From: Thorsten Glaser
Newsgroups: linux.debian.maint.java
Subject: Re: tomcat9 in buster-backports vs. security
Date: Tue, 10 Aug 2021 22:50:02 +0200
X-Original-To: Markus Koschany
X-Original-Cc: debian-java@lists.debian.org, debian-backports@lists.debian.org
List-Archive: https://lists.debian.org/msgid-search/be94c73-b86-ad9d-531e-7517453fa83@tarent.de

On Tue, 10 Aug 2021, Markus Koschany wrote:

> Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If you
> prefer the latest updates then I'd suggest to focus on bullseye-backports from

I think you misunderstood the intention of this request. Packages
in $version-backports have to be up-to-date wrt. their corresponding
packages from $(version+1), except small, not very user-visible, etc.
changes. In the case of security updates, this is even more important.

The person who uploaded the first backport basically agreed to keep
the tomcat9 backport up-to-date over the lifetime of buster-backports,
that is, to approximately 14/15ᵗʰ August 2022(!).

> now on. I am not sure yet if the regression which I have fixed in
> 9.0.43-3 requires another security update for bullseye or buster at
> the moment, since an easy workaround is available and probably not
> many users are affected. I will monitor the situation though.

Right. However, if you’re not intending to update the buster
backport, please file a removal request and inform the users
(via the bpo mailing list) about this and the extant security
issues in the version they have installed.

Thanks,
//mirabilos

ObPlug: http://www.mirbsd.org/~tg/Debs/dists/buster/lts/Pkgs/tomcat9/
        is what I try to keep reasonably up to date. It also contains
        the sysvinit fixes. It’s built in a bullseye chroot though,
        and as such does NOT follow the bpo rules. It’s a works-for-me
        thing which one MAY use if they want, at their own risk.

-- 
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg