Am 18.02.2016 um 18:10 schrieb Emmanuel Bourg: > Le 18/02/2016 14:45, Markus Koschany a écrit : > >> According to [1] Tomcat 6 in Wheezy is still affected by a couple of >> security vulnerabilities that were already fixed in Squeeze-LTS and >> Jessie. Would it be sensible to apply the same changes (backporting the >> 6.0.41 release to Wheezy too) or are there any reasons why this has not >> been done before? Has anybody spoken with the Security Team about Tomcat >> security updates in general? Do they approve of backporting newer >> upstream releases? > > Hi Markus, > > I vaguely remember trying to backport the fixes and giving up due to the > complexity. Also the lack of tests in Tomcat 6 makes this operation > rather risky. That's why the LTS Team decided to package a more recent > release in Squeeze. > > I don't know if the Security Team would accept a new upstream release > for Wheezy. Since the LTS Team is probably going to upgrade the package > when they take over the maintenance in April we could ask the Security > Team to do this upgrade earlier. I am in favor of this solution, especially because we haven't heard anything negative about this approach for Squeeze-LTS. If the Security Team agrees I am going ahead and backport this release to Wheezy, test the package and send the debdiff to them. Markus
Attachment:
signature.asc
Description: OpenPGP digital signature