Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
Moritz Muehlenhoff
jmm at inutil.org
Fri Dec 7 08:15:02 UTC 2012
On Thu, Dec 06, 2012 at 10:23:17PM -0800, tony mancill wrote:
> On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
> > Package: tomcat6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > More Tomcat security issues have been disclosed:
> > http://tomcat.apache.org/security-6.html
> >
> > The page contains links to the upstream fixes.
> >
> > BTW, is there a specific reason why both tomcat6 and tomcat7 are present in Wheezy?
> > This will duplicate all efforts for security updates in Wheezy.
>
> Hi Moritz,
>
> I have an updated package that includes the patches for these 3 CVEs and
> am doing some smoke-testing now. But before I upload, I have a question
> about what is permissible to include in the upload. I'd like to rename
> the patches that were included in the 6.0.35-5+nmu1 upload so they
> follow the same naming convention as the other patches in the package
> and include the origin patch header. (As you point out, after all,
> we'll be supporting this package for a long time to come.) Also, I'd
> like to "quilt refresh" the patches in the package, as they're getting a
> bit fuzzy. So, no substantive or real packaging changes, but the
> interdiff will be a bit larger. Is that okay, or should I upload with
> only the new patches for the CVEs applied?
Release managers are busy enough already, so please keep it as minimal
as possible.
> Regarding tomcat6 and tomcat7, although they are certainly related, they
> implement different versions of the servlet and JSP specifications [1],
> and there are still a number of organizations running applications
> developed for/tested on tomcat6 in production. There is a migration
> guide for going from 6.x to 7.x that must be taken into consideration [2].
>
> But specifically for Debian, there are still a number of packages in
> wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java.
> According to popcon, tomcat6 is about 5x more popular than tomcat7, and
> libservlet2.5 is quite popular indeed [3,4].
Ok, but tomcat6 should be removed for jessie, then.
Cheers,
Moritz
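As an added example, not part of this bug report or of the tomcat6 package: a small Python checker for the DEP-3 "origin" patch headers Tony mentions wanting to add when renaming the patches. The patch texts, file paths and example.org URLs in it are constructed placeholders (only the Debian bug URL is this report's), and the acceptance policy it applies is the checker's own reading of DEP-3, not a Debian policy requirement.

```python
import re

# Lines that end the DEP-3 header block and start the actual diff.
HUNK_START = re.compile(r"^(--- |\+\+\+ |diff |Index: |=== )")
FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
ORIGIN_CATEGORIES = ("upstream", "backport", "vendor", "other")


def parse_dep3_header(patch_text):
    """Collect the 'Field: value' pairs that precede the first diff line.

    Continuation lines (leading whitespace) are folded into the previous
    field; a blank or free-form line ends it, RFC-822 style.
    """
    fields = {}
    current = None
    for line in patch_text.splitlines():
        if HUNK_START.match(line):
            break
        if line[:1] in (" ", "\t") and current:
            fields[current] += "\n" + line.strip()
            continue
        m = FIELD.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        else:
            current = None
    return fields


def check_dep3(patch_text):
    """Return a list of problems with the patch header; [] means it passes.

    Policy (this checker's, modelled on DEP-3): Description or Subject is
    required; Origin is required unless Author is given; Origin must start
    with one of the DEP-3 categories and, for upstream/backport, name a
    commit or URL after the comma; every Bug* field must be a URL.
    """
    f = parse_dep3_header(patch_text)
    problems = []
    if "Description" not in f and "Subject" not in f:
        problems.append("missing Description/Subject")
    origin = f.get("Origin")
    if origin is None:
        if "Author" not in f:
            problems.append("missing Origin (and no Author field to fall back on)")
    else:
        category, _, ref = origin.partition(",")
        category = category.strip().lower()
        if category not in ORIGIN_CATEGORIES:
            problems.append(f"Origin {origin!r} does not start with one of "
                            + ", ".join(ORIGIN_CATEGORIES))
        elif category in ("upstream", "backport") and not ref.strip():
            problems.append(f"Origin {origin!r} names no upstream commit or URL")
    for name, value in f.items():
        if name.startswith("Bug") and not re.match(r"https?://\S+$", value):
            problems.append(f"{name}: {value!r} is not a URL")
    return problems


# Constructed sample patches; the diff bodies are placeholders.
GOOD = """\
Description: Backported fix for a hypothetical security issue (constructed example)
Origin: upstream, http://example.org/upstream/commit/placeholder
Bug-Debian: http://bugs.debian.org/695250
Last-Update: 2012-12-07

--- a/src/Example.java
+++ b/src/Example.java
@@ -1 +1 @@
-old line
+new line
"""

NO_ORIGIN = """\
Description: Same fix, but nobody recorded where it came from
--- a/src/Example.java
+++ b/src/Example.java
@@ -1 +1 @@
-old line
+new line
"""

BARE_URL = """\
Subject: Origin without a DEP-3 category, and a bare bug number
Origin: http://example.org/upstream/commit/placeholder
Bug-Debian: 695250
--- a/src/Example.java
+++ b/src/Example.java
@@ -1 +1 @@
-old line
+new line
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("no-origin", NO_ORIGIN), ("bare-url", BARE_URL)):
        print(name, check_dep3(text) or "ok")
```

Run it over `debian/patches/*.patch` before an upload and it flags the headers that would not tell a later maintainer where a backported fix came from; it deliberately does not touch the hunks themselves, which is what `quilt refresh` is for.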