| From | Markus Koschany <apo@debian.org> |
|---|---|
| Newsgroups | linux.debian.maint.java |
| Subject | Re: Tomcat 6 security vulnerabilities in Wheezy |
| Date | 2016-02-18 18:30 +0100 |
| Message-ID | <r3AyS-uN-9@gated-at.bofh.it> (permalink) |
| References | <r3x7Y-6f7-13@gated-at.bofh.it> <r3Apc-pQ-11@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
On 18.02.2016 at 18:10, Emmanuel Bourg wrote:
> On 18/02/2016 at 14:45, Markus Koschany wrote:
>
>> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
>> security vulnerabilities that were already fixed in Squeeze-LTS and
>> Jessie. Would it be sensible to apply the same changes (backporting the
>> 6.0.41 release to Wheezy too) or are there any reasons why this has not
>> been done before? Has anybody spoken with the Security Team about Tomcat
>> security updates in general? Do they approve of backporting newer
>> upstream releases?
>
> Hi Markus,
>
> I vaguely remember trying to backport the fixes and giving up due to the
> complexity. Also the lack of tests in Tomcat 6 makes this operation
> rather risky. That's why the LTS Team decided to package a more recent
> release in Squeeze.
>
> I don't know if the Security Team would accept a new upstream release
> for Wheezy. Since the LTS Team is probably going to upgrade the package
> when they take over the maintenance in April we could ask the Security
> Team to do this upgrade earlier.

I am in favor of this solution, especially because we haven't heard anything negative about this approach for Squeeze-LTS. If the Security Team agrees, I will go ahead and backport this release to Wheezy, test the package and send the debdiff to them.

Markus
Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-18 14:50 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy tony mancill <tmancill@debian.org> - 2016-02-18 18:10 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Emmanuel Bourg <ebourg@apache.org> - 2016-02-18 18:20 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-18 18:30 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-02-18 20:50 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-21 18:50 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-27 23:50 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-03-14 23:10 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-03-16 14:30 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-03-25 00:40 +0100