On Thu, Feb 18, 2016 at 06:24:17PM +0100, Markus Koschany wrote:
> On 18.02.2016 at 18:10, Emmanuel Bourg wrote:
> > On 18/02/2016 14:45, Markus Koschany wrote:
> >
> >> According to [1] Tomcat 6 in Wheezy is still affected by a couple of
> >> security vulnerabilities that were already fixed in Squeeze-LTS and
> >> Jessie. Would it be sensible to apply the same changes (backporting the
> >> 6.0.41 release to Wheezy too) or are there any reasons why this has not
> >> been done before? Has anybody spoken with the Security Team about Tomcat
> >> security updates in general? Do they approve of backporting newer
> >> upstream releases?
> >
> > Hi Markus,
> >
> > I vaguely remember trying to backport the fixes and giving up due to the
> > complexity. Also the lack of tests in Tomcat 6 makes this operation
> > rather risky. That's why the LTS Team decided to package a more recent
> > release in Squeeze.
> >
> > I don't know if the Security Team would accept a new upstream release
> > for Wheezy. Since the LTS Team is probably going to upgrade the package
> > when they take over the maintenance in April, we could ask the Security
> > Team to do this upgrade earlier.
>
> I am in favor of this solution, especially because we haven't heard
> anything negative about this approach for Squeeze-LTS. If the Security
> Team agrees, I will go ahead and backport this release to Wheezy, test
> the package and send the debdiff to them.
Ok, please go ahead.

Cheers,
Moritz