Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

Moritz Muehlenhoff jmm at inutil.org
Fri Dec 7 08:15:02 UTC 2012


On Thu, Dec 06, 2012 at 10:23:17PM -0800, tony mancill wrote:
> On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
> > Package: tomcat6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > More Tomcat security issues have been disclosed:
> > http://tomcat.apache.org/security-6.html
> > 
> > The page contains links to the upstream fixes.
> > 
> > BTW, is there a specific reason why both tomcat6 and tomcat7 are present in Wheezy?
> > This will duplicate all efforts for security updates in Wheezy.
> 
> Hi Moritz,
> 
> I have an updated package that includes the patches for these 3 CVEs and
> am doing some smoke-testing now.  But before I upload, I have a question
> about what is permissible to include in the upload.  I'd like to rename
> the patches that were included in the 6.0.35-5+nmu1 upload so they
> follow the same naming convention as the other patches in the package
> and include the origin patch header.  (As you point out, after all,
> we'll be supporting this package for a long time to come.)  Also, I'd
> like to "quilt refresh" the patches in the package, as they're getting a
> bit fuzzy.  So, no substantive or real packaging changes, but the
> interdiff will be a bit larger.  Is that okay, or should I upload with
> only the new patches for the CVEs applied?

Release managers are busy enough already, so please keep it as minimal
as possible.
 
> Regarding tomcat6 and tomcat7, although they are certainly related, they
> implement different versions of the servlet and JSP specifications [1],
> and there are still a number of organizations running applications
> developed for/tested on tomcat6 in production.  There is a migration
> guide for going from 6.x to 7.x that must be taken into consideration [2].
> 
> But specifically for Debian, there are still a number of packages in
> wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java.
> According to popcon, tomcat6 is about 5x more popular than tomcat7, and
> libservlet2.5 is quite popular indeed [3,4].

Ok, but tomcat6 should be removed for jessie, then.

Cheers,
        Moritz
