Thanks for the debdiff! Since Marc just updated precise, I compared your patches to his and noticed a few things:

* 0016-CVE-2012-3439.patch should be renamed 0013-CVE-2012-588x.patch since CVE-2012-3439 was split out into CVE-2012-5885, CVE-2012-5886 and CVE-2012-5887 (as mentioned in the changelog)
* 0016-CVE-2012-3439.patch had some additional whitespace changes not in the upstream patch
* 0016-CVE-2012-3439.patch does not match the changes in http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?r1=1380829&r2=1380828&pathrev=1380829. Specifically, your patch retains 'this.' in this chunk, but it should not (ie, you use !this.opaque.equals):

  @@ -587,7 +623,7 @@ } // Validate the opaque string - if (!this.opaque.equals(opaque)) { + if (!opaque.equals(opaqueReceived)) { return false; }

* 0014-CVE-2012-4431.patch has additional whitespace changes
* 0015-CVE-2012-4534.patch has additional whitespace and typo changes
* debian/changelog is not formatted in the normal manner, with one stanza per CVE
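
Review bot: on the `+` line of the DigestAuthenticator hunk quoted above, the unqualified `opaque` only refers to the expected value if no local or parameter named `opaque` is still in scope, so the rename to `opaqueReceived` has to be applied consistently through the method. If `this.` is retained together with the old argument name, as in `this.opaque.equals(opaque)`, and the local has been renamed elsewhere, the check can end up comparing the field with itself and never fail. Suggest confirming the backported line reads exactly as upstream's `if (!opaque.equals(opaqueReceived)) {` and that the received value is named `opaqueReceived` everywhere it is used.
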
It seems like you might have applied the patches by hand. If so, I encourage you to use the 'patch' utility.

At this point, since there are now additional fixes, I think I am going to pull Marc's new patches and where the patches differ, update the changelog, run through QRT and publish.

Thanks for your work on this!

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3439

** Changed in: tomcat6 (Ubuntu)
   Status: Triaged => In Progress

https://bugs.launchpad.net/bugs/1166649

Title: Multiple open vulnerabilities in tomcat6 in quantal and raring