Re: tomcat9 in buster-backports vs. security
On Tue, 10 Aug 2021, Markus Koschany wrote:
> Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If you
> prefer the latest updates then I'd suggest to focus on bullseye-backports from
I think you misunderstood the intention of this request.
Packages in $version-backports have to be up-to-date wrt.
their corresponding packages from $(version+1), except
small, not very user-visible, etc. changes.
In the case of security updates, this is even more important.
The person who uploaded the first backport basically agreed
to keep the tomcat9 backport up-to-date over the lifetime of
buster-backports, that is, to approximately 14/15ᵗʰ August 2022(!).
> now on. I am not sure yet if the regression which I have fixed in
> 9.0.43-3 requires another security update for bullseye or buster at
> the moment, since an easy workaround is available and probably not
> many users are affected. I will monitor the situation though.
Right.
However, if you’re not intending to update the buster backport,
please file a removal request and inform the users (via the bpo
mailing list) about this and the extant security issues in the
version they have installed.
Thanks,
//mirabilos
ObPlug: http://www.mirbsd.org/~tg/Debs/dists/buster/lts/Pkgs/tomcat9/
is what I try to keep reasonably up to date. It also contains
the sysvinit fixes. It’s built in a bullseye chroot though,
and as such does NOT follow the bpo rules. It’s a works-for-me
thing which one MAY use if they want, at their own risk.
--
Infrastrukturexperte • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephon +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
*************************************************
Mit dem tarent-Newsletter nichts mehr verpassen: www.tarent.de/newsletter
*************************************************
Reply to: