From: Andreas Tille
Newsgroups: linux.debian.maint.java
Subject: Re: Changes to get tomcat8 security fixes into Debian 9?
Date: Tue, 28 Apr 2020 10:57:00 +0200
Message-ID: <20200428085700.GR1150@an3as.eu>
References: <20200305083442.GL14082@an3as.eu> <3599459e-7758-5682-6ba6-96e91355924f@debian.org> <20200306141709.GI14082@an3as.eu>
List-Archive: https://lists.debian.org/msgid-search/20200428085700.GR1150@an3as.eu

On Fri, Mar 06, 2020 at 03:17:09PM +0100, Andreas Tille wrote:
> On Fri, Mar 06, 2020 at 12:24:56AM +0100, Markus Koschany wrote:
> > Hi Andreas,
> >
> > On 05.03.20 at 09:34, Andreas Tille wrote:
> > > Hi,
> > >
> > > I was wondering whether there is a chance to get CVE-2020-1938 fixed in
> > > Tomcat8 in Stretch? If the chances are low, possibly backporting Tomcat9
> > > to stretch-backports-sloppy would be a feasible way to go for me. What
> > > would you recommend?
> >
> > I intend to fix tomcat8 in Stretch soon. I hope to fix tomcat9 in Buster
> > too but wouldn't mind if someone beat me to it.
>
> I'd really welcome it if you or anybody who might beat you would care for
> this. I'm pretty sure that I will not put my incompetent hands on it if
> I know you will do this in a foreseeable time frame.
>
> > Please note that the AJP connector is disabled by default in Debian and
> > one may argue that only those users who use it with untrusted services
> > (not recommended) are really affected.
>
> I've verified that this part of the configuration was not changed in our
> case. Thanks a lot for the helpful hint.
>
> Andreas.

Any news about the tomcat backport?

Kind regards

      Andreas.

-- 
http://fam-tille.de
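The verification step mentioned in the thread (checking that the AJP connector in server.xml is still commented out, as shipped by Debian) can be scripted. The following is an added example written for this archive page; it is not code from the thread participants or from the Debian tomcat packaging. The two server.xml samples are constructed here to resemble the Debian default (AJP connector inside an XML comment) and an administrator-edited variant; the function and risk labels are the example's own naming.

```python
"""Triage helper: does a Tomcat server.xml contain an *active* AJP connector?

Connectors inside XML comments are invisible to the parser, so the Debian
default (AJP connector commented out) yields no hits. Added example, not
part of the original mailing-list thread.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample modelled on the Debian default layout: the AJP 1.3
# connector on port 8009 is present only inside an XML comment.
DEFAULT_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed variant: an administrator uncommented the connector and bound
# it to every interface. This is the configuration the thread calls "not
# recommended" when untrusted peers can reach the port.
EXPOSED_SERVER_XML = DEFAULT_SERVER_XML.replace(
    "<!--\n    <Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\" />\n    -->",
    "<Connector port=\"8009\" protocol=\"AJP/1.3\" address=\"0.0.0.0\" redirectPort=\"8443\" />",
)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def active_ajp_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Return every uncommented <Connector> whose protocol is an AJP variant."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        proto = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in proto.upper():
            continue
        found.append({
            "port": conn.get("port", ""),
            # No address attribute: binding depends on the Tomcat release,
            # so the assessment below treats it conservatively as exposed.
            "address": conn.get("address", ""),
        })
    return found


def assess(server_xml: str) -> Tuple[str, str]:
    """Classify the file as 'none', 'loopback' or 'exposed' with a reason."""
    conns = active_ajp_connectors(server_xml)
    if not conns:
        return "none", "no active AJP connector (matches the Debian default)"
    worst = "loopback"
    for c in conns:
        if c["address"] not in LOOPBACK:
            worst = "exposed"
    detail = ", ".join(
        f"port {c['port']} on {c['address'] or 'unspecified address'}" for c in conns
    )
    return worst, f"active AJP connector(s): {detail}"


if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_SERVER_XML), ("edited", EXPOSED_SERVER_XML)):
        level, reason = assess(xml_text)
        print(f"{label}: {level} - {reason}")
```

Run it against a real file with `assess(open('/etc/tomcat8/server.xml').read())`; a result of `none` corresponds to the unchanged Debian configuration discussed above, while `exposed` means the connector is live and reachable beyond loopback and the host should be prioritised for the tomcat8 update.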