Re: tomcat5.5 - the long overdue stable upload



On 2010-07-25 14:11, Niels Thykier wrote:
> Hi
> 
> As the subject suggests I am considering doing a stable upload of
> tomcat5.5. I intend to fix:
>  #589864 - Missing security policy prevents proper logging ...
>  #532366 - Various Security issues
>  #576261 - missing dependency declaration on a JDK
> 
> I had a short look at some of the other bugs, but decided to go only
> with these. If you think other bugs should be fixed by this upload,
> please let me know - though please be prepared to justify it and create
> a patch for it.
>   On a related note, if anyone has started on this process or wants to
> help (e.g. with testing), please let me know so we can coordinate this.
> 
> As for the rest of the bugs filed against tomcat5.5, I intend to mark
> them as wontfix and close them "in unstable"[1], since we have removed
> tomcat5.5 from unstable and testing.
> 
> I will query the security team + the release team about this and since
> they have the final say, I cannot guarantee that all the bugs listed
> will be closed.
>   I will write back to the debian-java list once I got more information.
> 
> ~Niels
> 
> NB: This email has been BCC'ed to the bugs in question and their
> submitters + posters (except for people I know are subscribed to this
> list).
>   If you receive this email per BCC and want to be notified about the
> progress, ping me and I will put you in CC with my next email.
> 
> [1] Marking them as "fixed" in 5.5.26-5+rm.
> 

Hey

I heard from the security team and they would like to do a security upload.

Already reported:
CVE-2008-5515 [P]
CVE-2009-0033 [P]
CVE-2009-0580 [P]
CVE-2009-0781 [*]
CVE-2009-0783

Additional problems to fix:
CVE-2010-2227
CVE-2010-1157 [*]
CVE-2010-2902
CVE-2009-2693

I will write back when I am done with a request for review of the patches.

~Niels

[*] Low impact security bug or/and only affects examples.

[P] Generated patch for it with help from:
http://tomcat.apache.org/security-5.html
