- Thu May 23 2013 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.40
- Related: CVE-2013-1976 It was found during additional testing
that the tomcat5 init may fail to start because the user
shell is set to sbin/nologin. Fixed in init script. SU now
uses -s /bin/sh during startup
- Tue May 21 2013 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.39
- Resolves: CVE-2013-1976 Improper TOMCAT_LOG management in
initscript. Change location of TOMCAT_LOG to /var/log so
only root can write to it. Touching TOMCAT_LOG is no longer
required during initscript startup. Permissions and ownership
changed to 0755 tomcat:root for logdir
- Thu Feb 21 2013 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.38
- Resolves: CVE-2012-3439 rhbz#882008 three DIGEST authentication
implementation
- Resolves: CVE-2012-3546, rhbz#913034 Bypass of security constraints.
- Remove unneeded handling of FORM authentication in RealmBase
- Thu Aug 9 2012 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.37
- Related: rhbz#543995
- Thu Aug 9 2012 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.36
- Related: rhbz#543995, rhbz#691833, rhbz#689924, rhbz#578648, rhbz#530089
- Wed Aug 8 2012 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.35
- Resolve: rhbz#543995, rhbz#691833, rhbz#689924,
rhbz#578648, rhbz#530089. Remove patch46.
- Mon Apr 23 2012 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.34
- Resolve: rhbz#578648 - re-enable JSP compilation on s380x and
ppc64
- Wed Apr 18 2012 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.33
- Resolves: rhbz#548961 - tomcat-juli.jar missing
- Thu Mar 29 2012 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.32
- Resolves: CVE-2012-0022 regression. Changed patch.
- Sun Feb 5 2012 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.31
- Resolves: CVE-2012-0022
- Tue Jan 17 2012 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.30
- Resolves: rhbz#587215 - LSB compliance. Changed initscript to
return 3 if status is stopped.
- Tue Jan 10 2012 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.29
- Resolves: rhbz#493007 - tomcat relink scripts have data loss window
- Made call to relink in init script conditional
- Sun Dec 18 2011 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.28
- Resolves rhbz#767195 - correct variable dist in release string
- Mon Nov 7 2011 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.27
- Resolves CVE-2011-0013 rhbz#675933
- Resolves CVE-2011-3718 rhbz#675933
- Wed Nov 2 2011 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.23
- Resolves CVE-2011-1184 rhbz#744984
- Resolves CVE-2011-2204 rhbz#719188
- Tue Oct 18 2011 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.22
- Resolves rhbz#543995 TRACE option returned when not allowed
- Wed Jun 22 2011 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.20
- Resolves rhbz#691833 - NPE when deploying context.xml in Catalina/localhost
- Wed May 18 2011 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.19
- Resolves: rhbz#689924 - NPE on start
- Wed Feb 2 2011 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.18
- Resolves: rhbz#674601 - JDK Double.parseDouble DoS
- Thu Dec 9 2010 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.17
- Resolves: rhbz#530089 - cookieparsing error
- Port patches for JBPAPP-3626 and 3627
- Thu Dec 9 2010 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.16
- Resolves: rhbz#623465 - NPE and ConcurrentModification Exception
- Wed Dec 8 2010 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.15
- Resolves: rhbz#217630, 217141 naming-factory-dbcp.jar missing causes
JNDI errors. Change made to tomcat5.conf, added javax.sql.DataSource.Factory
to JAVA_OPTS
- Tue Sep 28 2010 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.14
- Resolves rhbz#613005, rhbz#584514
- Wed Aug 4 2010 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.13
- Fixed problem with CVE 2009-2902 which introduced a stack overflow
- Resolves: rhbz#620996
- Wed Jul 28 2010 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.12
- Adding the patch for 0781 to cvs
- Thu Jul 15 2010 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.11
- Initscript edited to correct permissions and made partially LSB compliant
- Fri Apr 23 2010 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.10
- Resolves:rhbz#584514
- Sun Aug 9 2009 David Knox <dknox@redhat.com> 0:5.5.23-0jpp.9.1t
- Test build to merge CVE-2009-0781
- Thu Jun 25 2009 Fernando Nasser <fnasser@redhat.com> 0:5.5.23-0jpp.9
- Merge fixes from Z-Streams to incorporate fixes for:
Resolves: rhbz#427780 rhbz#504759 rhbz#503981 rhbz#504163
Resolves: rhbz#457727 rhbz#449917 rhbz#458635 rhbz#456216
- Thu Jun 25 2009 Fernando Nasser <fnasser@redhat.com> 0:5.5.23-0jpp.7.2
From David Knox:
- add patch for CVE-2007-5333
Resolves: rhbz#427780
- add patch for CVE-2008-5515
Resolves: rhbz#504759
- add patch for CVE-2009-0033
- add patch for CVE-2009-0580
Resolves: rhbz#503981
- add patch for CVE-2009-0783
Resolves: rhbz#504163
- Mon Jun 22 2009 David Knox <dknox@redhat.com> - 0:5.5.23-0jpp.8
- First attempt to merge in:
Resolves: rhbz#427780 rhbz#504759 rhbz#503981 rhbz#504163
Resolves: rhbz#457727 rhbz#449917 rhbz#458635 rhbz#456216
- Fri Aug 22 2008 David Walluck <dwalluck@redhat.com> 0:5.5.23-0jpp.7.1
- add patch for CVE-2008-1232
Resolves: rhbz#457727
- add patch for CVE-2008-1947
Resolves: rhbz#449917
- add patch for CVE-2008-2370
Resolves: rhbz#458635
- add patch for CVE-2008-2938
Resolves: rhbz#456216
- Wed Feb 27 2008 Deepak Bhole <dbhole@redhat.com> - 0:5.5.23-0jpp.7
- Patch for CVE-2007-5342
Resolves: bz# 427777
- Patch for CVE-2007-5461
Resolves: bz# 334571
- Mon Jan 28 2008 Deepak Bhole <dbhole@redhat.com> - 0:5.5.23-0jpp.6
- Resolves: bz# 240739. Update version string
- Thu Aug 30 2007 Fernando Nasser <fnasser@redhat.com> - 0:5.5.23-0jpp.5
From jean-frederic clere:
- Patch for CVE-2007-3382 and CVE-2007-3385
Resolves: rhbz#254156
- Wed Aug 29 2007 Fernando Nasser <fnasser@redhat.com> - 0:5.5.23-0jpp.4
From jean-frederic clere:
- Patch for CVE-2007-3386
Resolves: rhbz#254156
- Tue Jun 19 2007 Vivek Lakshmanan <vivekl@redhat.com> - 0:5.5.23-0jpp.3
- Remove erroneous rebuild-gcj-db for javadoc subpackage
- Add fixes for CVE-2007-2449 and CVE-2007-2450
- Resolves: bug 244846, bug 244817
- Tue May 8 2007 Vivek Lakshmanan <vivekl@redhat.com> - 0:5.5.23-0jpp.2
- Rebuild
- Add catalina.out to the rpm and set explicit permissions; tomcat ownership
- Resolves: bug 237088
- Mon Apr 23 2007 Vivek Lakshmanan <vivekl@redhat.com> - 0:5.5.23-0jpp.1
- Resolves: bug 237088
- Merge 0:5.5.17-8jpp.2 with sources/patches from 5.5.23
- Build against jakarta-commons-modeler 1.1 with MODELER-15 patch
- Thu Jan 18 2007 Rafael Schloming <rafaels@redhat.com> - 0:5.5.17-8jpp.2
- Changed PreReq to Requires(pre)
- Wed Oct 4 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-8jpp.1
- Merge with upstream
- Wed Oct 4 2006 Permaine Cheung <pcheung@redhat.com> 0:5.5.17-8jpp
- Fix condrestart in init script and location of init script in the spec file.
- Mon Oct 2 2006 Permaine Cheung <pcheung@redhat.com> 0:5.5.17-7jpp
- Add the new config file, and add the CONNECTOR_PORT variable in it.
- Mon Oct 2 2006 Permaine Cheung <pcheung@redhat.com> 0:5.5.17-6jpp
- Add the ability to start multiple instances of tomcat on the same machine.
- Wed Aug 30 2006 Deepak Bhole <dbhole@redhat.com> 5.5.17-6jpp.2
- Rebuilding.
- Mon Aug 21 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-6jpp.1
- Merge with upstream
- Mon Aug 21 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-6jpp
- Rebuild
- Mon Aug 21 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-5jpp
From Andrew Overholt:
- Silence post common-lib and server-lib.
- Thu Jul 27 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-3jpp_5fc
- Fix regression in relink with patch from Matt Wringe
- Sat Jul 22 2006 Jakub Jelinek <jakub@redhat.com> - 0:5.5.17-3jpp_4fc
- Rebuilt
- Thu Jul 13 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-3jpp_3fc
- Rebuild in full
- Wed Jul 5 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-3jpp_2fc
- Re-enable ppc64 and s390x
- Disable JSP pre-compilation on ppc64 and x390x (FIXME)
- Bootstrap mode (with apisonly) build
- Wed Jul 5 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-3jpp_1fc
- Full build
- Do not build on ppc64 and s390x
- Fix servlet-api.jar path
- Add version to catalina .so
From Ralph Apel:
- Re-add patch to add rt.jar
- Add mx4j JMX API and struts to classpath
- Wed Jul 5 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-3jpp_0fc
- Upgrade
- Use any JTA for now
- Try and remove exclude for sample.war
- Bootstrap build with apisonly
- Wed Jul 5 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-3jpp_1rh
- Merge with upstream
- Fri Jun 30 2006 Ralph Apel <r.apel@r-apel.de> 0:5.5.17-3jpp
- Create option --with apisonly to build just tomcat5-servlet-2.4-api,
tomcat5-jsp-2.0-api and its -javadoc subpackages
- Create option --without ecj to build even when eclipse-ecj not available
- Drop several unnecessary export CLASSPATH=
- Sat Jun 17 2006 Deepak Bhole <dbhole@redhat.com> - 0:5.5.15-1jpp_7fc
- Re-enable ppc64, s390 and s390x architectures now that eclipse is built there
- Mon May 15 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-2jpp_1rh
- Merge with upstream for upgrade to 5.5.17
- Mon May 15 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-2jpp
- Requires on post things that are linked to at post
Merge changes from downstream:
- Fix line breaks in the tomcat5 init script
- Split preun section among main package and the two new subpackages
- Move catalina-ant*.jar to the server-lib subpackage to avoid circular
dependency with the main package
- Remove leading zero from alternative priorities
- Rebuild with new classpath-mail as javamail alternative
- Update versions of dependencies and move them to library subpackages
- Use only jta from geronimo-specs
- Mon May 15 2006 Fernando Nasser <fnasser@redhat.com> 0:5.5.17-1jpp
- Upgrade to 5.5.17
- Remove jasper2 subdirectory of jasper from patches and this spec file
- Wed Apr 19 2006 Ralph Apel <r.apel@r-apel.de> 0:5.5.16-3jpp
- Drop jdtCompilerAdapter from build-jar-repository
- Use ant-trax in static webapp build
- Duplicate admin-webapps jars in _javadir and make them world readable
- Direct install of common-lib and server-lib to _javadir and symlink for TC5
- Tue Apr 4 2006 Ralph Apel <r.apel@r-apel.de> 0:5.5.16-2jpp
- Require eclipse-ecj >= 3.1.1 and adapt to it
- Fri Mar 24 2006 Ralph Apel <r.apel@r-apel.de> 0:5.5.16-1jpp
- Upgrade to 5.5.16
- Mon Mar 6 2006 Jeremy Katz <katzj@redhat.com> - 0:5.5.15-1jpp_6fc
- stop scriptlet spew
- Fri Mar 3 2006 Thomas Fitzsimmons <fitzsim@redhat.com> - 0:5.5.15-1jpp_5fc
- Require java-gcj-compat for post and postun sections of
servlet-2.4-api, jsp-2.0-api-javadoc and
server-lib sub-packages, since these three packages call
/usr/bin/rebuild-gcj-db in their post and/or postun sections.
- Wed Mar 1 2006 Rafael Schloming <rafaels@redhat.com> - 0:5.5.15-1jpp_4fc
- Disabled juli logging as a workaround for a number of classpath bugs
in java.util.logging.*
- Thu Feb 23 2006 Rafael Schloming <rafaels@redhat.com> - 0:5.5.15-1jpp_3fc
- Added jasper-foo symlinks for jars.
- Wed Feb 22 2006 Rafael Schloming <rafaels@redhat.com> - 0:5.5.15-1jpp_2fc
- Exclude ppc64 s390 s390x
- Wed Feb 22 2006 Rafael Schloming <rafaels@redhat.com> - 0:5.5.15-1jpp_1fc
- Updated to 5.5.15
- Tue Feb 14 2006 Ralph Apel <r.apel@r-apel.de> 0:5.5.12-2jpp
- Fix jta.jar location
- Fri Nov 11 2005 Fernando Nasser <fnasser@redhat.com> 0:5.5.12-1jpp
- Place jsp in its own subpackage
- Fix alternative links to jsp and servlet
- Fix alternative priorities to jsp and servlet
- Create library subpackages: common-lib and server-lib
From Vadim Nasardinov0:5.5.12-1jpp
- Upgrade to 5.5.12
From Deepak Bhole
- Fix init script so it works with SELinux
- Wed Jun 8 2005 Fernando Nasser <fnasser@redhat.com> 0:5.5.9-1jpp
- Merge for upgrade
- Change the user to tomcat from tomcat4
- Relax permissions on appdir directory so jonas package can build
- Remove spurious links to log4j.jar from common and server/lib
- Remove spurious dependency on tyrex (only needed for tomcat4)
- Make sure the main package installs first so user tomcat is created
- Reinstate ssl code changes so that tomcat can be built with other SDKs
and not only with Sun's or BEA's.
- Mon May 9 2005 Fernando Nasser <fnasser@redhat.com> 0:5.5.9-1jpp
- Upgrade to 5.5.9
- Add jmx to bindir and lower requirement to java 1.4.2
- Fri Feb 4 2005 Jason Corley 0:5.5.7-2jpp
- Add provides servletapi5 in addition to obsoletes servletapi5 (Martin Grotzke)
- Thu Feb 3 2005 Jason Corley 0:5.5.7-1jpp
- Upgrade to current stable release, 5.5.7
- Mon Jan 31 2005 Jason Corley 0:5.5.4-17jpp
- Use new eclipse-ecj package to remove old jasper-compiler-jdt.jar hack
- Thu Jan 27 2005 Jason Corley 0:5.5.4-16jpp
- Attempt to replace non-free jta with free geronimo-specs
- Thu Jan 27 2005 Jason Corley 0:5.5.4-15jpp
- Clean rebuild
- Thu Dec 16 2004 Jason Corley 0:5.5.4-14jpp
- First attempt at jasper subpackages
- Thu Dec 16 2004 Jason Corley 0:5.5.4-13jpp
- Yet another "servletapi" naming scheme change
- Tue Dec 14 2004 Jason Corley 0:5.5.4-12jpp
- Update the servletapi and servletapi-javadoc subpackages to the way proposed
by Gary Benson (based on work by Ralph Apel) in the 5.0.30 RPMs
- Wed Dec 8 2004 Jason Corley 0:5.5.4-10jpp
- Incorporate Fernando Nasser's javaxssl patch from the tomcat 5.0.28 RPM
- Replace find ... -exec's with find | xargs
- Tue Dec 7 2004 Jason Corley 0:5.5.4-9jpp
- First attempt at the whole servletapi issue
- Replace jmxri references with mx4j
- Build with JDK 1.4 and require a 1.4 JDK to run
- Remove cruft
- Clearly lost track of some stuff between changelog entries ;-)
- Fri Dec 3 2004 Jason Corley 0:5.5.4-1jpp
- First attempt at building 5.5
- Fri Sep 10 2004 Fernando Nasser <fnasser@redhat.com> 0:5.0.27-4jpp
- Rebuild using Tyrex 1.0.1
- Sat Sep 4 2004 Fernando Nasser <fnasser@redhat.com> 0:5.0.27-3jpp
- Rebuild with Ant 1.6.2
- Fri Jul 16 2004 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.27-2jpp
- Oops, don't require mx4j 2.0.1. 1.1.1 or later should be enough.
jmxri won't work anymore since tc5 needs mx4j-tools.
- Fri Jul 16 2004 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.27-1jpp
- Update to 5.0.27 (stable)
- Don't remove tomcat4 user/group on uninstall see the mailing list
for discussion
- build w/ xml-apis.jar instead of xmlParserAPIs.jar (release notes 5.0.27)
- Require junit 3.8.1 or newer (release notes 5.0.26)
- Require jakarta-commons-dbcp 1.2.1 or newer (release notes 5.0.27)
- Require jakarta-commons-logging 1.0.4 or newer (release notes 5.0.27)
- Require jakarta-commons-pool 1.1 or newer (release notes 5.0.27)
- Wed Jun 9 2004 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.24-3jpp
- Change default webapps file permissions from 0640 -> 0644
- Tue Jun 8 2004 Fernando Nasser <fnasser@redhat.com> 0:5.0.24-2jpp
- Allow browsing of webapps directory so that JOnAS can build.
- Mon May 17 2004 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.24-1jpp
- Update to 5.0.24
- Require xerces-j2 2.6.2 (release notes 5.0.21), also require ant < 1.6
as tomcat5 doesn't seem to build cleanly with 1.6 yet.
- Fri Mar 19 2004 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.19-2jpp
- Set JAVA_ENDORSED_DIRS by default in tomcat5.conf, it is otherwise empty
Suggestion from Aleksander Adamowski
- Wed Feb 25 2004 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.19-1jpp
- Update to 5.0.19
- Fri Jan 23 2004 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.18-1jpp
- Update to 5.0.18
- Build catalina before connectors
- Hack connectors build
- Require xerces-j2 2.6.0 (release notes 5.0.17)
- Sat Jan 17 2004 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-4jpp
- Create TC4 user and group separately, lets TC5 work out of the box
on Trustix (Patch from Iain Arnell)
- Sat Jan 10 2004 Kaj J. Niemi <kajtzu@fi.basen.net> - 0:5.0.16-3jpp
- servletapi5 is required
- move confdir/Catalina from admin-webapps to main package
(otherwise we end up requiring tomcat5-admin-webapps for struts-webapps)
- Sat Jan 10 2004 Kaj J. Niemi <kajtzu@fi.basen.net> - 0:5.0.16-2jpp
- Fix conflict with tomcat4 catalina-ant.jar in %_javadir by renaming it
catalina-ant5.jar for now.
- Fri Jan 9 2004 Kaj J. Niemi <kajtzu@fi.basen.net> - 0:5.0.16-1jpp
- First build for JPackage
- Mon Dec 29 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-0.11
- Merge changes from tomcat4.init to tomcat5.init
- Mon Dec 22 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-0.10
- Some jsp-examples require jakarta-taglibs-standard to work
- Mon Dec 22 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-0.9.1
- Struts should be 1.1 or later according to the release notes
- The /admin webapp works now as well
- manager.xml needs to be group writeable, otherwise tomcat complains
- Fri Dec 19 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-0.7
- Accept an older version of xerces-j2 as well.
- Fri Dec 19 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-0.6
- Require xerces-j2 instead of just jaxp_parser_impl
- Require jpackage commons-logging instead of internal version
- Wed Dec 17 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-0.5
- Tomcat5 isn't beta anymore
- Wed Dec 17 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-0.beta.4
- Place jspapi, jmxri, commons-el in common/lib as mentioned in the
upstream RELEASE-NOTES.txt. This makes jsps actually work.
- Wed Dec 17 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-0.beta.3
- Separated jakarta-commons-el from tomcat
- Require servletapi5 and jakata-commons-el
- Added Patch #4 (tomcat5-5.0.16-cluster-pathelement.patch) which fixes
build failure when servlet-api is renamed something else than the default
- Added Patch #5 (tomcat5-5.0.16-skip-build-on-install.patch) which corrects
servletapi/jspapi related build snafu on install. They're already built so
it's OK to skip.
- Thu Dec 4 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.16-0.beta.1
- 5.0.16
- jakarta-commons-el included here instead of somewhere else for now,
packaging unfinished
- Patch #3 removes dependency to jsvc.tar.gz which doesn't seem to be anywhere
- Tue Aug 5 2003 Kaj J. Niemi <kajtzu@fi.basen.net> 0:5.0.12-0.beta.1
- Based on JPackage.org's tomcat4 .spec
- No compat stuff anymore.
- First build