
Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1

From Markus Koschany <apo@debian.org>
Newsgroups linux.debian.devel.release, linux.debian.maint.java
Subject Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1
Date 2016-03-29 23:30 +0200
Message-ID <ri9n4-3BH-5@gated-at.bofh.it>
References <ri7Oi-2sv-25@gated-at.bofh.it> <ri7Oi-2sv-23@gated-at.bofh.it> <ri87F-2Ps-57@gated-at.bofh.it> <ri93H-3su-5@gated-at.bofh.it>
Organization linux.* mail to news gateway

Cross-posted to 2 groups.


On 29.03.2016 at 23:01, Moritz Mühlenhoff wrote:
> On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
>> The Security Team decided to mark the issues in Jessie as no-dsa because
>> we only ship the servlet API and documentation in this release which
>> can't be affected by security vulnerabilities at all. I wouldn't mind
>> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely
>> ignore the version number skew in this case. All Wheezy users who update
>> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and Jessie
>> only users will continue to use 6.0.41. They will not be placed in a
>> worse position.
>>
>> If you feel more comfortable with an updated source package in Jessie, I
>> will gladly upload this one to Jessie.
> 
> I missed the wheezy > jessie version skew aspect. In that case let's also
> upgrade tomcat6 in jessie even though it's a NOP.
> 
> But all those rdeps of libservlet2.5-java should really be upgraded
> to libservlet3.1-java.
> 
> Cheers,
>         Moritz

[putting debian-java in the loop]

I will upload a Jessie update of Tomcat 6 tomorrow. Please note that
changing the rdeps of libservlet2.5-java to libservlet3.1-java is one of
our goals for Stretch. [1]
This is sometimes not an easy task because we also ship packages with
specifications like osgi-compendium that support the Java servlet 2.5
API and above. See [2] for user-voiced concerns. I don't think that
libservlet2.5-java poses any security risk, so we should safely ignore
this one in the future.

Regards,

Markus


[1]
https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-java-maintainers@lists.alioth.debian.org;tag=libservlet2.5-java
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801026
