tomcat8 (8.0.14-1+deb8u28) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Fix CVE-2023-46589:
    Tomcat did not correctly parse HTTP trailer headers.
    A trailer header that exceeded the header size limit could cause
    Tomcat to treat a single request as multiple requests leading to the
    possibility of request smuggling when behind a reverse proxy.

 -- Markus Koschany <apo@debian.org>  Thu, 25 Apr 2024 12:57:06 +0200

tomcat8 (8.0.14-1+deb8u27) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Fix CVE-2023-42795: Information Disclosure. When recycling various internal
    objects, including the request and the response, prior to re-use by the
    next request/response, an error could cause Tomcat to skip some parts of
    the recycling process leading to information leaking from the current
    request/response to the next.
  * Fix CVE-2023-45648: Request smuggling. Tomcat did not correctly parse HTTP
    trailer headers. A specially crafted, invalid trailer header could cause
    Tomcat to treat a single request as multiple requests leading to the
    possibility of request smuggling when behind a reverse proxy.

 -- Markus Koschany <apo@debian.org>  Sun, 15 Oct 2023 22:18:06 +0200

tomcat8 (8.0.14-1+deb8u26) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Fix CVE-2023-24998:
    Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to
    provide the file upload functionality defined in the Jakarta Servlet
    specification. Apache Tomcat was, therefore, also vulnerable to the Apache
    Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to
    the number of request parts processed. This resulted in the possibility of
    an attacker triggering a DoS with a malicious upload or series of uploads.
  * Fix CVE-2023-41080:
    If the ROOT (default) web application is configured to use FORM
    authentication then it is possible that a specially crafted URL could be
    used to trigger a redirect to a URL of the attacker's choice.

 -- Markus Koschany <apo@debian.org>  Sun, 24 Sep 2023 15:46:29 +0200

tomcat8 (8.0.14-1+deb8u25) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Update TestRemoteIpFilter class and fix
    testJSessionIdSecureAttributeMissing test.

 -- Markus Koschany <apo@debian.org>  Mon, 10 Apr 2023 15:32:13 +0200

tomcat8 (8.0.14-1+deb8u24) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Fix CVE-2023-28708:
    When using the RemoteIpFilter with requests received from a reverse proxy
    via HTTP that include the X-Forwarded-Proto header set to https, session
    cookies created by Apache Tomcat did not include the secure attribute. This
    could result in the user agent transmitting the session cookie over an
    insecure channel.

 -- Markus Koschany <apo@debian.org>  Mon, 10 Apr 2023 00:04:46 +0200

tomcat8 (8.0.14-1+deb8u23) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * CVE-2022-23181: The fix for bug CVE-2020-9484 introduced a time of check,
    time of use vulnerability into Apache Tomcat that allowed a local attacker
    to perform actions with the privileges of the user that the Tomcat process
    is using. This issue is only exploitable when Tomcat is configured to
    persist sessions using the FileStore.

 -- Markus Koschany <apo@debian.org>  Sun, 20 Nov 2022 18:59:53 +0100

tomcat8 (8.0.14-1+deb8u22) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Fix CVE-2021-30640:
    A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
    authenticate using variations of a valid user name and/or to bypass some of
    the protection provided by the LockOut Realm.
  * Fix CVE-2021-33037:
    Apache Tomcat did not correctly parse the HTTP transfer-encoding request
    header in some circumstances leading to the possibility of request
    smuggling when used with a reverse proxy. Specifically: - Tomcat
    incorrectly ignored the transfer encoding header if the client declared it
    would only accept an HTTP/1.0 response; - Tomcat honoured the identity
    encoding; and - Tomcat did not ensure that, if present, the chunked
    encoding was the final encoding.

 -- Markus Koschany <apo@debian.org>  Wed, 11 Aug 2021 13:28:06 +0200

tomcat8 (8.0.14-1+deb8u21) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Use a different solution to fix CVE-2021-25329 in order to fix two failing
    tests.

 -- Markus Koschany <apo@debian.org>  Mon, 22 Mar 2021 01:08:00 +0100

tomcat8 (8.0.14-1+deb8u20) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Fix CVE-2021-25329:
    The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat with a
    configuration edge case that was highly unlikely to be used, the Tomcat
    instance was still vulnerable to CVE-2020-9494. Note that both the
    previously published prerequisites for CVE-2020-9484 and the previously
    published mitigations for CVE-2020-9484 also apply to this issue.

 -- Markus Koschany <apo@debian.org>  Sun, 21 Mar 2021 22:36:00 +0100

tomcat8 (8.0.14-1+deb8u19) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Add ignore-failing-tests.patch to ignore test failures due to isolated
    networking.

 -- Markus Koschany <apo@debian.org>  Fri, 17 Jul 2020 21:36:01 +0200

tomcat8 (8.0.14-1+deb8u18) jessie-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Fix CVE-2020-13935:
    The payload length in a WebSocket frame was not correctly validated.
    Invalid payload lengths could trigger an infinite loop. Multiple requests
    with invalid payload lengths could lead to a denial of service.
  * Add ignore-failing-tests.patch to ignore test failures due to isolated
    networking.

 -- Markus Koschany <apo@debian.org>  Wed, 15 Jul 2020 21:30:09 +0200

tomcat8 (8.0.14-1+deb8u17) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.

  * WARNING: The fix for CVE-2020-1938 may disrupt services that rely on a
    working AJP configuration. The option secretRequired defaults to true now.
    You should define a secret in your server.xml or you can revert back by
    setting secretRequired to false.

  * Fix CVE-2019-17563:
    When using FORM authentication with Apache Tomcat there was a narrow window
    where an attacker could perform a session fixation attack. The window was
    considered too narrow for an exploit to be practical but, erring on the
    side of caution, this issue has been treated as a security vulnerability.
  * Fix CVE-2020-1935:
    In Apache Tomcat the HTTP header parsing code used an approach to
    end-of-line parsing that allowed some invalid HTTP headers to be parsed as
    valid. This led to a possibility of HTTP Request Smuggling if Tomcat was
    located behind a reverse proxy that incorrectly handled the invalid
    Transfer-Encoding header in a particular manner. Such a reverse proxy is
    considered unlikely.
  * Fix CVE-2020-1938:
    When using the Apache JServ Protocol (AJP), care must be taken when
    trusting incoming connections to Apache Tomcat. Tomcat treats AJP
    connections as having higher trust than, for example, a similar HTTP
    connection. If such connections are available to an attacker, they can be
    exploited in ways that may be surprising. Previously Tomcat shipped with an
    AJP Connector enabled by default that listened on all configured IP
    addresses. It was expected (and recommended in the security guide) that
    this Connector would be disabled if not required.
    .
    Note that Debian already disabled the AJP connector by default.
    Mitigation is only required if the AJP port was made accessible to
    untrusted users.
  * Fix CVE-2020-9484:
    When using Apache Tomcat, if a) an attacker is able to control the contents
    and name of a file on the server; and b) the server is configured to use
    the PersistenceManager with a FileStore; and c) the PersistenceManager is
    configured with sessionAttributeValueClassNameFilter="null" (the default
    unless a SecurityManager is used) or a sufficiently lax filter to allow the
    attacker provided object to be deserialized; and d) the attacker knows the
    relative file path from the storage location used by FileStore to the file
    the attacker has control over; then, using a specifically crafted request,
    the attacker will be able to trigger remote code execution via
    deserialization of the file under their control. Note that all of
    conditions a) to d) must be true for the attack to succeed.

 -- Markus Koschany <apo@debian.org>  Thu, 28 May 2020 18:08:54 +0200
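
The secretRequired warning in the entry above, as an added example (not part of the Debian changelog or the tomcat8 package): a Python check that reads a server.xml and reports which AJP connectors have no secret defined. The sample file, the status labels and the treatment of a missing address attribute as non-loopback are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the package). It covers the
# cases the changelog warning distinguishes: no secret at all, secretRequired
# switched off, and a connector with a secret defined.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="false"/>
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"
               secret="CHANGE-ME-placeholder"/>
    <Connector port="8012" protocol="AJP/1.3" secretRequired="false"/>
  </Service>
</Server>
"""

# Addresses counted as local-only. A connector with no address attribute is
# treated as reachable from other hosts (assumption of this example; confirm
# the default bind address for the Tomcat version in use).
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def is_ajp(connector):
    """True for protocol="AJP/1.3" and for AJP protocol class names."""
    return "ajp" in connector.get("protocol", "HTTP/1.1").lower()


def audit_ajp(server_xml_text):
    """Return one finding per AJP <Connector> in a server.xml document."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        has_secret = bool(conn.get("secret", "").strip())
        # secretRequired defaults to true after the CVE-2020-1938 fix.
        required = conn.get("secretRequired", "true").strip().lower() != "false"
        address = conn.get("address")
        if has_secret:
            status = "ok"
        elif required:
            # The case the warning is about: a secret is required, none is set.
            status = "missing-secret"
        elif address in LOOPBACK:
            status = "unauthenticated-local"
        else:
            # Reverted to the old behaviour on a port others may reach.
            status = "unauthenticated-exposed"
        findings.append({
            "port": conn.get("port"),
            "address": address or "(unset)",
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp(SAMPLE_SERVER_XML):
        print("AJP port {port} address {address}: {status}".format(**finding))
```

To check a real installation, pass the contents of the server.xml under /etc/tomcat8 to audit_ajp() instead of the sample string.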

tomcat8 (8.0.14-1+deb8u16) jessie-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * Fix CVE-2019-12418: manipulate the RMI registry to perform a
    man-in-the-middle attack via JMX Remote Lifecycle Listener

 -- Abhijith PA <abhijith@debian.org>  Mon, 23 Mar 2020 22:58:21 +0530

tomcat8 (8.0.14-1+deb8u15) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix flaky FTBFS by improving fix for CVE-2017-5647.
  * Refresh the expired SSL certificates used by the tests from
    freshly-renewed upstream Tomcat and adapt the test user DN.
  * Fix CVE-2019-0221:
    The SSI printenv command in Apache Tomcat echoes user provided
    data without escaping and is, therefore, vulnerable to XSS. SSI is
    disabled by default. The printenv command is intended for
    debugging and is unlikely to be present in a production website.
  * Fix CVE-2018-8014:
    The default settings for the CORS filter provided in Apache
    Tomcat are insecure and enable 'supportsCredentials' for all
    origins. It is expected that users of the CORS filter will have
    configured it appropriately for their environment rather than
    using it in the default configuration. Therefore, it is expected
    that most users will not be impacted by this issue.
  * Fix CVE-2016-5388:
    Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875
    section 4.1.18 and therefore does not protect applications from
    the presence of untrusted client data in the HTTP_PROXY
    environment variable, which might allow remote attackers to
    redirect an application's outbound HTTP traffic to an arbitrary
    proxy server via a crafted Proxy header in an HTTP request, aka an
    "httpoxy" issue.  The 'cgi' servlet now has a 'envHttpHeaders'
    parameter to filter environment variables.

 -- Sylvain Beucler <beuc@debian.org>  Tue, 13 Aug 2019 16:22:22 +0200

tomcat8 (8.0.14-1+deb8u14) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2018-11784:
    Sergey Bobrov discovered that when the default servlet returned a redirect
    to a directory (e.g. redirecting to /foo/ when the user requested /foo) a
    specially crafted URL could be used to cause the redirect to be generated
    to any URI of the attacker's choice.

 -- Markus Koschany <apo@debian.org>  Mon, 15 Oct 2018 14:03:25 +0200

tomcat8 (8.0.14-1+deb8u13) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Fix CVE-2018-1336: An improper handling of overflow in the UTF-8 decoder
    with supplementary characters can lead to an infinite loop in the decoder
    causing a Denial of Service.
  * Fix CVE-2018-8034: The host name verification when using TLS with the
    WebSocket client was missing. It is now enabled by default.

 -- Roberto C. Sanchez <roberto@debian.org>  Sat, 01 Sep 2018 11:13:51 -0400

tomcat8 (8.0.14-1+deb8u12) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * Refreshed the expired SSL certificates used by the tests
  * Fix CVE-2018-1304:
    The URL pattern of "" (the empty string) which exactly maps to the context
    root was not correctly handled when used as part of a security constraint
    definition. This caused the constraint to be ignored. It was, therefore,
    possible for unauthorised users to gain access to web application
    resources that should have been protected. Only security constraints with
    a URL pattern of the empty string were affected. (Closes: #802312)
  * Fix CVE-2018-1305:
    Security constraints defined by annotations of Servlets were only applied
    once a Servlet had been loaded. Because security constraints defined in
    this way apply to the URL pattern and any URLs below that point, it was
    possible - depending on the order Servlets were loaded - for some security
    constraints not to be applied. This could have exposed resources to users
    who were not authorised to access them. (Closes: #802312)
 
 -- Roberto C. Sanchez <roberto@debian.org>  Sun, 22 Jul 2018 23:07:52 -0400

tomcat8 (8.0.14-1+deb8u11) jessie-security; urgency=high

  * Fix CVE-2017-7674:
    The CORS Filter did not add an HTTP Vary header indicating that the
    response varies depending on Origin. This permitted client and server side
    cache poisoning in some circumstances.

 -- Sebastien Delafond <seb@debian.org>  Fri, 15 Sep 2017 13:18:33 +0200

tomcat8 (8.0.14-1+deb8u10) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-5664.
    The error page mechanism of the Java Servlet Specification requires that,
    when an error occurs and an error page is configured for the error that
    occurred, the original request and response are forwarded to the error
    page. This means that the request is presented to the error page with the
    original HTTP method. If the error page is a static file, expected
    behaviour is to serve content of the file as if processing a GET request,
    regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
    did not do this. Depending on the original request this could lead to
    unexpected and undesirable results for static error pages including, if the
    DefaultServlet is configured to permit writes, the replacement or removal
    of the custom error page. (Closes: #864447)

 -- Markus Koschany <apo@debian.org>  Tue, 20 Jun 2017 20:26:44 +0200

tomcat8 (8.0.14-1+deb8u9) jessie-security; urgency=high

  * Team upload.
  * Fix the following security vulnerabilities:
   - CVE-2017-5647:
     A bug in the handling of the pipelined requests when send file was used
     resulted in the pipelined request being lost when send file processing of
     the previous request completed. This could result in responses appearing
     to be sent for the wrong request. For example, a user agent that sent
     requests A, B and C could see the correct response for request A, the
     response for request C for request B and no response for request C.
   - CVE-2017-5648:
     It was noticed that some calls to application listeners did not use the
     appropriate facade object. When running an untrusted application under a
     SecurityManager, it was therefore possible for that untrusted application
     to retain a reference to the request or response object and thereby access
     and/or modify information associated with another web application.

 -- Markus Koschany <apo@debian.org>  Sun, 30 Apr 2017 21:38:43 +0200

tomcat8 (8.0.14-1+deb8u8) jessie-security; urgency=high

  * Team upload.
  * Add BZ57544-infinite-loop-part2.patch.
    Fix regression (400 HTTP errors) due to an incomplete fix for
    CVE-2017-6056. See #854551 for further information.

 -- Markus Koschany <apo@debian.org>  Sat, 18 Feb 2017 18:44:25 +0100

tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high

  * Team upload.
  * Add BZ57544-infinite-loop.patch: It was found that https GET requests could
    trigger an infinite loop and thus cause a denial-of-service.
    (Closes: #851304)

 -- Markus Koschany <apo@debian.org>  Mon, 13 Feb 2017 10:34:43 +0100

tomcat8 (8.0.14-1+deb8u6) jessie-security; urgency=high

  * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
    the NIO HTTP connector resulted in the current Processor object being added
    to the Processor cache multiple times. This in turn meant that the same
    Processor could be used for concurrent requests. Sharing a Processor can
    result in information leakage between requests including, but not limited
    to, session ID and the response body.

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 05 Jan 2017 17:10:29 +0100

tomcat8 (8.0.14-1+deb8u5) jessie-security; urgency=high

  * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat8
    package is upgraded. Thanks to Paul Szabo for the report (Closes: #845393)
  * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat8
    package is purged. Thanks to Paul Szabo for the report (Closes: #845385)
  * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
    invalid characters. This could be exploited, in conjunction with a proxy
    that also permitted the invalid characters but with a different
    interpretation, to inject data into the HTTP response. By manipulating the
    HTTP response the attacker could poison a web-cache, perform an XSS attack
    and/or obtain sensitive information from requests other than their own.
  * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
    account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
    using this listener remained vulnerable to a similar remote code execution
    vulnerability. This issue has been rated as important rather than critical
    due to the small number of installations using this listener and that it
    would be highly unusual for the JMX ports to be accessible to an attacker
    even when the listener is used.
  * Backported the fix for upstream bug 57377: Remove the restriction that
    prevented the use of SSL when specifying a bind address for the JMX/RMI
    server. Enable SSL to be configured for the registry as well as the server.
  * CVE-2016-5018 follow-up: Applied a missing modification fixing
    a ClassNotFoundException when the security manager is enabled (see #846298)
  * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
    from accessing the global resources (see #845425)
  * CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
  * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
    with recent JREs
  * Backported a fix disabling the broken SSLv3 tests
  * Refreshed the expired SSL certificates used by the tests
  * Set the locale when running the tests to prevent locale sensitive tests
    from failing
  * Added asm-all.jar to the test classpath to fix TestWebappServiceLoader
  * Fixed a test failure in the new TestNamingContext test added with the fix
    for CVE-2016-6797
  * Test failures are no longer ignored and now stop the build

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 17 Dec 2016 09:19:36 +0100

tomcat8 (8.0.14-1+deb8u4) jessie-security; urgency=medium

  * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
    password if the supplied user name did not exist. This made a timing attack
    possible to determine valid user names.
  * Fixed CVE-2016-5018: A malicious web application was able to bypass
    a configured SecurityManager via a Tomcat utility method that was
    accessible to web applications.
  * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
    application's ability to read system properties should be controlled by
    the SecurityManager. Tomcat's system property replacement feature for
    configuration files could be used by a malicious web application to bypass
    the SecurityManager and read system properties that should not be visible.
  * Fixed CVE-2016-6796: A malicious web application was able to bypass
    a configured SecurityManager via manipulation of the configuration
    parameters for the JSP Servlet.
  * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
    access to global JNDI resources to those resources explicitly linked to the
    web application. Therefore, it was possible for a web application to access
    any global JNDI resource whether an explicit ResourceLink had been
    configured or not.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could
      be exploited to make any existing file writable by the tomcat user.
      Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the system.
      Thanks to Paul Szabo for the report.
  * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 17 Nov 2016 09:00:15 +0100

tomcat8 (8.0.14-1+deb8u3) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2016-1240:
    tomcat8.init: Protect /var/lib/tomcat8/catalina.out against a symlink
    attack and possible root privilege escalation.
  * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
    (Closes: #825786)
  * Change file permissions to 640 for Debian files in /etc/tomcat8.

 -- Markus Koschany <apo@debian.org>  Mon, 15 Aug 2016 17:38:02 +0200

tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high

  * Team upload.

  [ Emmanuel Bourg ]
  * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads

  [ Markus Koschany ]
  * Fix CVE-2015-5174:
    Directory traversal vulnerability in RequestUtil.java allows remote
    authenticated users to bypass intended SecurityManager restrictions and
    list a parent directory via a /.. (slash dot dot) in a pathname used by a
    web application in a getResource, getResourceAsStream, or getResourcePaths
    call, as demonstrated by the $CATALINA_BASE/webapps directory.
  * Fix CVE-2015-5345:
    The Mapper component in Apache Tomcat processes redirects before
    considering security constraints and Filters, which allows remote attackers
    to determine the existence of a directory via a URL that lacks a trailing /
    (slash) character.
  * Fix CVE-2015-5346:
    Session fixation vulnerability in Apache Tomcat when different session
    settings are used for deployments of multiple versions of the same web
    application, might allow remote attackers to hijack web sessions by
    leveraging use of a requestedSessionSSL field for an unintended request,
    related to CoyoteAdapter.java and Request.java.
  * Fix CVE-2015-5351:
    The Manager and Host Manager applications in Apache Tomcat establish
    sessions and send CSRF tokens for arbitrary new requests, which allows
    remote attackers to bypass a CSRF protection mechanism by using a token.
  * Fix CVE-2016-0706:
    Apache Tomcat does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list, which allows
    remote authenticated users to bypass intended SecurityManager restrictions
    and read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
  * Fix CVE-2016-0714:
    The session-persistence implementation in Apache Tomcat mishandles session
    attributes, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and execute arbitrary code in a privileged
    context via a web application that places a crafted object in a session.
  * Fix CVE-2016-0763:
    The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 23 Jun 2016 00:27:20 +0200

tomcat8 (8.0.14-1+deb8u1) jessie-security; urgency=medium

  * Fixed CVE-2014-7810: Malicious web applications could use expression
    language to bypass the protections of a Security Manager as expressions
    were evaluated within a privileged code section.

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 18 Dec 2015 10:20:56 +0100

tomcat8 (8.0.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 13:23:43 +0200

tomcat8 (8.0.12-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Fixed the tomcat8-examples configuration (Closes: #753372)
  * No longer create the common/server/shared directories under
    /var/lib/tomcat8, and use a unique lib directory as documented
    upstream since Tomcat 6. The old directories are still supported
    if inherited from a previous installation (Closes: #754386)
  * Depend on libecj-java >= 3.10.0 to support the new Java 8 syntax in JSPs
  * Install the missing tomcat-dbcp.jar in libtomcat8-java and use it as
    the default JDBC pool implementation instead of Commons DBCP.
  * Removed the obsolete patch 0012-java7-compat.patch
  * Tightened the build dependency on junit4 (>= 4.11)
  * Build the Javadoc with the JDK specified by the JAVA_HOME variable
    instead of the default JDK (this fixes a build failure when backporting
    to Wheezy)
  * Removed the note about the authbind IPv6 incompatibility
    in /etc/defaults/tomcat8

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 17 Sep 2014 16:23:52 +0200

tomcat8 (8.0.9-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Search for OpenJDK 8 and Oracle JDKs when starting the server
  * Removed the dependency on the non existent java-7-runtime package
  * Fixed a link still pointing to the Tomcat 7 documentation in README.Debian
  * Updated the version required for libtcnative-1 (>= 1.1.30)

  [ tony mancill ]
  * Update README.Debian with information about migration guides.

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 24 Jun 2014 21:28:37 +0200

tomcat8 (8.0.8-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 22 May 2014 13:01:55 +0200

tomcat8 (8.0.5-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Disabled Java 8 support in JSPs (requires an Eclipse compiler update)
  * Fixed the name of the doc-base file for libservlet3.1-java (Closes: #746338)
  * Update email addresses of maintainers.

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 29 Apr 2014 10:22:45 +0200

tomcat8 (8.0.3-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * Team upload.
  * New upstream release (Closes: #722675)
    - Updated the version of the Servlet, JSP and EL APIs
    - Switched to Java 7
    - Updated the watch file to match the Tomcat 8 releases
    - Refreshed the patches
    - Updated debian/copyright, documented the xsd files licensed under the CDDL
    - Installed the new jars (spdy, jni, websocket, websocket-api, storeconfig)
    - Updated the artifactId of the specification jars to include
      the new javax prefix
    - Added the javax.websocket-api artifact to libservlet3.1-java
    - New build dependency on cglib, easymock and objenesis
  * Added a patch to include the name of the distribution on the error pages
  * Use XZ compression for the upstream tarball
  * debian/control:
    - Replaced Sun Microsystems with Oracle in the packages descriptions
    - Mentioned 'Apache Tomcat' in the packages descriptions
    - Standards-Version updated to 3.9.5 (no changes)
  * Deploy the Tomcat artifacts in the Maven repository with the 8.x version
    instead of 'debian' to avoid conflicts with other versions of Tomcat.
  * Hard coded the versions in the poms in debian/javaxpoms to fix the version
    of the dependencies for jsp-api
  * Renamed the jars in /usr/share/java to tomcat8-xxx to avoid conflicts
    with other versions of Tomcat
  * Added the missing descriptions to the patches
  * Added a patch to ignore the failing tests
  * Moved the tomcat-{servlet|jsp|el}-api artifacts from libservlet3.1-java
    to libtomcat8-java and changed their versions to the Tomcat version instead
    of the specification version.
  * Removed libservlet3.1-java.links defining the tomcat-* links
    in /usr/share/java with the specifications versions
  * The symlinks to /usr/share/tomcat8/lib are no longer split between the two
    packages libtomcat8-java and tomcat8-common. tomcat8-common assembles all
    the jars required by Tomcat (tomcat jars + dbcp + pool). libtomcat8-java
    deploys only the jars in /usr/share/java and the Maven artifacts in
    /usr/share/maven-repo.
  * Added the EL and WebSocket APIs to libservlet3.1-java-doc
  * Added a Lintian override for the incompatible-java-bytecode-format warning
    since Tomcat requires Java 7
  * Added a Lintian override to clear the codeless-jar warnings
    on the tomcat-i18n jars instead of a patch turning them into zip files.
  * Removed 0011-fix-classpath-lintian-warnings.patch and specified
    the classpath of jasper.jar in libtomcat8-java.manifest instead.
  
  [ tony mancill ]
  * Include tomcat-util-scan.jar in the libtomcat8-java package.
  * Remove debian/NEWS (inapplicable to this release).
  * Prune debian/changelog to only contain tomcat8 entries.

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 15 Mar 2014 23:23:14 +0100
