Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #12277

Re: tomcat9 in buster-backports vs. security

From Markus Koschany <apo@debian.org>
Newsgroups linux.debian.maint.java
Subject Re: tomcat9 in buster-backports vs. security
Date 2021-08-10 23:00 +0200
Message-ID <CKH0S-VD-5@gated-at.bofh.it> (permalink)
References <CKGet-FO-3@gated-at.bofh.it> <CKGHv-P2-1@gated-at.bofh.it> <CKGRc-Su-1@gated-at.bofh.it>
Organization linux.* mail to news gateway

Show all headers | View raw

[Multipart message — attachments visible in raw view] - view raw

Am Dienstag, dem 10.08.2021 um 22:47 +0200 schrieb Thorsten Glaser:
> On Tue, 10 Aug 2021, Markus Koschany wrote:
> 
> > Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If
> > you
> > prefer the latest updates then I'd suggest to focus on bullseye-backports
> > from
> 
> I think you misunderstood the intention of this request.
> 
> Packages in $version-backports have to be up-to-date wrt.
> their corresponding packages from $(version+1), except
> small, not very user-visible, etc. changes.
> 
> In the case of security updates, this is even more important.
> 
> The person who uploaded the first backport basically agreed
> to keep the tomcat9 backport up-to-date over the lifetime of
> buster-backports, that is, to approximately 14/15ᵗʰ August 2022(!).
> 
> > now on. I am not sure yet if the regression which I have fixed in
> > 9.0.43-3 requires another security update for bullseye or buster at
> > the moment, since an easy workaround is available and probably not
> > many users are affected. I will monitor the situation though.
> 
> Right.
> 
> However, if you’re not intending to update the buster backport,
> please file a removal request and inform the users (via the bpo
> mailing list) about this and the extant security issues in the
> version they have installed.

I have never uploaded tomcat9 to a debian-backports suite hence why I have only
replied to the debian-java list. Obviously you should wait for Emmanuel's
feedback before doing anything.

Regards,

Markus

Back to linux.debian.maint.java | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

tomcat9 in buster-backports vs. security Thorsten Glaser <t.glaser@tarent.de> - 2021-08-10 22:10 +0200
  Re: tomcat9 in buster-backports vs. security Markus Koschany <apo@debian.org> - 2021-08-10 22:40 +0200
    Re: tomcat9 in buster-backports vs. security Thorsten Glaser <t.glaser@tarent.de> - 2021-08-10 22:50 +0200
      Re: tomcat9 in buster-backports vs. security Markus Koschany <apo@debian.org> - 2021-08-10 23:00 +0200
        Re: tomcat9 in buster-backports vs. security Thorsten Glaser <t.glaser@tarent.de> - 2021-08-22 23:00 +0200
          Re: tomcat9 in buster-backports vs. security Markus Koschany <apo@debian.org> - 2021-10-14 23:30 +0200
            Re: tomcat9 in buster-backports vs. security Alexander Wirt <formorer@formorer.de> - 2021-10-15 11:00 +0200

csiph-web