Guidance on tomcat8 update for (LTS) jessie
Security Team & Tomcat Maintainers,
I began working on a jessie LTS update for tomcat8 and sought some
guidance from Markus Koschany, as he prepared a tomcat7 update recently.
He pointed out that the tomcat8 package in jessie is based on the 8.0.x
upstream releases, which will reach EOL on 30th June. He further
recommended that I consider updating the tomcat8 package in jessie to
the 8.5.x series.
After some quick investigating I found that the current tomcat8 packages
in Debian are based on the following upstream releases:
stretch -> 8.5.14
buster -> 8.5.31
sid -> 8.5.32 (latest upstream release)
It doesn't make sense to advance tomcat8 in jessie to a newer release
than what is in stretch. However, it is also not a workable solution to
have an unsupported tomcat release in jessie.
There appear to be the following possible courses of action:
- Backport patches to the 8.0.14-based packages in jessie
  + this is potentially high risk, especially since after EOL upstream
    will no longer check new CVEs for applicability to the 8.0.x releases
    nor will they make any effort to apply fixes to that branch
- Update the tomcat8 in jessie using the stretch 8.5.14-1+deb9u2
  packages as a starting point
- Update the tomcat8 in jessie to be based on the latest upstream 8.5.32
  + This does not seem to make much sense unless the same is done for
    stretch, a user would otherwise then end up with the stretch package
    masked in a jessie -> stretch distribution upgrade because of the
    jessie package having a higher version than the stretch package
  + The upgrade version anomaly could be avoided by using a package
    version like 8.0.14-2+really8.5.32, but that would still result in
    users actually downgrading
I am curious as to whether there is a plan to bring tomcat8 in stretch
in line with the latest 8.5.x upstream release. If not, then what is
the recommendation for how to proceed here?
P.S. Please keep the debian-lts list in the CC when you reply.
Roberto C. Sánchez