Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #11550

Re: Changes to get tomcat8 security fixes into Debian 9?

Show all headers | View raw

[Multipart message — attachments visible in raw view] - view raw

Hi Andreas,

Am 05.03.20 um 09:34 schrieb Andreas Tille:
> Hi,
> 
> I was wondering, whether there is a chance to get CVE-2020-1938 fixed in
> Tomcat8 in Stretch?  If the chances are low possibly backporting Tomcat9
> to stretch-backports-sloppy would be a feasible way to go for me.  What
> would you recomment?

I intend to fix tomcat8 in Stretch soon. I hope to fix tomcat9 in Buster
too but wouldn't mind if someone beat me to it.

Please note that the AJP connector is disabled by default in Debian and
one may argue that only those users who use it with untrusted services
(not recommended) are really affected. The fix might require some minor
updates to your configuration.

Regards,

Markus

Back to linux.debian.maint.java | Previous | Next — Previous in thread | Next in thread | Find similar

Thread

Changes to get tomcat8 security fixes into Debian 9? Andreas Tille <andreas@an3as.eu> - 2020-03-05 09:40 +0100
  Re: Changes to get tomcat8 security fixes into Debian 9? Markus Koschany <apo@debian.org> - 2020-03-06 00:40 +0100
    Re: Changes to get tomcat8 security fixes into Debian 9? Andreas Tille <andreas@an3as.eu> - 2020-03-06 15:20 +0100
      Re: Changes to get tomcat8 security fixes into Debian 9? Andreas Tille <andreas@an3as.eu> - 2020-04-28 11:00 +0200
        Re: Changes to get tomcat8 security fixes into Debian 9? Markus Koschany <apo@debian.org> - 2020-04-28 15:10 +0200
    Re: Changes to get tomcat8 security fixes into Debian 9? Thorsten Glaser <t.glaser@tarent.de> - 2020-03-06 15:50 +0100

csiph-web