From: Emmanuel Bourg
Newsgroups: linux.debian.maint.java
Subject: Re: Tomcat 6 security vulnerabilities in Wheezy
Date: Thu, 18 Feb 2016 18:20:02 +0100
Message-ID: <56C5FAF0.80801@apache.org>
References: <56C5CB0C.8040400@debian.org>
List-Archive: https://lists.debian.org/msgid-search/56C5FAF0.80801@apache.org

On 18/02/2016 14:45, Markus Koschany wrote:
> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
> security vulnerabilities that were already fixed in Squeeze-LTS and
> Jessie. Would it be sensible to apply the same changes (backporting the
> 6.0.41 release to Wheezy too) or are there any reasons why this has not
> been done before? Has anybody spoken with the Security Team about Tomcat
> security updates in general? Do they approve of backporting newer
> upstream releases?

Hi Markus,

I vaguely remember trying to backport the fixes and giving up due to the
complexity. Also, the lack of tests in Tomcat 6 makes this operation rather
risky. That's why the LTS Team decided to package a more recent release in
Squeeze.

I don't know if the Security Team would accept a new upstream release for
Wheezy. Since the LTS Team is probably going to upgrade the package when
they take over the maintenance in April, we could ask the Security Team to
do this upgrade earlier.

Emmanuel Bourg