| Started by | Markus Koschany <apo@debian.org> |
|---|---|
| First post | 2016-02-18 14:50 +0100 |
| Last post | 2016-03-25 00:40 +0100 |
| Articles | 10 — 4 participants |
Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-18 14:50 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy tony mancill <tmancill@debian.org> - 2016-02-18 18:10 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Emmanuel Bourg <ebourg@apache.org> - 2016-02-18 18:20 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-18 18:30 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-02-18 20:50 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-21 18:50 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-02-27 23:50 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-03-14 23:10 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Markus Koschany <apo@debian.org> - 2016-03-16 14:30 +0100
Re: Tomcat 6 security vulnerabilities in Wheezy Moritz Mühlenhoff <jmm@inutil.org> - 2016-03-25 00:40 +0100
| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2016-02-18 14:50 +0100 |
| Subject | Tomcat 6 security vulnerabilities in Wheezy |
| Message-ID | <r3x7Y-6f7-13@gated-at.bofh.it> |
Hi,

According to [1] Tomcat 6 in Wheezy is still affected by a couple of security vulnerabilities that were already fixed in Squeeze-LTS and Jessie. Would it be sensible to apply the same changes (backporting the 6.0.41 release to Wheezy too) or are there any reasons why this has not been done before? Has anybody spoken with the Security Team about Tomcat security updates in general? Do they approve of backporting newer upstream releases?

Regards,

Markus

[1] https://security-tracker.debian.org/tracker/source-package/tomcat6
| From | tony mancill <tmancill@debian.org> |
|---|---|
| Date | 2016-02-18 18:10 +0100 |
| Message-ID | <r3Afx-lQ-11@gated-at.bofh.it> |
| In reply to | #8884 |
On 02/18/2016 05:45 AM, Markus Koschany wrote:
> Hi,
>
> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
> security vulnerabilities that were already fixed in Squeeze-LTS and
> Jessie. Would it be sensible to apply the same changes (backporting the
> 6.0.41 release to Wheezy too) or are there any reasons why this has not
> been done before? Has anybody spoken with the Security Team about Tomcat
> security updates in general? Do they approve of backporting newer
> upstream releases?
>
> Regards,
>
> Markus
>
> [1] https://security-tracker.debian.org/tracker/source-package/tomcat6

Hi Markus,

In the past, the Security Team has been receptive to introducing newer Tomcat releases to address security issues. As always, just let the Security Team know what you are intending to do before any uploads. In this instance, I think introducing 6.0.41 is the right approach. I don't believe there are any reasons why this hasn't been done yet.

I have added the Security Team to the cc: in case they have a strong opinion on this specific question.

Cheers,
tony
| From | Emmanuel Bourg <ebourg@apache.org> |
|---|---|
| Date | 2016-02-18 18:20 +0100 |
| Message-ID | <r3Apc-pQ-11@gated-at.bofh.it> |
| In reply to | #8884 |
On 18/02/2016 14:45, Markus Koschany wrote:
> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
> security vulnerabilities that were already fixed in Squeeze-LTS and
> Jessie. Would it be sensible to apply the same changes (backporting the
> 6.0.41 release to Wheezy too) or are there any reasons why this has not
> been done before? Has anybody spoken with the Security Team about Tomcat
> security updates in general? Do they approve of backporting newer
> upstream releases?

Hi Markus,

I vaguely remember trying to backport the fixes and giving up due to the complexity. Also the lack of tests in Tomcat 6 makes this operation rather risky. That's why the LTS Team decided to package a more recent release in Squeeze.

I don't know if the Security Team would accept a new upstream release for Wheezy. Since the LTS Team is probably going to upgrade the package when they take over the maintenance in April we could ask the Security Team to do this upgrade earlier.

Emmanuel Bourg
| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2016-02-18 18:30 +0100 |
| Message-ID | <r3AyS-uN-9@gated-at.bofh.it> |
| In reply to | #8886 |
On 18.02.2016 at 18:10, Emmanuel Bourg wrote:
> On 18/02/2016 14:45, Markus Koschany wrote:
>
>> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
>> security vulnerabilities that were already fixed in Squeeze-LTS and
>> Jessie. Would it be sensible to apply the same changes (backporting the
>> 6.0.41 release to Wheezy too) or are there any reasons why this has not
>> been done before? Has anybody spoken with the Security Team about Tomcat
>> security updates in general? Do they approve of backporting newer
>> upstream releases?
>
> Hi Markus,
>
> I vaguely remember trying to backport the fixes and giving up due to the
> complexity. Also the lack of tests in Tomcat 6 makes this operation
> rather risky. That's why the LTS Team decided to package a more recent
> release in Squeeze.
>
> I don't know if the Security Team would accept a new upstream release
> for Wheezy. Since the LTS Team is probably going to upgrade the package
> when they take over the maintenance in April we could ask the Security
> Team to do this upgrade earlier.

I am in favor of this solution, especially because we haven't heard anything negative about this approach for Squeeze-LTS. If the Security Team agrees I am going ahead and backport this release to Wheezy, test the package and send the debdiff to them.

Markus
| From | Moritz Mühlenhoff <jmm@inutil.org> |
|---|---|
| Date | 2016-02-18 20:50 +0100 |
| Message-ID | <r3CKn-23z-27@gated-at.bofh.it> |
| In reply to | #8887 |
On Thu, Feb 18, 2016 at 06:24:17PM +0100, Markus Koschany wrote:
> Am 18.02.2016 um 18:10 schrieb Emmanuel Bourg:
> > Le 18/02/2016 14:45, Markus Koschany a écrit :
> >
> >> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
> >> security vulnerabilities that were already fixed in Squeeze-LTS and
> >> Jessie. Would it be sensible to apply the same changes (backporting the
> >> 6.0.41 release to Wheezy too) or are there any reasons why this has not
> >> been done before? Has anybody spoken with the Security Team about Tomcat
> >> security updates in general? Do they approve of backporting newer
> >> upstream releases?
> >
> > Hi Markus,
> >
> > I vaguely remember trying to backport the fixes and giving up due to the
> > complexity. Also the lack of tests in Tomcat 6 makes this operation
> > rather risky. That's why the LTS Team decided to package a more recent
> > release in Squeeze.
> >
> > I don't know if the Security Team would accept a new upstream release
> > for Wheezy. Since the LTS Team is probably going to upgrade the package
> > when they take over the maintenance in April we could ask the Security
> > Team to do this upgrade earlier.
>
> I am in favor of this solution, especially because we haven't heard
> anything negative about this approach for Squeeze-LTS. If the Security
> Team agrees I am going ahead and backport this release to Wheezy, test
> the package and send the debdiff to them.
Ok, please go ahead.
Cheers,
Moritz
| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2016-02-21 18:50 +0100 |
| Message-ID | <r4GiT-12G-47@gated-at.bofh.it> |
| In reply to | #8889 |
On 18.02.2016 at 20:46, Moritz Mühlenhoff wrote:
> On Thu, Feb 18, 2016 at 06:24:17PM +0100, Markus Koschany wrote:
>> On 18.02.2016 at 18:10, Emmanuel Bourg wrote:
>>> On 18/02/2016 14:45, Markus Koschany wrote:
>>>
>>>> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
>>>> security vulnerabilities that were already fixed in Squeeze-LTS and
>>>> Jessie. Would it be sensible to apply the same changes (backporting the
>>>> 6.0.41 release to Wheezy too) or are there any reasons why this has not
>>>> been done before? Has anybody spoken with the Security Team about Tomcat
>>>> security updates in general? Do they approve of backporting newer
>>>> upstream releases?
>>>
>>> Hi Markus,
>>>
>>> I vaguely remember trying to backport the fixes and giving up due to the
>>> complexity. Also the lack of tests in Tomcat 6 makes this operation
>>> rather risky. That's why the LTS Team decided to package a more recent
>>> release in Squeeze.
>>>
>>> I don't know if the Security Team would accept a new upstream release
>>> for Wheezy. Since the LTS Team is probably going to upgrade the package
>>> when they take over the maintenance in April we could ask the Security
>>> Team to do this upgrade earlier.
>>
>> I am in favor of this solution, especially because we haven't heard
>> anything negative about this approach for Squeeze-LTS. If the Security
>> Team agrees I am going ahead and backport this release to Wheezy, test
>> the package and send the debdiff to them.
>
> Ok, please go ahead.

I have updated the package in Wheezy. It is basically the same one as in Squeeze-LTS with some minor changes. I didn't change the compat level for instance and did not add the versioned dependency on libtcnative-1. libtcnative >= 1.1.30 was backported to Squeeze but it appears that the actual version 1.1.24 is already sufficient. tomcat6.cron.daily was also slightly changed in Squeeze-LTS but I decided to keep the Wheezy cron file.

So in short: I imported the new upstream release, applied new security patches and removed obsolete ones and documented the changes. I have attached the debdiff between the version in Squeeze-LTS and Wheezy.

Regards,

Markus
| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2016-02-27 23:50 +0100 |
| Message-ID | <r6VQt-1fb-1@gated-at.bofh.it> |
| In reply to | #8896 |
Hi,

as you know Tomcat 6 is affected by new security vulnerabilities that are fixed in version 6.0.45. Do you want me to replace the last version I sent to you regarding Wheezy with this one, or shall I upload version 6.0.41 instead, which is more tested, and prepare another upload afterwards? I wouldn't mind this incremental approach but I could also merge 6.0.45 into Wheezy right now.

The update for Jessie should be straightforward because src:tomcat6 only builds the unaffected servlet API, so we just need to replace the upstream sources.

Regards,

Markus
| From | Moritz Mühlenhoff <jmm@inutil.org> |
|---|---|
| Date | 2016-03-14 23:10 +0100 |
| Message-ID | <rcIQx-1o0-1@gated-at.bofh.it> |
| In reply to | #8904 |
On Sat, Feb 27, 2016 at 11:45:45PM +0100, Markus Koschany wrote:
> Hi,
>
> as you know Tomcat 6 is affected by new security vulnerabilities that
> are fixed in version 6.0.45. Do you want me to replace the last version
> I sent to you regarding Wheezy with this one or shall I upload version
> 6.0.41 instead, which is more tested, and prepare another upload
> afterwards. I wouldn't mind this incremental approach but I could also
> merge 6.0.45 into Wheezy right now.
Sorry for the late reply. Let's move to 6.0.45 right away.
Cheers,
Moritz
| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2016-03-16 14:30 +0100 |
| Message-ID | <rdjGq-136-15@gated-at.bofh.it> |
| In reply to | #8933 |
On 14.03.2016 at 23:06, Moritz Mühlenhoff wrote:
> On Sat, Feb 27, 2016 at 11:45:45PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> as you know Tomcat 6 is affected by new security vulnerabilities that
>> are fixed in version 6.0.45. Do you want me to replace the last version
>> I sent to you regarding Wheezy with this one or shall I upload version
>> 6.0.41 instead, which is more tested, and prepare another upload
>> afterwards. I wouldn't mind this incremental approach but I could also
>> merge 6.0.45 into Wheezy right now.
>
> Sorry for the late reply. Let's move to 6.0.45 right away.
>

Hi,

I have uploaded 6.0.45 to security-master just now. I'm attaching the debdiff that shows the differences between the version in squeeze-lts and this one.

Regards,

Markus
| From | Moritz Mühlenhoff <jmm@inutil.org> |
|---|---|
| Date | 2016-03-25 00:40 +0100 |
| Message-ID | <rgn18-1tn-11@gated-at.bofh.it> |
| In reply to | #8937 |
On Wed, Mar 16, 2016 at 02:21:06PM +0100, Markus Koschany wrote:
> Am 14.03.2016 um 23:06 schrieb Moritz Mühlenhoff:
> > On Sat, Feb 27, 2016 at 11:45:45PM +0100, Markus Koschany wrote:
> >> Hi,
> >>
> >> as you know Tomcat 6 is affected by new security vulnerabilities that
> >> are fixed in version 6.0.45. Do you want me to replace the last version
> >> I sent to you regarding Wheezy with this one or shall I upload version
> >> 6.0.41 instead, which is more tested, and prepare another upload
> >> afterwards. I wouldn't mind this incremental approach but I could also
> >> merge 6.0.45 into Wheezy right now.
> >
> > Sorry for the late reply. Let's move to 6.0.45 right away.
> >
>
> Hi,
>
> I have uploaded 6.0.45 to security-master just now. I'm attaching the
> debdiff that shows the differences between the version in squeeze-lts
> and this one.
Thanks for preparing the update. All my tests were fine, I'll release the
DSA tomorrow (or rather later in the day by now).
Cheers,
Moritz
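A practitioner following this thread will want to confirm, once the DSA is out, that a Wheezy host really carries the updated tomcat6 rather than the version the security tracker listed as affected. The script below is an added example, not code from the thread or from Debian's own tools: it reimplements dpkg's version ordering (the algorithm described in deb-version(7): epoch, then upstream version, then Debian revision, with `~` sorting before everything and digit runs compared numerically) so the comparison runs without dpkg present, and applies it to `dpkg-query` output. The package names, installed versions and status strings in the sample are constructed for illustration. 6.0.45 is the upstream version the thread settles on; the Debian revision of the actual upload is not given on this page, so the check compares against the bare upstream version, which dpkg orders below any packaged `6.0.45-...` or `6.0.45+dfsg-...` build.

```python
"""Check installed Debian package versions against a fixed upstream version.

Added example (not from the thread or from Debian). Reimplements the dpkg
version ordering from deb-version(7) and applies it to dpkg-query output.
Sample data below is constructed; 6.0.45 is the upstream version named in
the thread, compared as a bare upstream version because the Debian revision
of the real upload is not stated on the page.
"""

# Output of: dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'
# (constructed sample, not taken from a real host)
SAMPLE_DPKG_OUTPUT = """\
tomcat6\t6.0.35-6+deb7u1\tinstall ok installed
libtomcat6-java\t6.0.35-6+deb7u1\tinstall ok installed
tomcat6-admin\t\tdeinstall ok config-files
"""

# Binary packages to check and the minimum version considered fixed
# (assumed set of package names; the fixed version is from the thread).
FIXED_VERSIONS = {"tomcat6": "6.0.45", "libtomcat6-java": "6.0.45"}

DIGITS = "0123456789"


def _order(c):
    """Sort weight of one character as in dpkg: '~' sorts before everything
    (even end of string, weight 0); letters sort before other non-digits."""
    if c in DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the way dpkg does:
    alternate non-digit runs (weighted by _order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:  # a has more digits: larger number
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def audit(dpkg_output, fixed_versions):
    """Return (package, installed, fixed, vulnerable) for each installed
    package that appears in fixed_versions."""
    findings = []
    for line in dpkg_output.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue
        pkg, installed, status = fields
        # Packages in 'config-files' or other non-installed states carry no code.
        if pkg not in fixed_versions or not status.endswith(" installed"):
            continue
        fixed = fixed_versions[pkg]
        findings.append((pkg, installed, fixed, compare_versions(installed, fixed) < 0))
    return findings


if __name__ == "__main__":
    for pkg, installed, fixed, vulnerable in audit(SAMPLE_DPKG_OUTPUT, FIXED_VERSIONS):
        print(f"{pkg}: installed {installed}, fixed in {fixed}: "
              f"{'VULNERABLE' if vulnerable else 'ok'}")
```

On a real host, feed the script the output of `dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'`; on the box itself, `dpkg --compare-versions` gives the same ordering and is the simpler one-off check. The point of carrying the comparison in code rather than comparing strings is visible in the `~` and multi-digit cases: a `6.0.45~rc1` build is older than `6.0.45`, and `6.0.41` is newer than `6.0.5`, which a plain lexical comparison gets wrong.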