I am working on tomcat8 to address the two currently outstanding CVEs. After I approached him for some guidance, Markus Koschany pointed out that upstream has made an [END OF LIFE] announcement for Tomcat 8.0. Support ends on 30th June.
The patches for the two currently outstanding CVEs apply relatively easily to the 8.0 package in jessie. However, the lack of upstream support presents a significant complication going forward. I recommend the following:

- Announce that following the upstream EOL, tomcat8 will no longer be supported in jessie
- One of:
  + Discontinue updates for tomcat8 altogether
  + Sync tomcat8 in jessie with the version in stretch (which still receives upstream support)
  + Sync tomcat8 in jessie with the latest upstream (this only makes sense if the same is done in stretch)

The announcement should indicate which of the options will be employed going forward.

The most sensible approach seems to be the second. Assuming that users will eventually have to upgrade to stretch, the tomcat8 8.0 -> 8.5 upgrade will be something that has to be done eventually. The main drawback, it would seem, is that the package name is the same and so users who are accustomed to allowing automatic security updates might be surprised by the significant change.

Comments and suggestions are most welcome. After I have completed the current update that is needed, I will work on drafting an announcement and post it for review and comments.

Regards,

-Roberto

[END OF LIFE] https://tomcat.apache.org/tomcat-80-eol.html

--
Roberto C. Sánchez