On Mon, Jan 30, 2012 at 01:55:57PM +0000, Dominic Hargreaves wrote:
> On Sun, Jan 29, 2012 at 01:14:20PM +0100, Moritz Mühlenhoff wrote:
> > Moritz Mühlenhoff <jmm@inutil.org> wrote:
> > > Hi,
> > > the changes needed to secure Tomcat against the recent hash collision
> > > attack are large and intrusive. That's why we decided to update to
> > > 6.0.35 in the upcoming stable update.
> > >
> > > No breakage is expected, but we need more "beta testers" before we
> > > can release the update. The packages can be fetched from
> > > http://people.debian.org/~tmancill/ (6.0.35-1+squeeze1)
> > >
> > > Please send negative/positive test feedback to jmm@debian.org
> >
> > We've received no feedback so far. In the absence of feedback, there
> > won't be a DSA.
>
> I can try and get some testing of this done

We tested the Tomcat update on three test servers: two running bespoke
applications, and the third running a Shibboleth IdP. In all cases, we
ran Tomcat not via the init scripts provided, but via daemontools, and
we ran it using OpenJDK from squeeze.

Our tests did not find any problems with the update.

Cheers,
Dominic.

-- 
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford