[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1

On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
> The Security Team decided to mark the issues in Jessie as no-dsa because
> we only ship the servlet API and documentation in this release which
> can't be affected by security vulnerabilities at all. I wouldn't mind
> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely
> ignore the version number skew in this case. All Wheezy users who update
> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and Jessie
> only users will continue to use 6.0.41. They will not be placed in a
> worse position.
> 
> If you feel more comfortable with an updated source package in Jessie, I
> will gladly upload this one to Jessie.

I missed the wheezy > jessie version skew aspect. In that case let's also
upgrade tomcat6 in jessie even though it's a NOP.

But all those rdeps of libservlet2.5-java should really be upgraded
to libservlet3.1-java.

Cheers,
        Moritz
Reply to: