Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

[Salvatore Bonaccorso]

Hi,

On Tue, Apr 11, 2017 at 05:24:25PM +0200, Markus Koschany wrote:
> Am 11.04.2017 um 17:18 schrieb Salvatore Bonaccorso:
> > Hi Markus,
> > 
> > On Tue, Apr 11, 2017 at 02:18:14PM +0000, Debian Bug Tracking System wrote:
> >> Processing control commands:
> >>
> >>> merge 860068 860069 860070 860071
> >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> >> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
> >> Marked as found in versions tomcat8/8.5.11-1.
> >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> >> Marked as found in versions tomcat8/8.5.11-1.
> >> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
> >> Marked as found in versions tomcat8/8.0.14-1.
> >> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
> >> Marked as found in versions tomcat8/8.0.14-1.
> >> Merged 860068 860069 860070 860071
> > 
> > Why the merge? I was a exlicit choice to open 4 bugs due to the
> > different CVE's and different affected versions (note that two affect
> > 8.0.14-1 and two only 8.5.11-1 but not the version in jessie).
> 
> Hi,
> 
[...]
> I suggest to use the found/fixed tags as
> needed.

NB: Which is exactly what I did (see the different found versions), to
track correctly the version as well in BTS. But now it would treat
e.g.  CVE-2017-5650 as well as found in 8.0.14-1 which is not true.

Anyway, thanks a lot for taking care of those CVEs and fixing them!

Regards,
Salvatore