
Re: Changes to get tomcat8 security fixes into Debian 9?



Hi Andreas,

On 05.03.20 at 09:34, Andreas Tille wrote:
> Hi,
> 
> I was wondering, whether there is a chance to get CVE-2020-1938 fixed in
> Tomcat8 in Stretch?  If the chances are low possibly backporting Tomcat9
> to stretch-backports-sloppy would be a feasible way to go for me.  What
> would you recommend?

I intend to fix tomcat8 in Stretch soon. I hope to fix tomcat9 in Buster
too but wouldn't mind if someone beat me to it.

Please note that the AJP connector is disabled by default in Debian and
one may argue that only those users who use it with untrusted services
(not recommended) are really affected. The fix might require some minor
updates to your configuration.

Regards,

Markus
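
To check whether a given installation has an AJP connector enabled at all, the following lists the active AJP connectors in a `server.xml`. It is an added example, not part of the original message and not Debian or Tomcat project code. The `address`, `secret` and `requiredSecret` attribute names are Tomcat connector attributes that the message does not name, and the sample XML is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment: one HTTP connector, one AJP
# connector left commented out, and two active AJP connectors.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0"/>
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"
               secret="constructed-value"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def is_ajp(protocol):
    """True for protocol="AJP/1.3" or an org.apache.coyote.ajp.* class name."""
    return protocol.upper().startswith("AJP/") or protocol.startswith(
        "org.apache.coyote.ajp.")


def audit_ajp(xml_text):
    """Return one finding per active AJP connector (commented-out ones are
    dropped by the XML parser and therefore never reported)."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not is_ajp(conn.get("protocol", "HTTP/1.1")):
            continue
        address = conn.get("address")  # None means the attribute is not set
        loopback_only = address in LOOPBACK
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "loopback_only": loopback_only,
            "has_secret": has_secret,
            # Not explicitly bound to loopback and no shared secret configured.
            "needs_review": not loopback_only and not has_secret,
        })
    return findings


if __name__ == "__main__":
    # Pass the path to your own server.xml, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for finding in audit_ajp(text):
        print(finding)
```

An empty result means no AJP connector is active in that file.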
