On 08.08.19 at 00:50, Sylvain Beucler wrote:
> Hi,
>
> So I reworked CVE-2017-5647, which involved 5 new commits related to
> non-blocking I/O (NIO2 and COMET).
> Stable build.
>
> Then I got upstream to renew their new certs that were expiring tomorrow (!)
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63648
> and had to fix up the SSL client tests accordingly (new client DN).
>
> At last we have a working package that passes the test suite.
> How would you smoke-test it?
> https://www.beuc.net/tmp/debian-lts/tomcat8/

You can safely ignore all SSL test failures. I suggest you compare the
output of the current Tomcat release with the output after you have fixed
the newly reported CVE. If you discover new test failures unrelated to the
current ones, then it deserves further investigation. After that you can
simply run DEB_BUILD_OPTIONS=nocheck to avoid the FTBFS.

Another option is to upgrade to the latest stable release in case the
changes are too complex and a backport is becoming more and more time
consuming.

Please note that I fixed CVE-2017-5647 2.5 years ago as a member of the
Java team. I don't believe that the new commits are directly related to
CVE-2017-5647. This appears to be a bug that was always present and was
only fixed after Jessie became stable.

Testing the server works similarly to testing the Apache web server.
Install Tomcat and the examples and check whether simple web applications
work. Find a more complex web application and configure the server to use
NIO/BIO depending on what was fixed or changed regarding the CVE. You can
only reproduce certain issues if the connector is configured correctly.

Bonus points if you or Abhijith send your changes to the Java team, so that
we can incorporate them into Git.

Regards,

Markus
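The before/after comparison Markus suggests, as an added example that is not from the thread or the Debian Java team: it extracts failing suites from two test logs, drops SSL suites, and reports only suites that newly fail. It assumes ant's JUnit plain-formatter line format shown in the comments; the sample logs and suite names are constructed.

```shell
# Added example (not from the thread): diff two Tomcat test-suite logs and
# report suites that newly fail, ignoring SSL suites as the reply suggests.
# Assumes ant's JUnit plain-formatter output, i.e. lines such as
#   [junit] Testsuite: org.apache.foo.TestBar
#   [junit] Tests run: 3, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.2 sec

# Print (sorted, unique) names of suites with Failures or Errors > 0.
failing_suites() {
    awk '
        /Testsuite: / { suite = $NF }
        /Tests run: / {
            failures = errors = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "Failures:") failures = $(i + 1) + 0
                if ($i == "Errors:")   errors   = $(i + 1) + 0
            }
            if (failures > 0 || errors > 0) print suite
        }' "$1" | sort -u
}

# Suites failing in the patched build ($2) but not in the baseline ($1),
# with SSL-related suites filtered out (case-insensitive "ssl" in the name).
new_failures() {
    old_list=$(mktemp); new_list=$(mktemp)
    failing_suites "$1" | { grep -iv ssl || :; } > "$old_list"
    failing_suites "$2" | { grep -iv ssl || :; } > "$new_list"
    comm -13 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

# Constructed sample logs (not real build output) so this runs stand-alone:
# the baseline already fails TestSsl; the patched build also breaks an NIO
# suite, which is the only thing that should be flagged.
demo() {
    old_log=$(mktemp); new_log=$(mktemp)
    cat > "$old_log" <<'EOF'
    [junit] Testsuite: org.example.net.TestSsl
    [junit] Tests run: 4, Failures: 2, Errors: 0, Skipped: 0, Time elapsed: 3.1 sec
    [junit] Testsuite: org.example.net.TestNioEndpoint
    [junit] Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.4 sec
EOF
    cat > "$new_log" <<'EOF'
    [junit] Testsuite: org.example.net.TestSsl
    [junit] Tests run: 4, Failures: 3, Errors: 0, Skipped: 0, Time elapsed: 3.0 sec
    [junit] Testsuite: org.example.net.TestNioEndpoint
    [junit] Tests run: 5, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 1.5 sec
EOF
    new_failures "$old_log" "$new_log"
    rm -f "$old_log" "$new_log"
}
```

Run `demo` to see the constructed case, or call `new_failures baseline.log patched.log` on two real build logs.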