Path: csiph.com!aioe.org!bofh.it!news.nic.it!robomod From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= Newsgroups: linux.debian.devel.release,linux.debian.maint.java Subject: Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1 Date: Wed, 30 Mar 2016 23:00:02 +0200 Message-ID: References: X-Mailbox-Line: From debian-release-request@lists.debian.org Wed Mar 30 20:55:42 2016 Old-Return-Path: X-Amavis-Spam-Status: No, score=-9.301 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, LDO_WHITELIST=-5, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no X-Policyd-Weight: using cached result; rate: -6.1 MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.5.24 (2015-08-30) X-Sa-Exim-Connect-IP: 95.33.68.62 X-Sa-Exim-Mail-From: jmm@inutil.org X-Sa-Exim-Scanned: No (on inutil.org); SAEximRunCond expanded to false X-Mailing-List: archive/latest/95722 List-ID: List-URL: List-Archive: https://lists.debian.org/msgid-search/20160330205522.GA24093@pisco.westfalen.local Approved: robomod@news.nic.it Lines: 38 Organization: linux.* mail to news gateway Sender: robomod@news.nic.it X-Original-Cc: debian-release@lists.debian.org, team@security.debian.org, debian-java@lists.debian.org X-Original-Date: Wed, 30 Mar 2016 22:55:22 +0200 X-Original-Message-ID: <20160330205522.GA24093@pisco.westfalen.local> X-Original-References: <1459280870.2441.190.camel@adam-barratt.org.uk> <56FADFAC.3000904@debian.org> <20160329210107.GA18955@pisco.westfalen.local> <56FAF252.9010205@debian.org> Xref: csiph.com linux.debian.devel.release:62253 linux.debian.maint.java:8971 On Tue, Mar 29, 2016 at 11:23:30PM +0200, Markus Koschany wrote: > Am 29.03.2016 um 23:01 schrieb Moritz Mühlenhoff: > > On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote: > >> The Security Team decided to mark the issues in Jessie as no-dsa because > >> we only ship the servlet API and documentation in this release which > >> can't be affected by security vulnerabilities at all. I wouldn't mind > >> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely > >> ignore the version number skew in this case. All Wheezy users who update > >> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and Jessie > >> only users will continue to use 6.0.41. They will not be placed in a > >> worse position. > >> > >> If you feel more comfortable with an updated source package in Jessie, I > >> will gladly upload this one to Jessie. > > > > I missed the wheezy > jessie version skew aspect. In that case let's also > > upgrade tomcat6 in jessie even though it's a NOP. > > > > But all those rdeps of libservlet2.5-java should really be upgraded > > to libservlet3.1-java. > > > > Cheers, > > Moritz > > [putting debian-java in the loop] > > I will upload a Jessie update of Tomcat 6 tomorrow. Ok. > Please note that > changing the rdeps of libservlet2.5-java to libservlet3.1-java is one of > our goals for Stretch. [1] Ok, nice. Cheers, Moritz