jetty9 (9.4.50-4+deb12u3) bookworm-security; urgency=high

  * Team upload.
  * Fix CVE-2024-22201:
    It was discovered that remote attackers may leave many HTTP/2 connections
    in ESTABLISHED state (not closed), TCP congested and idle. Eventually the
    server will stop accepting new connections from valid clients which can
    cause a denial of service.

 -- Markus Koschany  Sun, 07 Apr 2024 22:26:26 +0200

jetty9 (9.4.50-4+deb12u2) bookworm-security; urgency=high

  * Team upload.
  * Fix CVE-2023-36478 and CVE-2023-44487:
    Two remotely exploitable security vulnerabilities were discovered in
    Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol
    implementation did not sufficiently verify if HPACK header values exceed
    their size limit. Furthermore the HTTP/2 protocol allowed a denial of
    service (server resource consumption) because request cancellation can
    reset many streams quickly. This problem is also known as Rapid Reset
    Attack.

 -- Markus Koschany  Sun, 29 Oct 2023 16:12:42 +0100

jetty9 (9.4.50-4+deb12u1) bookworm-security; urgency=high

  * Team upload.
  * The org.eclipse.jetty.servlets.CGI has been deprecated. It is potentially
    unsafe to use it. The upstream developers of Jetty recommend to use Fast
    CGI instead. See also CVE-2023-36479.
  * Fix CVE-2023-26048:
    Jetty is a java based web server and servlet engine. In affected versions
    servlets with multipart support (e.g. annotated with `@MultipartConfig`)
    that call `HttpServletRequest.getParameter()` or
    `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the
    client sends a multipart request with a part that has a name but no
    filename and very large content. This happens even with the default
    settings of `fileSizeThreshold=0` which should stream the whole part
    content to disk.
  * Fix CVE-2023-26049:
    Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
    cookies within other cookies, or otherwise perform unintended behavior by
    tampering with the cookie parsing mechanism.
  * Fix CVE-2023-40167:
    Prior to this version Jetty accepted the `+` character proceeding the
    content-length value in a HTTP/1 header field. This is more permissive
    than allowed by the RFC and other servers routinely reject such requests
    with 400 responses. There is no known exploit scenario, but it is
    conceivable that request smuggling could result if jetty is used in
    combination with a server that does not close the connection after
    sending such a 400 response.
  * CVE-2023-36479:
    Users of the CgiServlet with a very specific command structure may have
    the wrong command executed. If a user sends a request to a
    org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its
    name, the servlet will escape the command by wrapping it in quotation
    marks. This wrapped command, plus an optional command prefix, will then
    be executed through a call to Runtime.exec. If the original binary name
    provided by the user contains a quotation mark followed by a space, the
    resulting command line will contain multiple tokens instead of one.
  * Fix CVE-2023-41900:
    Jetty is vulnerable to weak authentication. If a Jetty
    `OpenIdAuthenticator` uses the optional nested `LoginService`, and that
    `LoginService` decides to revoke an already authenticated user, then the
    current request will still treat the user as authenticated. The
    authentication is then cleared from the session and subsequent requests
    will not be treated as authenticated. So a request on a previously
    authenticated session could be allowed to bypass authentication after it
    had been rejected by the `LoginService`. This impacts usages of the
    jetty-openid which have configured a nested `LoginService` and where that
    `LoginService` is capable of rejecting previously authenticated users.

 -- Markus Koschany  Wed, 27 Sep 2023 16:35:19 +0200

jetty9 (9.4.50-4) unstable; urgency=medium

  * Team upload.
  * Revert the switch to libtomcat10-java. For now Jetty 9 only works
    correctly with libtomcat9-java.
    (Closes: #1036798)

 -- Markus Koschany  Sat, 27 May 2023 16:28:19 +0200

jetty9 (9.4.50-3) unstable; urgency=medium

  * Team upload.
  * Depend on libtomcat10-java instead of libtomcat9-java.
  * Add tomcat10-migration.patch.
  * Ignore jetty-jaspi module because it does not work with Tomcat 10 yet.

 -- Markus Koschany  Sun, 19 Feb 2023 13:41:00 +0100

jetty9 (9.4.50-2) unstable; urgency=medium

  * Depend on libeclipse-jdt-core-java instead of libecj-java
  * Standards-Version updated to 4.6.2

 -- Emmanuel Bourg  Fri, 06 Jan 2023 12:08:38 +0100

jetty9 (9.4.50-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Sun, 27 Nov 2022 22:47:21 +0100

jetty9 (9.4.49-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.4.49.

 -- Markus Koschany  Thu, 22 Sep 2022 23:41:17 +0200

jetty9 (9.4.48-1) unstable; urgency=high

  * Team upload.
  * New upstream version 9.4.48.
    - Fix CVE-2022-2048 and CVE-2022-2047.

 -- Markus Koschany  Mon, 18 Jul 2022 13:26:56 +0200

jetty9 (9.4.46-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Mon, 02 May 2022 18:42:20 +0200

jetty9 (9.4.45-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.4.45.
  * Remove haproxy binary file from the sources.

 -- Markus Koschany  Fri, 11 Feb 2022 11:13:49 +0100

jetty9 (9.4.44-4) unstable; urgency=medium

  * Team upload.
  * Add servlet-api.patch and correct the API version in jetty-home/pom.xml.
    This used to work because libservlet3.1-java was pulled in as a
    transitive dependency. (Closes: #1002274)

 -- Markus Koschany  Sat, 25 Dec 2021 23:37:56 +0100

jetty9 (9.4.44-3) unstable; urgency=medium

  * Team upload.
  * Ignore junit-bom artifact of scope import. The junit-bom dependency
    caused several FTBFS because of reverse-dependencies that did not depend
    on junit5.

 -- Markus Koschany  Fri, 12 Nov 2021 12:14:57 +0100

jetty9 (9.4.44-2) unstable; urgency=medium

  * Team upload.
  * Update README.Debian and clarify how to override systemd security
    features. (Closes: #994440)
  * Replace deprecated configuration options in start.ini.
    Thanks to Martin van Es for the report. (Closes: #994441)

 -- Markus Koschany  Mon, 18 Oct 2021 11:51:58 +0200

jetty9 (9.4.44-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Updated the Maven rules
  * Depend on libservlet-api-java instead of libservlet3.1-java
  * No longer remove the jetty user/group when purging the package
  * Standards-Version updated to 4.6.0.1
  * Switch to debhelper level 13

 -- Emmanuel Bourg  Mon, 18 Oct 2021 10:56:29 +0200

jetty9 (9.4.39-3) unstable; urgency=high

  * Team upload.
  * Fix CVE-2021-34429:
    URIs can be crafted using some encoded characters to access the content
    of the WEB-INF directory and/or bypass some security constraints.
    Thanks to Salvatore Bonaccorso for the report. (Closes: #991188)

 -- Markus Koschany  Sun, 18 Jul 2021 19:37:57 +0200

jetty9 (9.4.39-2) unstable; urgency=high

  * Team upload.
  * Fix CVE-2021-28169:
    It is possible for requests to the ConcatServlet with a doubly encoded
    path to access protected resources within the WEB-INF directory. For
    example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the
    web.xml file. This can reveal sensitive information regarding the
    implementation of a web application.
  * Fix CVE-2021-34428:
    If an exception is thrown from the SessionListener#sessionDestroyed()
    method, then the session ID is not invalidated in the session ID manager.
    On deployments with clustered sessions and multiple contexts this can
    result in a session not being invalidated. This can result in an
    application used on a shared computer being left logged in.
    Thanks to Salvatore Bonaccorso for the report.
    (Closes: #989999, #990578)

 -- Markus Koschany  Sat, 03 Jul 2021 19:09:58 +0200

jetty9 (9.4.39-1) unstable; urgency=high

  * New upstream release
    - Fixed CVE-2021-28163: If a user uses a webapps directory that is a
      symlink, the contents of the webapps directory is deployed as a static
      webapp, inadvertently serving the webapps themselves and anything else
      that might be in that directory.
    - Fixes CVE-2021-28164: The default compliance mode allows requests with
      URIs that contain %2e or %2e%2e segments to access protected resources
      within the WEB-INF directory. This can reveal sensitive information
      regarding the implementation of a web application.
    - Fixes CVE-2021-28165: CPU usage can reach 100% upon receiving a large
      invalid TLS frame.

 -- Emmanuel Bourg  Mon, 12 Apr 2021 00:11:03 +0200

jetty9 (9.4.38-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Sun, 28 Feb 2021 21:50:15 +0100

jetty9 (9.4.36-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Sun, 17 Jan 2021 23:49:54 +0100

jetty9 (9.4.35-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.5.1

 -- Emmanuel Bourg  Wed, 30 Dec 2020 23:49:47 +0100

jetty9 (9.4.33-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Thu, 22 Oct 2020 09:57:19 +0200

jetty9 (9.4.31-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Thu, 03 Sep 2020 14:26:52 +0200

jetty9 (9.4.29-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Wed, 27 May 2020 17:59:57 +0200

jetty9 (9.4.28-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Switch to debhelper level 12

 -- Emmanuel Bourg  Tue, 14 Apr 2020 01:20:44 +0200

jetty9 (9.4.27-1) unstable; urgency=medium

  * New upstream release

 -- Emmanuel Bourg  Sun, 05 Apr 2020 17:46:58 +0200

jetty9 (9.4.26-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Updated the Maven rules
    - Build the new jetty-openid module
    - Replaced the jetty-cdi-* artifacts with the unified jetty-cdi one
  * Standards-Version updated to 4.5.0

 -- Emmanuel Bourg  Tue, 28 Jan 2020 00:23:26 +0100

jetty9 (9.4.18-2) unstable; urgency=medium

  * Team upload to unstable.
  * Add missing dependency on libecj-java (Closes: #924168)
  * Bump Standards-Version to 4.4.0
  * Add NOTICE.txt to be installed in /usr/share/doc/jetty9

 -- tony mancill  Fri, 12 Jul 2019 06:22:42 -0700

jetty9 (9.4.18-1) experimental; urgency=medium

  * Team upload.
  * New upstream release
    - Addresses CVE-2019-10241, CVE-2019-10247 (Closes: #928444)
  * Freshen years in debian/copyright
  * Refresh patches for new upstream version
  * Add org.eclipse.jetty:infinispan-embedded et.al. to maven.ignoreRules
  * Update 09-tweak-distribution patch (jetty-home pom)

 -- tony mancill  Sun, 05 May 2019 19:57:45 -0700

jetty9 (9.4.15-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - New build dependency on libjboss-logging-java
    - Ignore the new jetty-websocket-tests module
  * Standards-Version updated to 4.3.0

 -- Emmanuel Bourg  Mon, 25 Feb 2019 01:33:58 +0100

jetty9 (9.4.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Ignore the new test dependencies
    - Build the new modules: jetty-alpn-java-*, jetty-alpn-openjdk8-*,
      jetty-http2-*, jetty-cdi-* and jetty-unixsocket
    - Ignore the new optional modules: jetty-alpn-conscrypt-*,
      jetty-memcached, jetty-cdi-servlet, jetty-gcloud, jetty-hazelcast
      and jetty-infinispan
    - No longer build the removed modules: jetty-monitor and jetty-rhttp-*
    - Updated the Maven rules
    - Derive the content of the jetty9 package from the output of the
      jetty-distribution module
    - Require Java 8 or higher to run
    - Depend on libasm-java (>= 7.0)
    - Updated the links in /usr/share/jetty9/lib/
    - Added jetty-util.jar to the classpath of jetty-start.jar
  * Added a systemd service file
  * Removed the default 256M heap limit
  * Removed the NO_START option from the service configuration
  * Depend on libtomcat9-java instead of libtomcat8-java
  * Don't follow the symlinks when setting the owner of the
    /var/cache/jetty9, /var/log/jetty9 and /var/lib/jetty9 directories
    in the postinst script
  * Updated the README file (Closes: #906770)
  * Exclude the documentation directory from the upstream tarball

 -- Emmanuel Bourg  Mon, 10 Dec 2018 15:44:30 +0100

jetty9 (9.2.26-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Fixed the Maven rule for tomcat-jaspic-api (Closes: #907147)
  * Standards-Version updated to 4.2.1

 -- Emmanuel Bourg  Wed, 05 Sep 2018 13:11:13 +0200

jetty9 (9.2.25-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Fixes CVE-2017-7656: A remote user can submit a specially crafted
      HTTP/0.9 request containing invalid request headers to cause Jetty and
      an upstream HTTP agent (such as an origin server or another proxy) to
      interpret the boundary of the HTTP request differently. As a result, a
      malicious request may be embedded within another request as processed
      by the subsequent system. This allows a remote user to potentially
      poison the cache.
    - Fixes CVE-2017-7657: A remote user can submit a specially crafted HTTP
      request containing invalid Chunked Transfer-Encoding headers to cause
      Jetty and an upstream HTTP agent (such as an origin server or another
      proxy) to interpret the boundary of the HTTP request differently. As a
      result, a malicious request may be embedded within another request as
      processed by the subsequent system. This allows a remote user to
      potentially poison the cache.
    - Fixes CVE-2017-7658: A remote user can submit a specially crafted HTTP
      request containing more than one Content-Length header to cause Jetty
      and an upstream HTTP agent (such as an origin server or another proxy)
      to interpret the boundary of the HTTP request differently.
      As a result, a malicious request may be embedded within another request
      as processed by the subsequent system. This allows a remote user to
      potentially poison the cache.
  * Compile with the --release parameter to preserve the compatibility
    with older JREs

 -- Emmanuel Bourg  Tue, 03 Jul 2018 14:31:51 +0200

jetty9 (9.2.24-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Standards-Version updated to 4.1.4
  * Switch to debhelper level 11
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg  Fri, 18 May 2018 00:14:54 +0200

jetty9 (9.2.23-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Fixed the broken symlinks indirectly caused by the new pom patching
    sequence in maven-debian-helper 2.2.8 (Closes: #884771)
  * Added the missing dependency on lsb-base
  * Standards-Version updated to 4.1.3

 -- Emmanuel Bourg  Fri, 05 Jan 2018 18:03:14 +0100

jetty9 (9.2.22-3) unstable; urgency=medium

  * Team upload.
  * Depend on libgeronimo-jta-1.2-spec-java instead of glassfish-javaee
  * Standards-Version updated to 4.1.2

 -- Emmanuel Bourg  Thu, 14 Dec 2017 16:53:25 +0100

jetty9 (9.2.22-2) unstable; urgency=medium

  * Team upload.
  * No longer depend on glassfish-jmac-api and use the jaspic API
    from libtomcat8-java instead
  * Standards-Version updated to 4.0.0

 -- Emmanuel Bourg  Tue, 04 Jul 2017 12:06:15 +0200

jetty9 (9.2.22-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Fixes CVE-2017-9735: Timing attack in Password.java (Closes: #864898)
  * No longer create a link to jetty-overlay-deployer (Closes: #857217)

 -- Emmanuel Bourg  Mon, 19 Jun 2017 15:56:11 +0200

jetty9 (9.2.21-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Wed, 25 Jan 2017 09:30:54 +0100

jetty9 (9.2.20-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Ignore the Jacoco Maven plugin
  * Switch to debhelper level 10

 -- Emmanuel Bourg  Sun, 08 Jan 2017 01:29:03 +0100

jetty9 (9.2.19-2) unstable; urgency=medium

  * Removed the Require-Capability and Bundle-RequiredExecutionEnvironment
    fields from the OSGi metadata to avoid a build failure with Eclipse 3.8

 -- Emmanuel Bourg  Mon, 24 Oct 2016 18:18:50 +0200

jetty9 (9.2.19-1) unstable; urgency=medium

  * New upstream release
  * Track the tags from the Git repository

 -- Emmanuel Bourg  Sun, 09 Oct 2016 16:26:33 +0200

jetty9 (9.2.18-1) unstable; urgency=medium

  * New upstream release
  * Depend on taglibs-standard instead of jakarta-taglibs-standard
  * Track the release tags on GitHub

 -- Emmanuel Bourg  Thu, 28 Jul 2016 13:37:30 +0200

jetty9 (9.2.16-1) unstable; urgency=medium

  * New upstream release
  * Standards-Version updated to 3.9.8 (no changes)

 -- Emmanuel Bourg  Sat, 23 Apr 2016 15:11:28 +0200

jetty9 (9.2.15-1) unstable; urgency=medium

  * New upstream release
  * Standards-Version updated to 3.9.7 (no changes)
  * Use a secure Vcs-Git URL
  * Depend on libasm-java (>= 5.0) instead of libasm4-java

 -- Emmanuel Bourg  Fri, 01 Apr 2016 22:22:36 +0200

jetty9 (9.2.14-1) unstable; urgency=medium

  * New upstream release (Closes: #795416)

 -- Emmanuel Bourg  Thu, 17 Dec 2015 15:44:57 +0100

jetty8 (8.1.18-3) unstable; urgency=medium

  * No longer install the default page on updates in
    /var/lib/jetty8/webapps/root if another root application is installed
    (Closes: #767612)
  * Support the JVMs installed by the older versions of java-package
    (<< 0.52) and the oracle-java{n > 7}-installer packages from webupd8.
  * Updated the error message displayed when the JAVA_HOME variable defined
    in /etc/default/jetty8 doesn't point to a JRE.
  * Removed the unused commons-daemon.jar and tools.jar from the start
    classpath
  * Invoke Jetty with 'java -jar start.jar' instead of
    'java -cp start.jar org.eclipse.jetty.start.Main'
  * Removed the JDK_DIRS and JSP_COMPILER variables from /etc/default/jetty8
  * Added a VERSION variable in jetty8.init and replaced 'jetty8' with
    'jetty$VERSION'
  * Added the version in the description of the service
  * Fixed the formatting of the message displayed when starting and stopping
    the service

 -- Emmanuel Bourg  Fri, 04 Dec 2015 10:06:41 +0100

jetty8 (8.1.18-2) unstable; urgency=medium

  * Changed the default value of NO_START to 0 in /etc/default/jetty8
    and let Jetty start automatically on installing (LP #1194755)
  * Fixed a build failure with maven-debian-helper 2.0
  * Added the missing build dependency on asm
  * Replaced the dependency on libasm3-java with libasm4-java and fixed
    the compatibility with servlets containing Java 8 lambda expressions.
  * Build with the DH sequencer instead of CDBS
  * Ignore the modules with a --ignore parameter in
    debian/libjetty8-java.poms instead of a patch

 -- Emmanuel Bourg  Wed, 25 Nov 2015 19:01:06 +0100

jetty8 (8.1.18-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Thu, 08 Oct 2015 21:49:05 +0200

jetty8 (8.1.17-2) unstable; urgency=medium

  * Added the missing build dependency on libjetty-java (Closes: #796441)

 -- Emmanuel Bourg  Sun, 23 Aug 2015 23:14:06 +0200

jetty8 (8.1.17-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg  Mon, 11 May 2015 12:43:18 +0200

jetty8 (8.1.16-4) unstable; urgency=medium

  * Fixed an error on purging jetty8 when authbind is not installed
    (Closes: #767337)
  * Added the missing link to tomcat-util.jar in /usr/share/jetty8/lib/jsp/
    (Closes: #740596)
  * Enable IPv6 by default (Closes: #767369)

 -- Emmanuel Bourg  Fri, 31 Oct 2014 18:54:25 +0100

jetty8 (8.1.16-3) unstable; urgency=medium

  * Configure Jetty to write the jetty.state file in the /var/lib/jetty8
    directory (Closes: #764454)
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg  Wed, 08 Oct 2014 12:37:56 +0200

jetty8 (8.1.16-2) unstable; urgency=medium

  * Fixed an integration issue with the JSP compiler from Tomcat 7 causing
    an AccessControlException when requesting a JSP.

 -- Emmanuel Bourg  Mon, 06 Oct 2014 14:33:54 +0200

jetty8 (8.1.16-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Ignore the Maven dependency on the Mycila maven-license-plugin
  * Added authbind support to run Jetty on privileged ports
  * Updated the init.d script to detect the recent JDKs and ignore
    the old ones (Closes: #756310)
  * Fixed the version of the Servlet API in the poms (3.0 instead of
    'debian')
  * debian/control:
    - Removed java5-runtime-headless from the acceptable runtime dependencies
      (Jetty 8 requires Java 6)
    - Use distinct descriptions for the jetty8 and libjetty8-java packages
    - jetty8 now depends on libjetty8-extra-java
    - libjetty8-java-doc depends on libservlet3.0-java-doc instead of
      libservlet2.5-java-doc
    - libjetty8-java-doc suggests libjetty8-java instead of libjetty-java
    - Depend on libmail-java instead of libgnumail-java
    - Updated the Homepage field
  * debian/rules: Install the upstream changelog
  * debian/watch: Watch the tags from the Git repository
  * debian/jetty8.init: Added the missing JETTY_CONF variable
  * debian/jetty8.init: Paths relative to JETTY_HOME are now recognized
    in /etc/jetty8/jetty.conf
  * Install the missing Jasper dependencies in /usr/share/jetty8/lib/jsp
  * Reuse and patch the configuration files from the upstream distribution
    instead of installing Debian specific files (Closes: #728380)
  * debian/copyright: Updated the missing file paths reported by Lintian
  * Switch to debhelper level 9

 -- Emmanuel Bourg  Thu, 11 Sep 2014 19:55:16 +0200

jetty8 (8.1.3-9) unstable; urgency=low

  [ Emmanuel Bourg ]
  * Team upload.
  * Use the Tomcat 7 jars from /usr/share/tomcat7/lib
  * Updated Standards-Version to 3.9.5 (no changes)
  * debian/copyright: Updated the Format URI

  [ Ludovico Cavedon ]
  * Added jars in libjetty8-java for: jetty-jaspi, jetty-jsp, jetty-nested,
    jetty-websocket (Closes: #724973).

 -- Ludovico Cavedon  Thu, 05 Dec 2013 22:20:15 -0800

jetty8 (8.1.3-8) unstable; urgency=low

  * Don't build jetty-spdy module with Java 7 (Closes: #717119).
  * Updated d/watch.

 -- Jakub Adam  Fri, 26 Jul 2013 19:45:24 +0200

jetty8 (8.1.3-7) unstable; urgency=low

  * Removed dependencies on libgnujaf-java.
  * Build-Depends on libservlet3.0-java (>= 7.0.40-2).
    - Previous versions had a problem with maven-repo deployment.

 -- Jakub Adam  Thu, 16 May 2013 16:34:13 +0200

jetty8 (8.1.3-6) unstable; urgency=low

  [ Emmanuel Bourg ]
  * Team upload.
  * Fixed the watch file

  [ tony mancill ]
  * Upload to unstable for the jessie release cycle.

 -- tony mancill  Mon, 06 May 2013 07:19:07 -0700

jetty8 (8.1.3-5) experimental; urgency=low

  * Add test-jetty-servlet jar into libjetty8-extra-java.
  * Bump Standards-Version to 3.9.4.

 -- Jakub Adam  Fri, 05 Apr 2013 09:38:08 +0200

jetty8 (8.1.3-4) unstable; urgency=low

  * Team upload
  * Switch to use of javax.* and standard jar names for Servlet, JSP and
    EL API's (Closes: #678766):
    - d/maven.rules: Fix mapping to javax.* artifacts as published by
      the latest version of the tomcat7 package.
    - d/{libjetty8-java,libjetty8-extra-java}.links: Switch use from
      deprecated tomcat-* jar files for Servlet, JSP and EL API's.
    - d/control: Bump minimum version of libtomcat7-java to ensure that
      the correct API jars/artifacts are provided.

 -- James Page  Mon, 25 Jun 2012 16:02:46 +0200

jetty8 (8.1.3-3) unstable; urgency=low

  * Team upload.
  * Allow co-installation of libjetty-java-doc with libjetty8-java-doc.
    (Closes: #674204).

 -- Miguel Landaeta  Tue, 29 May 2012 21:45:21 +0200

jetty8 (8.1.3-2) unstable; urgency=low

  * Fix server startup when jsvc is not installed.
  * Fix a typo in binary package dependencies (jstl1.1-java to
    libjstl1.1-java)

 -- Jakub Adam  Wed, 23 May 2012 07:49:07 +0200

jetty8 (8.1.3-1) unstable; urgency=low

  * New upstream release.
  * Bump Standards-Version to 3.9.3.

 -- Jakub Adam  Sun, 13 May 2012 14:54:06 +0200

jetty (6.1.24-6) unstable; urgency=medium

  * Removed Depends on JREs for library packages, no longer required
    by the policy.
  * Added missing depends on JREs for the jetty package.
  * Made init script ignore weird exit statuses from logrotate.
    (Closes: 589681, LP: #607202)
  * Fixed broken restart command in jetty init script. Was missing a
    negation.

 -- Niels Thykier  Mon, 05 Jul 2010 22:28:14 +0200

jetty (6.1.24-5) unstable; urgency=low

  * Ignore test failures. (Closes: #586635)
  * Remove debian/.mh in clean target.

 -- Torsten Werner  Tue, 29 Jun 2010 20:53:42 +0200

jetty (6.1.24-4) unstable; urgency=low

  * Updated the versions in the Manifests to match the actual version
    of jetty.
  * Remove all use of sudo in jetty.init. (Closes: #580639)
  * Fixed some formatting issues in the NEWS file.
  * Bumped debhelper compat to 7.
  * Made the javadoc link against system javadocs. This includes adding
    Recommends on various java-doc packages.

 -- Niels Thykier  Sun, 20 Jun 2010 14:49:32 +0200

jetty (6.1.24-3) unstable; urgency=low

  [ Torsten Werner ]
  * Merge changes from Ubuntu version 6.1.22-1ubuntu1:
    - debian/build.xml, debian/module.xml: Enable tests in the jetty module
    - debian/rules: Adding slf4j-simple to the DEB_JARS since it's used
      in tests
    - debian/rules, debian/control: Added junit and ant-optional needed
      for tests

  [ Miguel Landaeta ]
  * Enable jetty-plus and jetty-annotations modules. (Closes: #585387).

 -- Torsten Werner  Thu, 10 Jun 2010 14:07:51 -0430

jetty (6.1.24-2) unstable; urgency=low

  * Set JAVA_HOME in d/rules to /usr/lib/jvm/default-java.
    (Closes: #578618, #579469)
  * Fix the installation of jetty-util5.jar.
    (Closes: #569328)

 -- Torsten Werner  Thu, 29 Apr 2010 07:36:43 +0200

jetty (6.1.24-1) unstable; urgency=low

  [ Niels Thykier ]
  * Reduced Depends on libjetty-java-doc to a Suggests. (Closes: #569293)
  * Clarified what JETTY_HOST should be set to in order to accept all
    connections. (Closes: #554874)
  * Bumped Standards-Version to 3.8.4 - no changes required.

  [ Torsten Werner ]
  * New upstream release.
  * Change Build-Depends: default-jdk. (Closes: #578618)
  * Switch to source format 3.0.

 -- Torsten Werner  Fri, 23 Apr 2010 23:55:35 +0200

jetty (6.1.22-1ubuntu1) lucid; urgency=low

  * debian/build.xml, debian/module.xml: Enable tests in the jetty module
  * debian/rules: Adding slf4j-simple to the DEB_JARS since it's used in
    tests
  * debian/rules, debian/control: Added junit and ant-optional needed for
    tests
  * debian/control, debian/rules: Build with default-jdk.

 -- Thierry Carrez  Tue, 26 Jan 2010 09:52:06 +0100

jetty (6.1.22-1) unstable; urgency=medium

  * New upstream release. (Closes: #553644)
  * Added OSGi bundle metadata (by upstream). (Closes: #558187)
  * Corrected path to jetty web-apps (by Niels Thykier). (Closes: #554877)

 -- Pablo Duboue  Sun, 13 Dec 2009 1:55:00 -0400

jetty (6.1.21-1) unstable; urgency=medium

  * New upstream release.
  * Stopped using /tmp/jetty-temp in /etc/init.d/jetty for security reasons.
    - JVM_TMP is now /var/cache/jetty/tmp
    - JETTY_TMP is now /var/cache/jetty/data
  * The postrm script no longer deletes files in /tmp/jetty-temp.
  * Removed Philipp Meier from Uploaders (last upload was 2006-06-07).
    Thanks for your work on this package.
  * Corrected javadoc symlink in binary package jetty.

 -- Niels Thykier  Fri, 23 Oct 2009 20:45:43 +0200

jetty (6.1.20-2) unstable; urgency=low

  * Move documentation to /usr/share/doc/libjetty-java
  * Better postinst and postrm scripts, aligned with tomcat6 scripts:
    - postinst: user jetty is created with its own group
    - postrm: better cleanup of temporary data, thorough remove and purge
      of data
  * debian/changelog:
    - fix suggest for package libjetty-java-doc, add libjetty-java-doc to
      the list of Suggests for libjetty-java
    - add libjetty-extra to the list of Suggests for package jetty.

 -- Ludovic Claude  Mon, 07 Sep 2009 00:22:20 +0100

jetty (6.1.20-1) unstable; urgency=medium

  [ Niels Thykier ]
  * New upstream release.
  * Stop using Build-Depends-Indep, since the policy and the build daemons
    disagree on when it should be used (Closes: #540861).
  * Corrected jetty.install to reflect the move of some license files in
    the source tree.
  * Bumped to Standard-Versions 3.8.3 - no changes required.
  * Updated jetty.post{install,rm} scripts to use "set -e" instead of
    passing it to sh.
  * Installed "VERSION.txt" as upstream changelog.
  * A previous version (6.1.18-1) fixed the following security problems,
    which were not mentioned in the changelog: CVE-2007-5613, CVE-2007-5614,
    CVE-2007-5615, CVE-2009-1523, and CVE-2009-1524 (see below for more
    information).

  [ Torsten Werner ]
  * Set urgency to medium because this version fixes a FTBFS.

 -- Torsten Werner  Sun, 06 Sep 2009 23:06:45 +0200

jetty (6.1.19-2) unstable; urgency=low

  * Upload to unstable.

 -- Torsten Werner  Sun, 09 Aug 2009 08:48:10 +0200

jetty (6.1.19-1) experimental; urgency=low

  [ Ludovic Claude ]
  * New upstream release fixing a security vulnerability (cookies are not
    secure if you are running behind a netscaler).
  * Remove the bootstrap patch as it has been added upstream and update
    the build to use the new start-daemon component.
  * Remove the Build-Depend on quilt as the patch is not needed anymore.
  * Add the Maven POM to the package.
  * Add a Build-Depends dependency on maven-repo-helper.
  * Use mh_installpom and mh_installjar to install the POM and the jar to
    the Maven repository.
  * Add optional support for web applications located in /usr/share/webapps.
  * Add a cron job that cleans up the old log files in /var/log/jetty.
  * Register the Javadoc into Debian documentation and put it in a separate
    package (libjetty-java-doc).
  * Use openjdk-6-jdk for the build; add a Build-Depends on this package.
    Required to build the javadoc.
  * Update debian/copyright (patch provided by Jan Pascal Vanbest).

  [ Torsten Werner ]
  * Add myself to Uploaders.
  * Update Standards-Version: 3.8.2.
  * Move package libjetty-java-doc to Section: doc.
  * Fix init script: check for /etc/default/rcS before reading it.

 -- Torsten Werner  Tue, 14 Jul 2009 11:50:43 +0200

jetty (6.1.18-1) unstable; urgency=low

  [Ludovic Claude]
  * Add myself to Uploaders.
  * Change the build dependency on java-gcj to default-jdk.
  * Add init.d startup script.
  * Add dependencies on ant, libslf4j-java, libxerces2-java,
    libtomcat6-java for libjetty-extra-java, add links for the lib folder.
  * Add dependency on jsvc to run jetty as a daemon.
  * Add the package libjetty-setuid-java for the Setuid module (with native
    code).
  * Add an index page used when Jetty starts.
  * Use latest jasper from Tomcat to provide jsp 2.1 instead of Glassfish
    JSP implementation as in the standard distribution.
  * Add tools.jar to the classpath to be able to run JSP (Closes: #452586).
  * Fix Lintian warnings: add ${misc:Depends} to all Depends.
  * Move jetty to main as all its dependencies are in main, and jetty
    contains only code that complies with Debian guidelines, use java
    section like tomcat6 (Closes: #498582).
  * Do not depend on tomcat 5.5 (Closes: #530720, #458399).
  * Remove empty prerm and preinst scripts.
  * Remove old patches that don't apply anymore.
  * Update copyright and remove full text of Apache license.
  * Bump up compat to 6 and Standards-Version to 3.8.1.

  [David Yu]
  * New upstream release for jetty (Closes: #528389, #527571, #454529,
    #425152).
  * Fixed jetty.links. Now delegates install of start.jar to libjetty-java.

  [ Torsten Werner ]
  * fixes several security issues:
    - CVE-2007-5613: Cross-site scripting (XSS) vulnerability in Dump
      Servlet.
    - CVE-2007-5614: Quote Sequence vulnerability.
    - CVE-2007-5615: CRLF injection vulnerability.
    - CVE-2009-1523: Directory traversal vulnerability in the HTTP server
      in Mort Bay Jetty.
    - CVE-2009-1524: Cross-site scripting (XSS) vulnerability in Mort Bay
      Jetty.
    (Closes: #454529, #528389, #527571, #543462).

 -- Ludovic Claude  Fri, 12 Jun 2009 17:19:08 +0100

jetty (5.1.14-1) unstable; urgency=low

  * New upstream release.
    - Removed debian/patches/cve-2007-6969.patch. Applied upstream.
  * Added recognition of installed libcommons-el-java to
    debian/start.config. Closes: #352093.
  * Fixed short and long service description in debian/jetty.init.
    Closes: #446788.
  * Removed libapache2-mod-webapp from Suggests.
  * Added watch file.

 -- Michael Koch  Wed, 24 Oct 2007 14:14:45 +0200

jetty (5.1.10-4) unstable; urgency=low

  * Added patch to fix CVE-2006-6969. Thanks to Greg Wilkins for the patch.
    Closes: #445283.
  * Updated debian/patches/jdk-1.2-src-encoding.patch to make it work with
    current ecj.

 -- Michael Koch  Fri, 05 Oct 2007 07:34:55 +0200

jetty (5.1.10-3) unstable; urgency=low

  * Fix debian/jetty.init to permit removal without purge and offer a new
    NO_START option in /etc/default/jetty. Closes: #356067.
    Thanks to Loic Minier for the patch.
  * Added additional paths to JDK_DIRS in debian/jetty.init.
    Closes: #405851.
  * (Build-)Depends on java-gcj-compat.
  * Moved debhelper from Build-Depends-Indep to Build-Depends.
  * Removed Build-Depends on libtomcat5-java and replace Depends on
    libtomcat5-java by libtomcat5.5-java.
  * Added LSB section in debian/jetty.init.
  * Removed extra license file from /usr/share/doc/jetty.
  * Added myself to Uploaders.

 -- Michael Koch Tue, 24 Jul 2007 20:40:27 +0200

jetty (5.1.10-2) unstable; urgency=low

  * Fix in init script for new version of su (closes #367491).
  * Create logfile if not existing. Acknowledge NMU (closes #356066).

 -- Philipp Meier Tue, 30 May 2006 10:46:21 +0200

jetty (5.1.10-1) unstable; urgency=low

  * New upstream release.
  * Security fixes for windows.
  * Fixed path aliasing with // on windows.
  * Fix for AJP13 with multiple headers.
  * Fix for AJP13 with encoded path.
  * Remove null dispatch attributes from getAttributeNames.
  * Put POST content default back to iso_8859_1. GET is UTF-8 still.

 -- Philipp Meier Tue, 30 May 2006 10:40:18 +0200

jetty (5.1.8-3) unstable; urgency=low

  * Enhance dependencies.

 -- Philipp Meier Fri, 16 Dec 2005 10:53:48 +0100

jetty (5.1.8-2) unstable; urgency=low

  * Add dependency on apache2-util for log rotation. Closes: #343177.

 -- Philipp Meier Tue, 13 Dec 2005 14:28:09 +0100

jetty (5.1.8-1) unstable; urgency=low

  * New upstream release.
  From 5.1.8:
  * Fixed space in URL issue created in 5.1.6.
  From 5.1.7:
  * improved server stats.
  * char encoding for MultiPartRequest.
  * fixed merging of POST params in dispatch query string.
  * protect from NPE in dispatcher getValues.
  * Updated to 2.6.2 xerces.
  * JSP file servlet mappings copy JspServlet init params.
  * Prefix servlet context logs with org.mortbay.jetty.context.
  * better support for URI character encodings.
  * use commons logging jar instead of api jar.

 -- Philipp Meier Wed, 7 Dec 2005 11:06:10 +0100

jetty (5.1.6-1) unstable; urgency=high

  * New upstream release.
  * Fixed JSP visibility security issue in upstream.
  * Fix location of jasper since upgrade to tomcat5. Closes: #333010.

 -- Philipp Meier Wed, 30 Nov 2005 15:20:47 +0100

jetty (5.1.5rc1-5) unstable; urgency=low

  Patch from Oyvind Harboe:
  * increased default amount of memory available to 256Mbyte.
    the advantage of having more heap available is that more applications will
    be able to run without modification to the standard Jetty configuration.
  * added -Djava.library.path=/usr/lib to VM arguments. This is required to
    make e.g. the librxtx-java package work.
  * Closes: #32960.

 -- Philipp Meier Thu, 22 Sep 2005 16:13:16 +0200

jetty (5.1.5rc1-4) unstable; urgency=low

  Patch from Oyvind Harboe:
  * Fixed rc script /etc/init.d/jetty. "stop" could leave dangling
    /var/run/jetty.pid. Fixed this by adding "--oknodo" to
    "start-stop-daemon --stop" command.
  * Removed trailing "/" from LOGDIR which caused /var/log/out.log not to be
    created.
  * /etc/init.d/jetty start will now deal more gracefully with a dangling
    /var/run/jetty.pid. A dangling jetty.pid is detected and ignored.
  * Closes: #326176.

 -- Philipp Meier Fri, 2 Sep 2005 13:40:59 +0200

jetty (5.1.5rc1-3) unstable; urgency=low

  * Removed -v from ant opts during build.
  * Remove pid file on stop. Closes: #325667
  * Fix location of ant-1.6.jar in start.config. Closes: #324472.

 -- Philipp Meier Tue, 30 Aug 2005 13:37:15 +0200

jetty (5.1.5rc1-2) unstable; urgency=low

  * Builds with kaffe.
  * Adds patch to exclude Sun JSSE if not available.

 -- Philipp Meier Sat, 27 Aug 2005 14:21:12 +0200

jetty (5.1.5rc1-1) unstable; urgency=low

  * New upstream release.

 -- Philipp Meier Fri, 26 Aug 2005 12:53:50 +0200

jetty (5.1.4-1) unstable; urgency=low

  * New upstream release.
  * Added myself to Uploaders in control.
  * Standards-Version bumped to 3.6.2.
  * Removed debian/watch which will not work with sourceforge.
  * Manage changes to upstream with cdbs simple-patchsys.
  * Fixed rc script /etc/init.d/jetty.
  * Adjusted new location of servlet.jar. Closes: #280139.

 -- Philipp Meier Fri, 12 Aug 2005 18:14:28 +0200

jetty (5.0.0-3) unstable; urgency=low

  * Package is now maintained by pkg-java. Maintainer was updated.
  * Disable validation of xml files in start.config by default.
    Closes: #298731.
  * Add /usr/lib/j2sdk1.5-sun to JAVA_HOME_DIRS in debian/rules.

 -- Philipp Meier Thu, 30 Jun 2005 14:32:31 +0200

jetty (5.0.0-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Transition to liblog4j1.2-java. Closes: #306761.

 -- Matej Vela Mon, 2 May 2005 12:12:12 +0200

jetty (5.0.0-2) unstable; urgency=low

  * Shipping working default configuration in /etc/jetty/jetty.xml.
    Closes: #278134

 -- Philipp Meier Mon, 25 Oct 2004 11:52:25 +0200

jetty (5.0.0-1) unstable; urgency=low

  * New upstream release.

 -- Philipp Meier Thu, 16 Sep 2004 00:40:41 +0200

jetty (4.2.22-2) unstable; urgency=low

  * New upstream release.
  * Changed maintainer email.

 -- Philipp Meier Wed, 25 Aug 2004 18:14:56 +0200

jetty (4.2.21-1) unstable; urgency=low

  * New upstream release.

 -- Philipp Meier Mon, 23 Aug 2004 15:23:25 +0200

jetty (4.2.19-1) unstable; urgency=high

  * New upstream release.
  * Fixed DOS attack problem.

 -- Philipp Meier Fri, 19 Mar 2004 17:55:45 +0100

jetty (4.2.18-1) unstable; urgency=low

  * New upstream release.
  * Package description of jetty-extra lists the extensions provided.
    Closes: #232824

 -- Philipp Meier Mon, 1 Mar 2004 13:54:01 +0100

jetty (4.2.15-1) unstable; urgency=low

  * Adds missing javadoc to /usr/share/doc/
  * Removes invalid libxdoclet-java from Build-Depends.
  * Fixed clean target in upstream's extra build file. Building jetty twice
    from the debianized source should work now.

 -- Philipp Meier Thu, 15 Jan 2004 14:00:13 +0100

jetty (4.2.15) unstable; urgency=low

  * New upstream release.
  * New additional package jetty-extra.
  * Updated standards version from 3.5.10 to 3.6.0
  * Build target directory are no longer in debian because the customization
    of the build process does not really pay off.

 -- Philipp Meier Wed, 14 Jan 2004 14:00:01 +0100

jetty (4.2.12-2) unstable; urgency=low

  * Fixes start.config to make jetty run with kaffe.
  * Updated standards version from 3.5.8 to 3.5.10.

 -- Philipp Meier Fri, 29 Aug 2003 14:43:40 +0200

jetty (4.2.12-1) unstable; urgency=low

  * New upstream release.

 -- Philipp Meier Tue, 12 Aug 2003 14:07:56 +0200

jetty (4.2.11-7) unstable; urgency=low

  * Adds alternative dependency on j2sdk1.4.
  * Fixes typos in debian/TODO.
  * Adds ant to classpath because jasper needs it.

 -- Philipp Meier Thu, 7 Aug 2003 20:34:19 +0200

jetty (4.2.11-6) unstable; urgency=low

  * Removes DH_VERBOSE from debian/rules.
  * /etc/jetty will be removed on purge.
  * Add build-dependency on j2sdk1.4.

 -- Philipp Meier Wed, 23 Jul 2003 15:38:05 +0200

jetty (4.2.11-5) unstable; urgency=low

  * Fix for /etc/default/jetty which was misplaced.
  * Fixes messed-up corrections for javadoc tags. Introduced before.

 -- Philipp Meier Wed, 23 Jul 2003 01:11:42 +0200

jetty (4.2.11-4) unstable; urgency=low

  * Jetty depends on j2re1.4 until build process of jetty with java < 1.4
    works.
  * Fixes in build process.

 -- Philipp Meier Thu, 17 Jul 2003 12:56:14 +0200

jetty (4.2.11-3) unstable; urgency=low

  * Creates /usr/share/java/webapps if necessary.
  * No longer uses symlinks in ext but a debianized start.config.
  * Changed to multiline logging.
  * Removed demo webapps and provides a preliminary debian jetty root.
  * Fixes /etc/defaults/jetty to be /etc/default/jetty.

 -- Philipp Meier Thu, 17 Jul 2003 12:56:03 +0200

jetty (4.2.11-2) unstable; urgency=low

  * Adds build dependencies on libmx4j-java and iblog4j-java.
  * Removes comment about "Tomcat 4" from /etc/jetty.init.
  * Renamed debian/{pre,post}{inst,rm} to debian/jetty.*
  * Enables javac.debug to provide useful stack traces.

 -- Philipp Meier Tue, 15 Jul 2003 21:50:36 +0200

jetty (4.2.11-1) unstable; urgency=low

  * Initial Release.

 -- Philipp Meier Mon, 14 Jul 2003 13:21:36 +0200