

Groups > linux.debian.maint.java > #11549 > unrolled thread

Changes to get tomcat8 security fixes into Debian 9?

Started by: Andreas Tille <andreas@an3as.eu>
First post: 2020-03-05 09:40 +0100
Last post: 2020-03-06 15:50 +0100
Articles 6 — 3 participants



Contents

  Changes to get tomcat8 security fixes into Debian 9? Andreas Tille <andreas@an3as.eu> - 2020-03-05 09:40 +0100
    Re: Changes to get tomcat8 security fixes into Debian 9? Markus Koschany <apo@debian.org> - 2020-03-06 00:40 +0100
      Re: Changes to get tomcat8 security fixes into Debian 9? Andreas Tille <andreas@an3as.eu> - 2020-03-06 15:20 +0100
        Re: Changes to get tomcat8 security fixes into Debian 9? Andreas Tille <andreas@an3as.eu> - 2020-04-28 11:00 +0200
          Re: Changes to get tomcat8 security fixes into Debian 9? Markus Koschany <apo@debian.org> - 2020-04-28 15:10 +0200
      Re: Changes to get tomcat8 security fixes into Debian 9? Thorsten Glaser <t.glaser@tarent.de> - 2020-03-06 15:50 +0100

#11549 — Changes to get tomcat8 security fixes into Debian 9?

From: Andreas Tille <andreas@an3as.eu>
Date: 2020-03-05 09:40 +0100
Subject: Changes to get tomcat8 security fixes into Debian 9?
Message-ID: <zGUcW-87O-5@gated-at.bofh.it>
Hi,

I was wondering whether there is a chance to get CVE-2020-1938 fixed in
Tomcat8 in Stretch?  If the chances are low, possibly backporting Tomcat9
to stretch-backports-sloppy would be a feasible way to go for me.  What
would you recommend?

Kind regards

      Andreas.

-- 
http://fam-tille.de



#11550

From: Markus Koschany <apo@debian.org>
Date: 2020-03-06 00:40 +0100
Message-ID: <zH8fT-8S-5@gated-at.bofh.it>
In reply to: #11549


Hi Andreas,

On 05.03.20 at 09:34, Andreas Tille wrote:
> Hi,
> 
> I was wondering whether there is a chance to get CVE-2020-1938 fixed in
> Tomcat8 in Stretch?  If the chances are low, possibly backporting Tomcat9
> to stretch-backports-sloppy would be a feasible way to go for me.  What
> would you recommend?

I intend to fix tomcat8 in Stretch soon. I hope to fix tomcat9 in Buster
too but wouldn't mind if someone beat me to it.

Please note that the AJP connector is disabled by default in Debian and
one may argue that only those users who use it with untrusted services
(not recommended) are really affected. The fix might require some minor
updates to your configuration.

Regards,

Markus
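The two points Markus raises (AJP is commented out in Debian's server.xml by default, and the fix may need configuration changes) are easy to check locally. The audit below is an added example, not code from this thread or from Debian's tomcat packaging; it assumes Tomcat's usual `Server > Service > Connector` layout in server.xml and the post-fix connector attributes `address`, `secretRequired` and `secret`, and reports each active (uncommented) AJP connector together with whether it is bound to loopback and whether a shared secret is configured.

```python
"""Audit a Tomcat server.xml for active AJP connectors (added example)."""
import xml.etree.ElementTree as ET

LOOPBACK = ("localhost", "127.0.0.1", "::1")

# Constructed sample: AJP enabled on all interfaces, no shared secret.
SAMPLE_EXPOSED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample in the Debian default style: AJP connector commented out.
SAMPLE_DEFAULT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>"""


def audit_ajp(server_xml: str) -> list:
    """Return one finding per active AJP connector; commented-out ones are
    dropped by the XML parser, so a Debian default config yields []."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat default when unset
        if "AJP" not in proto.upper():
            continue
        address = conn.get("address")  # None: relies on the version's default bind
        findings.append({
            "port": conn.get("port"),
            "address": address,
            # Treat an unset address as exposed: only fixed releases default to loopback.
            "exposed": address is None or address not in LOOPBACK,
            "secret_configured": bool(conn.get("secret")),
            "secret_required": conn.get("secretRequired", "true").lower() == "true",
        })
    return findings


def needs_attention(server_xml: str) -> list:
    """Findings a defender should act on: exposed listener or missing secret."""
    return [f for f in audit_ajp(server_xml)
            if f["exposed"] or not f["secret_configured"]]
```

Run it against `/etc/tomcat8/server.xml` (read the file and pass its contents) to confirm whether the default has been altered on a given host.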



#11551

From: Andreas Tille <andreas@an3as.eu>
Date: 2020-03-06 15:20 +0100
Message-ID: <zHlZw-pS-9@gated-at.bofh.it>
In reply to: #11550
On Fri, Mar 06, 2020 at 12:24:56AM +0100, Markus Koschany wrote:
> Hi Andreas,
> 
> On 05.03.20 at 09:34, Andreas Tille wrote:
> > Hi,
> > 
> > I was wondering whether there is a chance to get CVE-2020-1938 fixed in
> > Tomcat8 in Stretch?  If the chances are low, possibly backporting Tomcat9
> > to stretch-backports-sloppy would be a feasible way to go for me.  What
> > would you recommend?
> 
> I intend to fix tomcat8 in Stretch soon. I hope to fix tomcat9 in Buster
> too but wouldn't mind if someone beat me to it.

I'd really welcome it if you or anybody who might beat you would care for
this.  I'm pretty sure that I will not put my incompetent hands on it if
I know you will do this in a foreseeable time frame.
 
> Please note that the AJP connector is disabled by default in Debian and
> one may argue that only those users who use it with untrusted services
> (not recommended) are really affected.

I've verified that this part of the configuration was not changed in our
case.  Thanks a lot for the helpful hint.

      Andreas.


-- 
http://fam-tille.de



#11585

From: Andreas Tille <andreas@an3as.eu>
Date: 2020-04-28 11:00 +0200
Message-ID: <A0ufV-1fX-11@gated-at.bofh.it>
In reply to: #11551
On Fri, Mar 06, 2020 at 03:17:09PM +0100, Andreas Tille wrote:
> On Fri, Mar 06, 2020 at 12:24:56AM +0100, Markus Koschany wrote:
> > Hi Andreas,
> > 
> > On 05.03.20 at 09:34, Andreas Tille wrote:
> > > Hi,
> > > 
> > > I was wondering whether there is a chance to get CVE-2020-1938 fixed in
> > > Tomcat8 in Stretch?  If the chances are low, possibly backporting Tomcat9
> > > to stretch-backports-sloppy would be a feasible way to go for me.  What
> > > would you recommend?
> > 
> > I intend to fix tomcat8 in Stretch soon. I hope to fix tomcat9 in Buster
> > too but wouldn't mind if someone beat me to it.
> 
> I'd really welcome it if you or anybody who might beat you would care for
> this.  I'm pretty sure that I will not put my incompetent hands on it if
> I know you will do this in a foreseeable time frame.
>  
> > Please note that the AJP connector is disabled by default in Debian and
> > one may argue that only those users who use it with untrusted services
> > (not recommended) are really affected.
> 
> I've verified that this part of the configuration was not changed in our
> case.  Thanks a lot for the helpful hint.
> 
>       Andreas.

Any news about the tomcat backport?

Kind regards

       Andreas. 

-- 
http://fam-tille.de



#11587

From: Markus Koschany <apo@debian.org>
Date: 2020-04-28 15:10 +0200
Message-ID: <A0y9Q-3O5-7@gated-at.bofh.it>
In reply to: #11585


On 28.04.20 at 10:57, Andreas Tille wrote:
[...]
> 
> Any news about the tomcat backport?

Tomcat 8 and Tomcat 9 are currently pending review by the security team.

Regards,

Markus



#11552

From: Thorsten Glaser <t.glaser@tarent.de>
Date: 2020-03-06 15:50 +0100
Message-ID: <zHmsx-zP-3@gated-at.bofh.it>
In reply to: #11550
On Fri, 6 Mar 2020, Markus Koschany wrote:

> Please note that the AJP connector is disabled by default in Debian and

That being said, it's the first thing we enable, as AJP together with
mod_jk is the only reliable method I found to use Tomcat with Apache.
Just please don't discount it entirely.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

**********

With the tarent Academy we also offer training and courses in the areas of
software development, agile working and future technologies.

Visit us at www.tarent.de/academy. We look forward to hearing from you.

**********


