[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1

Am 29.03.2016 um 23:01 schrieb Moritz Mühlenhoff:
> On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
>> The Security Team decided to mark the issues in Jessie as no-dsa because
>> we only ship the servlet API and documentation in this release which
>> can't be affected by security vulnerabilities at all. I wouldn't mind
>> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely
>> ignore the version number skew in this case. All Wheezy users who update
>> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and Jessie
>> only users will continue to use 6.0.41. They will not be placed in a
>> worse position.
>> If you feel more comfortable with an updated source package in Jessie, I
>> will gladly upload this one to Jessie.
> I missed the wheezy > jessie version skew aspect. In that case let's also
> upgrade tomcat6 in jessie even though it's a NOP.
> But all those rdeps of libservlet2.5-java should really be upgraded
> to libservlet3.1-java.
> Cheers,
>         Moritz

[putting debian-java in the loop]

I will upload a Jessie update of Tomcat 6 tomorrow. Please note that
changing the rdeps of libservlet2.5-java to libservlet3.1-java is one of
our goals for Stretch. [1]
This is sometimes not an easy task because we also ship packages with
specifications like osgi-compendium that support the Java servlet 2.5
API and above. See [2] for user voiced concerns. I don't think that
libservlet2.5-java poses any security risk, so we should safely ignore
this one in the future.



[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801026

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: