Control: severity -1 normal

On 07.05.20 at 17:58, Michael Meier wrote:
[...]
> The application doesn't use ajp.
> 
> The sense of using unattended-upgrades and debian stable (no breaking
> changes on updates) is not to read each security announcement in before.
> 
> I'm not working in an area, where anybody would (be able to) pay for that.

It is not feasible to detect any possible incompatibility beforehand
because it heavily depends on the apps in use. Debian stable updates
work 99% of the time without major issues but there will never be a 100%
success rate because some problems are unrelated or simply not under
Debian control. Setting up a test server before deploying updates to a
production environment is the way to go here.

>> If that does not solve your problem, then we need more information about
>> your setup and configuration to debug the problem but note that we ship
>> the latest upstream version basically unmodified, so this would be most
>> likely an upstream bug.
> 
> I could trace it back to the zk library used:
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=64097
> 
> https://tracker.zkoss.org/browse/ZK-4510
> 
> That seems to be a really really weird bug. If I understand it
> correctly, it's the fault of zk, but I'm not 100% sure.
> 
> Anyway, as it seems if I manage to update the project to the new zk
> major version, it's supposed to work again.

Ok, as I previously thought, it is an upstream bug but not in Tomcat
itself but in el-api. Updating the zk library for your app might resolve
the issue. I wonder if we need to upgrade src:el-api in Debian too. I
think it is best if Emmanuel Bourg chimes in here.

Regards,

Markus
