
Re: Changes to get tomcat8 security fixes into Debian 9?



On Fri, Mar 06, 2020 at 12:24:56AM +0100, Markus Koschany wrote:
> Hi Andreas,
> 
> Am 05.03.20 um 09:34 schrieb Andreas Tille:
> > Hi,
> > 
> > I was wondering, whether there is a chance to get CVE-2020-1938 fixed in
> > Tomcat8 in Stretch?  If the chances are low possibly backporting Tomcat9
> > to stretch-backports-sloppy would be a feasible way to go for me.  What
> > would you recommend?
> 
> I intend to fix tomcat8 in Stretch soon. I hope to fix tomcat9 in Buster
> too but wouldn't mind if someone beat me to it.

I'd really welcome if you or anybody who might beat you would care for
this.  I'm pretty sure that I will not put my incompetent hands on it if
I know you will do this in a foreseeable time frame.
 
> Please note that the AJP connector is disabled by default in Debian and
> one may argue that only those users who use it with untrusted services
> (not recommended) are really affected.

I've verified that this part of the configuration was not changed in our
case.  Thanks a lot for the helpful hint.

      Andreas.


-- 
http://fam-tille.de
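
The check discussed above (confirming that the AJP connector is still disabled in Tomcat's server.xml) can be scripted. This is an added example, not part of the original mail or of Debian's tooling; the sample XML is constructed, and the path to the real server.xml is passed as an argument.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a server.xml where the AJP connector is commented out,
# and a variant where an administrator has uncommented it.
SAMPLE_DISABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""
SAMPLE_ENABLED = SAMPLE_DISABLED.replace("<!--", "").replace("-->", "")

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def active_ajp_connectors(xml_text):
    """Return one dict per AJP <Connector> that is not commented out."""
    root = ET.fromstring(xml_text)  # the default parser drops XML comments
    found = []
    for conn in root.iter("Connector"):
        # protocol is either "AJP/1.3" or an AJP handler class name
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        address = conn.get("address")
        found.append({
            "port": conn.get("port"),
            "address": address,
            "loopback_only": address in LOOPBACK,
            "has_secret": bool(conn.get("secret") or conn.get("requiredSecret")),
        })
    return found


if __name__ == "__main__":
    # With no argument the constructed "enabled" sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENABLED
    hits = active_ajp_connectors(text)
    for c in hits:
        print("active AJP connector:", c)
    sys.exit(1 if hits else 0)
```

The script exits non-zero when an active AJP connector is present, so it can be run across a fleet from a configuration-management job.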

