Rhea,
On 7/8/22 05:53, Rhea Moubarak wrote:
I asked ubuntu-devel-discuss if it is possible to integrate Tomcat 9.0.54 into the
official repositories of Ubuntu 20.04, as it helps fix major security issues
on Tomcat installations.
(https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2022-July/019297.html)
They responded with the following:
Hi Rhea,
but gladly this isn't plain 9.0.31.
There was a similar bug request [1] which got resolved a while ago in [2] and I
think has solved all those security issues in the 9.0.31 version that is in
Focal.
On the other side there is the SRU policy [3] which prevents too big version
jumps unless there is extra focus on stability and testing which needs further
effort and dedication which for tomcat9 being only in universe isn't provided
by anyone at the moment.
[1]: https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911
[2]: https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.2
[3]: https://wiki.ubuntu.com/StableReleaseUpdates
Is it possible for anyone from your side to help with the stability
and testing of version 9.0.54 to satisfy the SRU policy of Ubuntu?
We are all volunteers. If you'd like to volunteer to assemble the
information we'd need to fulfill such a "stability and testing" plan, we
might be able to move forward.
The Debian and Ubuntu teams track this project and incorporate patches
(which is how *those* projects work, not Apache Tomcat which releases
new versions for security fixes) for security issues as appropriate.
Whatever is in 9.0.54 that you need might actually be available through
the Ubuntu package repository under the package whose nominal version
number appears to be "9.0.31". You should read the release notes of the
package history to see what security items have been addressed in their
latest version. You may find that apache-tomcat-9.0.31-ubuntu-rev48 (or
whatever) addresses all of the reported CVEs between 9.0.31 and 9.0.54
even if the version number hasn't changed.
If you have a security auditor who is looking at software version
numbers instead of the effective security provided by the package, you
may have to either switch auditors, or switch package
managers/repositories to one which meets your auditor's requirements.
-chris
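The advice above is to read the package's own changelog rather than trust the nominal upstream version, because Debian and Ubuntu backport fixes into "9.0.31-1ubuntu0.N" without bumping the upstream number. Below is an added example (not code from the thread or from Ubuntu) that does that check mechanically: it parses Debian changelog stanzas, collects every CVE identifier each stanza mentions, and reports which of an auditor's flagged CVEs are covered by which package revision. The changelog text embedded here is constructed, and its CVE identifiers are placeholders (CVE-1999-0000x), not real advisories; in practice you would feed it the output of `apt-get changelog tomcat9` or the contents of `/usr/share/doc/tomcat9/changelog.Debian.gz`.

```python
import gzip
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# First line of a Debian changelog stanza:
#   <source> (<version>) <distribution>; urgency=<level>
STANZA_RE = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+);")
# CVE identifiers as they appear in SECURITY UPDATE entries and patch names.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample changelog. The version strings mirror the 9.0.31-1ubuntu0.N
# scheme discussed in the thread; the CVE ids are placeholders, not real CVEs.
SAMPLE_CHANGELOG = """\
tomcat9 (9.0.31-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: placeholder entry (constructed)
    - debian/patches/CVE-1999-00002.patch: placeholder description
    - CVE-1999-00002
  * SECURITY UPDATE: placeholder entry (constructed)
    - CVE-1999-00003

 -- Placeholder Maintainer <maintainer@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

tomcat9 (9.0.31-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: placeholder entry (constructed)
    - CVE-1999-00001

 -- Placeholder Maintainer <maintainer@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

tomcat9 (9.0.31-1) unstable; urgency=medium

  * New upstream release.

 -- Placeholder Maintainer <maintainer@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000
"""


@dataclass
class Stanza:
    version: str
    distribution: str
    cves: Set[str] = field(default_factory=set)


def parse_changelog(text: str) -> List[Stanza]:
    """Split a Debian changelog into stanzas, newest first, with the CVE ids each one mentions."""
    stanzas: List[Stanza] = []
    current = None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = Stanza(m.group("version"), m.group("dist"))
            stanzas.append(current)
        elif current is not None:
            current.cves.update(CVE_RE.findall(line))
    return stanzas


def cve_coverage(text: str, flagged: Iterable[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (covered -> first package revision that mentions the CVE, sorted list of uncovered CVEs)."""
    fixed: Dict[str, str] = {}
    # Stanzas are newest first; keep the newest revision that mentions each CVE.
    for stanza in parse_changelog(text):
        for cve in stanza.cves:
            fixed.setdefault(cve, stanza.version)
    flagged = list(flagged)
    covered = {cve: fixed[cve] for cve in flagged if cve in fixed}
    missing = sorted(cve for cve in flagged if cve not in fixed)
    return covered, missing


def load_changelog(path: str) -> str:
    """Read a plain or gzip-compressed changelog file (e.g. changelog.Debian.gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Usage: python check_changelog.py [changelog-or-changelog.gz] CVE-... CVE-...
    # With no arguments the constructed sample is used.
    if len(sys.argv) > 2:
        text, wanted = load_changelog(sys.argv[1]), sys.argv[2:]
    else:
        text, wanted = SAMPLE_CHANGELOG, ["CVE-1999-00001", "CVE-1999-00002", "CVE-1999-00009"]
    covered, missing = cve_coverage(text, wanted)
    for cve, version in sorted(covered.items()):
        print(f"{cve}: addressed in package revision {version}")
    for cve in missing:
        print(f"{cve}: NOT mentioned in this changelog")
```

The output names the package revision, not the upstream version, which is the evidence an auditor actually needs: a flagged CVE listed under 9.0.31-1ubuntu0.2 is fixed on a system running that revision even though `tomcat9 --version` style checks still report 9.0.31. A CVE in the "NOT mentioned" list is the only case that warrants chasing a newer upstream release or a backport.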