Re: New oldstable-proposed-updates diff: tomcat6 6.0.45+dfsg-1~deb7u1
On Tue, Mar 29, 2016 at 11:23:30PM +0200, Markus Koschany wrote:
> Am 29.03.2016 um 23:01 schrieb Moritz Mühlenhoff:
> > On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
> >> The Security Team decided to mark the issues in Jessie as no-dsa because
> >> we only ship the servlet API and documentation in this release which
> >> can't be affected by security vulnerabilities at all. I wouldn't mind
> >> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely
> >> ignore the version number skew in this case. All Wheezy users who update
> >> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and Jessie
> >> only users will continue to use 6.0.41. They will not be placed in a
> >> worse position.
> >> If you feel more comfortable with an updated source package in Jessie, I
> >> will gladly upload this one to Jessie.
> > I missed the wheezy > jessie version skew aspect. In that case let's also
> > upgrade tomcat6 in jessie even though it's a NOP.
> > But all those rdeps of libservlet2.5-java should really be upgraded
> > to libservlet3.1-java.
> > Cheers,
> > Moritz
> [putting debian-java in the loop]
> I will upload a Jessie update of Tomcat 6 tomorrow.
> Please note that
> changing the rdeps of libservlet2.5-java to libservlet3.1-java is one of
> our goals for Stretch.