On 18/02/2016 14:45, Markus Koschany wrote:
> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
> security vulnerabilities that were already fixed in Squeeze-LTS and
> Jessie. Would it be sensible to apply the same changes (backporting the
> 6.0.41 release to Wheezy too) or are there any reasons why this has not
> been done before? Has anybody spoken with the Security Team about Tomcat
> security updates in general? Do they approve of backporting newer
> upstream releases?

Hi Markus,

I vaguely remember trying to backport the fixes and giving up due to the complexity. Also the lack of tests in Tomcat 6 makes this operation rather risky. That's why the LTS Team decided to package a more recent release in Squeeze.

I don't know if the Security Team would accept a new upstream release for Wheezy. Since the LTS Team is probably going to upgrade the package when they take over the maintenance in April we could ask the Security Team to do this upgrade earlier.

Emmanuel Bourg