File tomcat6.changes of Package tomcat6.import5619

-------------------------------------------------------------------
Thu Jan  5 14:06:11 UTC 2012 - mvyskocil@suse.cz

- fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack
  backport upstream changes:
  * add getCharset method for B2Converter 
    http://svn.apache.org/viewvc?view=revision&revision=1140904
  * add isConfigProblemFatal method
    http://svn.apache.org/viewvc?view=revision&revision=1199122
  * GET POST parameter processing performance. Adds maximum number of
    parameters per request (defaults to 10000) and new FailedRequestFilter for
    rejecting requests with excessive number of parameters
    http://svn.apache.org/viewvc?view=revision&revision=1200601
- fix bnc#712784 - tomcat6: add missing Requires on java >= 1.6.0
  * add recommends on java >= 1.6.0 and java-devel >= 1.6.0

-------------------------------------------------------------------
Thu Sep 15 14:13:16 UTC 2011 - mvyskocil@suse.cz

- fix bnc#715991 - VUL-0: tomcat authentication bypass and information
  disclosure (CVE-2011-3190)
  * http://svn.apache.org/viewvc?view=revision&revision=1162959

-------------------------------------------------------------------
Mon Aug 15 11:30:34 UTC 2011 - mvyskocil@suse.cz

- fix bnc#706404 - VUL-0: tomcat user password information leak (CVE-2011-2204)
  * http://svn.apache.org/viewvc?view=revision&revision=1140071
- fix bnc#706382 - VUL-0: tomcat information leak and DoS (CVE-2011-2526)
  * http://svn.apache.org/viewvc?view=revision&revision=1146703
- fix bnc#702289 - suse manager pam ldap authentication fails
  * source CATALINA_HOME/bin/setenv.sh if exists

-------------------------------------------------------------------
Fri Feb 11 08:27:50 UTC 2011 - mvyskocil@suse.cz

- update to latest upstream version 6.0.32 (bugfix release)
- obsolete CVE-2010-4172 patch
- fixes bnc#669897 (CVE-2010-3718), bnc#669926 (CVE-2010-4476), bnc#669928
  (CVE-2011-0013) and bnc#669930 (CVE-2011-0534)

-------------------------------------------------------------------
Thu Dec  9 10:50:46 UTC 2010 - mvyskocil@suse.cz

- fix bnc#655440#c14 - clean workdir of tomcat's webapps to be sure
  our fixed jsps will be redeployed on each update

-------------------------------------------------------------------
Thu Nov 25 10:33:51 UTC 2010 - mvyskocil@suse.cz

- fix bnc#655440 - VUL-0: tomcat6: Apache Tomcat Manager application XSS
  vulnerability (CVE-2010-4172)
  http://svn.apache.org/viewvc?view=revision&revision=1037779
- fix bnc#653586 - spacewalk 1.2 requires jasper 5.5
  * add offline jasper compiler /usr/bin/jspc
- unpack tarball to apache-tomcat-$VERSION-src directory directly

-------------------------------------------------------------------
Tue Nov  2 10:19:13 UTC 2010 - mvyskocil@suse.cz

- Fix bnc#650130 - Update of tomcat6 not possible (cpio: Is a directory)
  * workaround the rpm bug - it cannot update directory to symlink
  * make /etc/tomcat6/Catalina/ as ghost file
  * create link in %posttrans

-------------------------------------------------------------------
Tue Sep 14 13:18:45 UTC 2010 - mvyskocil@suse.cz

- Update to 6.0.29 (bugfix release)
- fix bnc#625415:  Tomcat6 does not have permissions to its own directories
  * also fix the /etc/tomcat6/Catalina link target
- revert a setclasspath.sh changes
- disable user/group verification of tomcat owned files and directories to
  allow easy change of the tomcat user without rpm --verify complaints

-------------------------------------------------------------------
Thu Jul 15 09:21:45 UTC 2010 - mvyskocil@suse.cz

- Update to 6.0.28 (bugfix release) 
- fix bnc#565901 - missing catalina.sh again
  * move catalina.sh to CATALINA_HOME/bin
  * add jpackage.org compatible CATALINA_HOME/bin/setclasspath.sh
- add missing logrotate requires
- install scripts with mode 0755

-------------------------------------------------------------------
Wed Feb  3 12:39:44 UTC 2010 - mvyskocil@suse.cz

- Update to 6.0.24 (bugfix release). This obsoletes patch
  * tomcat6-bug47316.patch
- Merged with tomcat6-6.0.18-10.jpp6.src.rpm
  * return the jpackage.org license header in spec
  * polish in spec (use more macros)
  * add logrotate support
  * add patch to document webapps in %%{_sysconfdir}/%%{name}/tomcat-users.xml
  * move %%{_bindir}/d%%{name} to %%{_sbindir}/%%{name} and provide symlink to
    %%{_sbindir}/d%%{name}
  * add digest and tool-wrapper scripts
  * explicitly unset CLASSPATH
  * explicitly set OPT_JAR_LIST to include ant/ant-trax
  * build and install sample webapp
  * use copy instead of move to fix short-circuit install build
  * version jsp and servlet Provides with their spec versions
  * make initscript LSB-compliant
  * add el subpackage

-------------------------------------------------------------------
Tue Jan  5 14:20:08 UTC 2010 - mvyskocil@suse.cz

- fixed bnc#565901 - missing catalina.sh
  * added catalina.sh (link from dtomcat6) to improve upstream compatibility

-------------------------------------------------------------------
Wed Sep 30 08:01:35 UTC 2009 - mvyskocil@suse.cz

- fixed bnc#542634: Tomcat NPE on start
  applied patch from upstream bugzilla
  https://issues.apache.org/bugzilla/show_bug.cgi?id=47316#c3

-------------------------------------------------------------------
Wed Aug 26 13:01:22 UTC 2009 - mvyskocil@suse.cz

- fixed bnc#520532: marked all webapp/ROOT/* files as config(noreplace)
- marked /etc/ant.d/catalina-ant as config(noreplace)

-------------------------------------------------------------------
Mon Jun 15 09:09:12 CEST 2009 - mvyskocil@suse.cz

- added a missing -p1 for %patch0

-------------------------------------------------------------------
Wed Jun  3 10:39:19 CEST 2009 - mvyskocil@suse.cz

- fixed bnc#488061: work directory clean on tomcat stop
- update to 6.0.20 - the bugfix release:
  * MemoryUserDatabase is read-only by default
  * Allow huge request body packets for AJP13
  * Never return an empty HTTP status reason phrase
  * Prevent double initialisation of JSPs
  * A node should ignore its own heartbeat messages
  * Pretty error messages (instead of stacktrace) if shutdown port is disabled

-------------------------------------------------------------------
Mon Mar 16 15:57:55 CET 2009 - mvyskocil@suse.cz

- fixed bnc#418664 - Tomcat6 installation has missing bits
  - added /etc/ant.d/catalina-ant
- another fix for bnc#471639 - tomcat does not start/work
  * merged a sysconfig and tomcat6.conf to allow a dtomcat6 start works
  * also fixes (bnc#471639)
- fixed bnc#424675 - Access rights to /etc/tomcat6 directory not set right
  * create a link from /etc/tomcat6/Catalina to /var/cache/tomcat6/Catalina
- removed a CATALINA_OPTS from stop in dtomcat6 (bao#42951)

-------------------------------------------------------------------
Wed Feb 25 14:31:44 CET 2009 - mvyskocil@suse.cz

- fixed bnc#471301: tomcat6 doesn't want to be started when sun java 1.5 is selected
  - built with -target 1.5

-------------------------------------------------------------------
Mon Feb  9 16:50:07 CET 2009 - mvyskocil@suse.cz

- Fixed bnc#471639 - tomcat does not start/work
  - fill up a default JVM in sysconfig
- changed a default JAVA_HOME from JRE to SDK in config

-------------------------------------------------------------------
Mon Nov 24 14:05:10 CET 2008 - mvyskocil@suse.cz

- Fixed bnc#446598 - Tomcat6: tomcat6.conf overwrites sysconfig/tomcat6 values 

-------------------------------------------------------------------
Fri Sep 12 09:28:26 CEST 2008 - mvyskocil@suse.cz

- Update to 6.0.18. This obsoletes patches:
	apache-tomcat-CVE-2008-1232
	apache-tomcat-CVE-2008-1947
	apache-tomcat-CVE-2008-2370
	apache-tomcat-CVE-2008-2938

-------------------------------------------------------------------
Tue Aug 19 13:16:48 CEST 2008 - mvyskocil@suse.cz

- fix CVE-2008-2938: VUL-0: tomcat5: directory traversal 

-------------------------------------------------------------------
Wed Aug  6 11:11:58 CEST 2008 - mvyskocil@suse.cz

- fix CVE-2008-1232 and CVE-2008-2370: VUL-0: Apache Tomcat Cross-Site
  Scripting and Security Bypass [bnc#414657]

-------------------------------------------------------------------
Mon Jul 21 15:45:27 CEST 2008 - mvyskocil@suse.cz

- fixed [bnc#394503]:  tomcat6 is missing rctomcat6 link
  - add a /usr/sbin/rctomcat6 symlink
  - and heavy rewrite and improve of original jpackage tomcat6 init script
    - add Should-Start and Should-Stop section and values for Default-Start and
      Default-Stop
    - removed the echo_success and echo_failure functions and usage
    - include a /etc/rc.status and use a rc_XXXXX functions instead of echo and
      return. Plus add a comments with error codes explanations
    - merge the start/stop/status messages from previous version
    - use `ps' command instead of pgrep
    - changes in commands: added a try-restart|force-reload|reload|probe and
      removed the version|conrestart
- fixed [bnc#394499]: add a PreReq to jpackage-utils
- fixed [bnc#408253]: tomcat6 fails because of missing commons-xxxx jars
  - add a removed dependencies to the jakarta-commons-*-tomcat5 packages
  - fixed a proper link creation in post/n scripts
  - fixed a build cycle, jakarta-commons-dbcp-tomcat5 needs the tomcat6-lib for
    build, but the tomcat6-lib has this package in Requires(post). The
    %post scriptlet is non-fatal if the jars cannot be found (but this would
    not happen in a production state).

-------------------------------------------------------------------
Fri Jun 27 14:47:03 CEST 2008 - mvyskocil@suse.cz

- fixed [bnc#396962]: VUL-0: tomcat5: [SECURITY] CVE-2008-1947: Tomcat host-manager XSS vulnerability
- fixed [bnc#403310]: Tomcat startup script uses wrong java.io.tmpdir
  - the temp directory is in /var/cache/tomcat6/temp

-------------------------------------------------------------------
Tue May  6 10:12:07 CEST 2008 - mvyskocil@suse.cz

- fixed a [bnc#383331] - Tomcat cannot compile JSPs
  - add a ecj requires for tomcat6-lib
  - create a symlink of ecj.jar to tomcat6 libdir
- add a jakarta-taglibs-standard to BuildRequires
- use a fdupes to avoid a file duplication waste in /srv
- replace a %{_jvmdir}/jre to /etc/alternatives/jre in JAVAHOME in default
  tomcat6.conf (this path is architecture independent)
- add a %stop_on_removal to %preun, %restart_on_update and %insserv_cleanup to
  %postun to fix some rpmlint warnings
- add a $remote_fs dependency to init script

-------------------------------------------------------------------
Wed Feb 27 10:53:38 CET 2008 - mvyskocil@suse.cz

- update to 6.0.16

-------------------------------------------------------------------
Fri Jan 25 18:26:09 CET 2008 - coolo@suse.de

- don't require the old package names 

-------------------------------------------------------------------
Fri Jan 25 15:42:30 CET 2008 - ro@suse.de

- don't use dots in package names 

-------------------------------------------------------------------
Tue Jan 22 12:22:00 CET 2008 - anosek@suse.cz

- don't use macros in package names (the %package lines)
  which does not work with autobuild. 

-------------------------------------------------------------------
Thu Dec 20 08:36:29 CET 2007 - anosek@suse.cz

- don't use static uid/gid for tomcat user and tomcat group

-------------------------------------------------------------------
Tue Dec  4 10:00:49 CET 2007 - anosek@suse.cz

- initial version of tomcat6 package
- based on work by jpackage project
