Re: tomcat5.5 - the long overdue stable upload
On 2010-07-25 14:11, Niels Thykier wrote:
> Hi
>
> As the subject suggests I am considering to do a stable upload of
> tomcat5.5. I intend to fix:
> #589864 - Missing security policy prevents proper logging ...
> #532366 - Various Security issues
> #576261 - missing dependency declaration on a JDK
>
> I had a short look at some of the other bugs, but decided to go only
> with these. If you think other bugs should be fixed by this upload,
> please let me know - though please be prepared to justify it and create
> a patch for it.
> On a related note, if anyone has started on this process or wants to
> help (e.g. with testing), please let me know so we can coordinate this.
>
> As for the rest of the bugs filed against tomcat5.5, I intend to mark
> them as wontfix and close them "in unstable"[1], since we have removed
> tomcat5.5 from unstable and testing.
>
> I will query the security team + the release team about this and since
> they have the final say, I cannot guarantee that all the bugs listed
> will be closed.
> I will write back to the debian-java list once I got more information.
>
> ~Niels
>
> NB: This email has been BCC'ed to the bugs in question and their
> submitters + posters (except for people I know are subscribed to this
> list).
> If you receive this email per BCC and want to be notified about the
> progress, ping me and I will put you in CC with my next email.
>
> [1] Making them as "fixed" in 5.5.26-5+rm.
>
Hey
I heard from the security team and they would like to do a security upload.
Already reported:
CVE-2008-5515 [P]
CVE-2009-0033 [P]
CVE-2009-0580 [P]
CVE-2009-0781 [*]
CVE-2009-0783
Additional problems to fix:
CVE-2010-2227
CVE-2010-1157 [*]
CVE-2010-2902
CVE-2009-2693
I will write back when I am done with a request for review of the patches.
~Niels
[*] Low impact security bug or/and only affects examples.
[P] Generated patch for it with help from:
http://tomcat.apache.org/security-5.html