Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

tony mancill tmancill at debian.org
Fri Dec 7 06:23:17 UTC 2012


On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
> Package: tomcat6
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> More Tomcat security issues have been disclosed:
> http://tomcat.apache.org/security-6.html
> 
> The page contains links to the upstream fixes.
> 
> BTW, is there a specific reason why both tomcat6 and tomcat7 are present in Wheezy?
> This will duplicate all efforts for security updates in Wheezy.

Hi Moritz,

I have an updated package that includes the patches for these 3 CVEs and
am doing some smoke-testing now.  But before I upload, I have a question
about what is permissible to include in the upload.  I'd like to rename
the patches that were included in the 6.0.35-5+nmu1 upload so they
follow the same naming convention as the other patches in the package
and include the origin patch header.  (As you point out, after all,
we'll be supporting this package for a long time to come.)  Also, I'd
like to "quilt refresh" the patches in the package, as they're getting a
bit fuzzy.  So, no substantive or real packaging changes, but the
interdiff will be a bit larger.  Is that okay, or should I upload with
only the new patches for the CVEs applied?

Regarding tomcat6 and tomcat7, although they are certainly related, they
implement different versions of the servlet and JSP specifications [1],
and there are still a number of organizations running applications
developed for/tested on tomcat6 in production.  There is a migration
guide for going from 6.x to 7.x that must be taken into consideration [2].

But specifically for Debian, there are still a number of packages in
wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java.
According to popcon, tomcat6 is about 5x more popular than tomcat7, and
libservlet2.5 is quite popular indeed [3,4].

Thank you,
tony

[1] http://tomcat.apache.org/whichversion.html
[2] http://tomcat.apache.org/migration-7.html
[3] http://qa.debian.org/popcon.php?package=tomcat6
[4] http://qa.debian.org/popcon.php?package=tomcat7

