Control: severity -1 normal

On 07.05.20 at 17:58, Michael Meier wrote:
[...]
> The application doesn't use ajp.
>
> The sense of using unattended-upgrades and debian stable (no breaking
> changes on updates) is not to read each security announcement in before.
>
> I'm not working in an area, where anybody would (be able to) pay for that.

It is not feasible to detect any possible incompatibility beforehand
because it heavily depends on the apps in use. Debian stable updates
work 99% of the time without major issues but there will never be a 100%
success rate because some problems are unrelated or simply not under
Debian control. Setting up a test server before deploying updates to a
production environment is the way to go here.

>> If that does not solve your problem, then we need more information about
>> your setup and configuration to debug the problem but note that we ship
>> the latest upstream version basically unmodified, so this would be most
>> likely an upstream bug.
>
> I could trace it back to the zk library used:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=64097
>
> https://tracker.zkoss.org/browse/ZK-4510
>
> That seems to be a really really weird bug. If I understand it
> correctly, it's the fault of zk, but I'm not 100% sure.
>
> Anyway, as it seems if I manage to update the project to the new zk
> major version, it's supposed to work again.

Ok, as I previously thought, it is an upstream bug but not in Tomcat
itself but in el-api. Updating the zk library for your app might resolve
the issue. I wonder if we need to upgrade src:el-api in Debian too. I
think it is best when Emmanuel Bourg chimes in here.

Regards,

Markus