Re: Tomcat 6 security vulnerabilities in Wheezy

From Emmanuel Bourg <ebourg@apache.org>
Newsgroups linux.debian.maint.java
Subject Re: Tomcat 6 security vulnerabilities in Wheezy
Date 2016-02-18 18:20 +0100
Message-ID <r3Apc-pQ-11@gated-at.bofh.it> (permalink)
References <r3x7Y-6f7-13@gated-at.bofh.it>
Organization linux.* mail to news gateway


On 18/02/2016 14:45, Markus Koschany wrote:

> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
> security vulnerabilities that were already fixed in Squeeze-LTS and
> Jessie. Would it be sensible to apply the same changes (backporting the
> 6.0.41 release to Wheezy too) or are there any reasons why this has not
> been done before? Has anybody spoken with the Security Team about Tomcat
> security updates in general? Do they approve of backporting newer
> upstream releases?

Hi Markus,

I vaguely remember trying to backport the fixes and giving up due to the
complexity. Also the lack of tests in Tomcat 6 makes this operation
rather risky. That's why the LTS Team decided to package a more recent
release in Squeeze.

I don't know if the Security Team would accept a new upstream release
for Wheezy. Since the LTS Team is probably going to upgrade the package
when they take over the maintenance in April we could ask the Security
Team to do this upgrade earlier.

Emmanuel Bourg



Thread

Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-18 14:50 +0100
  Re: Tomcat 6 security vulnerabilities in Wheezy tony mancill <tmancill@debian.org> - 2016-02-18 18:10 +0100
  Re: Tomcat 6 security vulnerabilities in Wheezy Emmanuel Bourg <ebourg@apache.org> - 2016-02-18 18:20 +0100
    Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-18 18:30 +0100
      Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-02-18 20:50 +0100
        Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-21 18:50 +0100
          Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-27 23:50 +0100
            Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-03-14 23:10 +0100
              Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-03-16 14:30 +0100
                Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-03-25 00:40 +0100
