Re: Tomcat 6 security vulnerabilities in Wheezy

From Markus Koschany <apo@debian.org>
Newsgroups linux.debian.maint.java
Subject Re: Tomcat 6 security vulnerabilities in Wheezy
Date 2016-02-21 18:50 +0100
Message-ID <r4GiT-12G-47@gated-at.bofh.it> (permalink)
References <r3x7Y-6f7-13@gated-at.bofh.it> <r3Apc-pQ-11@gated-at.bofh.it> <r3AyS-uN-9@gated-at.bofh.it> <r3CKn-23z-27@gated-at.bofh.it>
Organization linux.* mail to news gateway


On 18.02.2016 at 20:46, Moritz Mühlenhoff wrote:
> On Thu, Feb 18, 2016 at 06:24:17PM +0100, Markus Koschany wrote:
>> On 18.02.2016 at 18:10, Emmanuel Bourg wrote:
>>> On 18/02/2016 14:45, Markus Koschany wrote:
>>>
>>>> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
>>>> security vulnerabilities that were already fixed in Squeeze-LTS and
>>>> Jessie. Would it be sensible to apply the same changes (backporting the
>>>> 6.0.41 release to Wheezy too) or are there any reasons why this has not
>>>> been done before? Has anybody spoken with the Security Team about Tomcat
>>>> security updates in general? Do they approve of backporting newer
>>>> upstream releases?
>>>
>>> Hi Markus,
>>>
>>> I vaguely remember trying to backport the fixes and giving up due to the
>>> complexity. Also the lack of tests in Tomcat 6 makes this operation
>>> rather risky. That's why the LTS Team decided to package a more recent
>>> release in Squeeze.
>>>
>>> I don't know if the Security Team would accept a new upstream release
>>> for Wheezy. Since the LTS Team is probably going to upgrade the package
>>> when they take over the maintenance in April we could ask the Security
>>> Team to do this upgrade earlier.
>>
>> I am in favor of this solution, especially because we haven't heard
>> anything negative about this approach for Squeeze-LTS. If the Security
>> Team agrees, I will go ahead and backport this release to Wheezy, test
>> the package and send the debdiff to them.
> 
> Ok, please go ahead.

I have updated the package in Wheezy. It is basically the same one as in
Squeeze-LTS with some minor changes. I didn't change the compat level
for instance and did not add the versioned dependency on libtcnative-1.
libtcnative >= 1.1.30 was backported to Squeeze but it appears that the
actual version 1.1.24 is already sufficient. tomcat6.cron.daily was also
slightly changed in Squeeze-LTS but I decided to keep the Wheezy cron file.

So in short: I imported the new upstream release, applied new security
patches and removed obsolete ones and documented the changes. I have
attached the debdiff between the version in Squeeze-LTS and Wheezy.

Regards,

Markus




Thread

Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-18 14:50 +0100
  Re: Tomcat 6 security vulnerabilities in Wheezy tony mancill <tmancill@debian.org> - 2016-02-18 18:10 +0100
  Re: Tomcat 6 security vulnerabilities in Wheezy Emmanuel Bourg <ebourg@apache.org> - 2016-02-18 18:20 +0100
    Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-18 18:30 +0100
      Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-02-18 20:50 +0100
        Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-21 18:50 +0100
          Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-27 23:50 +0100
            Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-03-14 23:10 +0100
              Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-03-16 14:30 +0100
                Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-03-25 00:40 +0100