From: Markus Koschany
Newsgroups: linux.debian.maint.java
Subject: Re: Tomcat 6 security vulnerabilities in Wheezy
Date: Thu, 18 Feb 2016 18:24:17 +0100
Message-ID: <56C5FE41.9020603@debian.org>
References: <56C5CB0C.8040400@debian.org> <56C5FAF0.80801@apache.org>
Cc: team@security.debian.org
List-Archive: https://lists.debian.org/msgid-search/56C5FE41.9020603@debian.org

On 18.02.2016 at 18:10, Emmanuel Bourg wrote:
> On 18/02/2016 14:45, Markus Koschany wrote:
>
>> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
>> security vulnerabilities that were already fixed in Squeeze-LTS and
>> Jessie.
>> Would it be sensible to apply the same changes (backporting the
>> 6.0.41 release to Wheezy too) or are there any reasons why this has not
>> been done before? Has anybody spoken with the Security Team about Tomcat
>> security updates in general? Do they approve of backporting newer
>> upstream releases?
>
> Hi Markus,
>
> I vaguely remember trying to backport the fixes and giving up due to the
> complexity. Also the lack of tests in Tomcat 6 makes this operation
> rather risky. That's why the LTS Team decided to package a more recent
> release in Squeeze.
>
> I don't know if the Security Team would accept a new upstream release
> for Wheezy. Since the LTS Team is probably going to upgrade the package
> when they take over the maintenance in April we could ask the Security
> Team to do this upgrade earlier.

I am in favor of this solution, especially because we haven't heard
anything negative about this approach for Squeeze-LTS. If the Security
Team agrees I will go ahead and backport this release to Wheezy, test
the package and send the debdiff to them.

Markus