On 02/18/2016 05:45 AM, Markus Koschany wrote:
> Hi,
>
> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
> security vulnerabilities that were already fixed in Squeeze-LTS and
> Jessie. Would it be sensible to apply the same changes (backporting the
> 6.0.41 release to Wheezy too) or are there any reasons why this has not
> been done before? Has anybody spoken with the Security Team about Tomcat
> security updates in general? Do they approve of backporting newer
> upstream releases?
>
> Regards,
>
> Markus
>
> [1] https://security-tracker.debian.org/tracker/source-package/tomcat6

Hi Markus,

In the past, the Security Team has been receptive to introducing newer Tomcat releases to address security issues. As always, just let the Security Team know what you are intending to do before any uploads.

In this instance, I think introducing 6.0.41 is the right approach. I don't believe there are any reasons why this hasn't been done yet.

I have added the Security Team to the cc: in case they have a strong opinion on this specific question.

Cheers,
tony