Re: Changes to get tomcat8 security fixes into Debian 9?
- To: debian-java@lists.debian.org
- From: Andreas Tille <andreas@an3as.eu>
- Date: Tue, 28 Apr 2020 10:57:00 +0200
- Message-id: <20200428085700.GR1150@an3as.eu>
- In-reply-to: <20200306141709.GI14082@an3as.eu>
- References: <20200305083442.GL14082@an3as.eu> <3599459e-7758-5682-6ba6-96e91355924f@debian.org> <20200306141709.GI14082@an3as.eu>
On Fri, Mar 06, 2020 at 03:17:09PM +0100, Andreas Tille wrote:
> On Fri, Mar 06, 2020 at 12:24:56AM +0100, Markus Koschany wrote:
> > Hi Andreas,
> >
> > Am 05.03.20 um 09:34 schrieb Andreas Tille:
> > > Hi,
> > >
> > > I was wondering, whether there is a chance to get CVE-2020-1938 fixed in
> > > Tomcat8 in Stretch? If the chances are low possibly backporting Tomcat9
> > > to stretch-backports-sloppy would be a feasible way to go for me. What
> > > would you recommend?
> >
> > I intend to fix tomcat8 in Stretch soon. I hope to fix tomcat9 in Buster
> > too but wouldn't mind if someone beat me to it.
>
> I'd really welcome if you or anybody who might beat you would care for
> this. I'm pretty sure that I will not put my incompetent hands on it if
> I know you will do this in a foreseeable time frame.
>
> > Please note that the AJP connector is disabled by default in Debian and
> > one may argue that only those users who use it with untrusted services
> > (not recommended) are really affected.
>
> I've verified that this part of the configuration was not changed in our
> case. Thanks a lot for the helpful hint.
>
> Andreas.
Any news about the tomcat backport?
Kind regards
Andreas.
--
http://fam-tille.de