Rhea,
On 7/12/22 02:58, Rhea Moubarak wrote:
This is the link to the bug we are facing:
https://bz.apache.org/bugzilla/show_bug.cgi?id=64195
Is it fixed in 9.0.31?
Do you mean "is it fixed in the latest Tomcat 9.0.31 package available
from Ubuntu?"
I think you'd have to ask Ubuntu that.
You might be able to find it in the changelog:
$ apt-get changelog tomcat9
Which version of Ubuntu are you using?
By the way, the bug you reference was never fixed. It was marked as a
duplicate of this one:
https://bz.apache.org/bugzilla/show_bug.cgi?id=64202 (which WAS fixed).
This was not flagged as a security bug. You originally asked about
security bugs, but this one is not listed as a security fix. So it's
unlikely to have been back-ported to the Ubuntu repository.
-chris
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, July 8, 2022 8:57 PM
To: users@tomcat.apache.org
Subject: Re: Package TOMCAT 9.0.54 for Ubuntu 20.04
Rhea,
On 7/8/22 05:53, Rhea Moubarak wrote:
I asked Ubuntu-devel-discus if it's possible to integrate TOMCAT 9.0.54 in the
official repositories of Ubuntu 20.04 as it helps fixing major security issues
on TOMCAT installations.
(https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2022-July/0192
97.html)
They responded with the following:
Hi Rhea,
but gladly this isn't plain 9.0.31.
There was a similar bug request [1] which got resolved a while ago in [2] and I
think has solved all those security issues in the 9.0.31 version that is in
Focal.
On the other side there is the SRU policy [3] which prevents too big version
jumps unless there is extra focus on stability and testing which needs further
effort and dedication which for tomcat9 being only in universe isn't provided
by anyone at the moment.
[1]: https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911
[2]: https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.2
[3]: https://wiki.ubuntu.com/StableReleaseUpdates
Is it possible from anyone from your side to help with the stability
and testing of the version 9.0.54 to satisfy the SRU policy of Ubuntu?
We are all volunteers. If you'd like to volunteer to assemble the information we'd need
to fulfill such a "stability and testing" plan, we might be able to move
forward.
The Debian and Ubuntu teams track this project and incorporate patches (which
is how *those* projects work, not Apache Tomcat which releases new versions for
security fixes) for security issues as appropriate.
Whatever is in 9.0.54 that you need might actually be available through the Ubuntu
package repository under the package whose nominal version number appears to be
"9.0.31". You should read the release notes of the package history to see what
security items have been addressed in their latest version. You may find that
apache-tomcat-9.0.31-ubuntu-rev48 (or
whatever) addresses all of the reported CVEs between 9.0.31 and 9.0.54 even if
the version number hasn't changed.
If you have a security auditor who is looking at software version numbers
instead of the effective security provided from the package, you may have to
either switch auditors, or switch package managers/repositories to one which
meets your auditors requirements.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
