On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
> Package: tomcat6
> Severity: grave
> Tags: security
> Justification: user security hole
>
> More Tomcat security issues have been disclosed:
> http://tomcat.apache.org/security-6.html
>
> The page contains links to the upstream fixes.
>
> BTW, is there a specific reason why both tomcat6 and tomcat7 are present in
> Wheezy?
> This will duplicate all efforts for security updates in Wheezy.
Hi Moritz,

I have an updated package that includes the patches for these 3 CVEs and am doing some smoke-testing now. But before I upload, I have a question about what is permissible to include in the upload.

I'd like to rename the patches that were included in the 6.0.35-5+nmu1 upload so they follow the same naming convention as the other patches in the package and include the origin patch header. (As you point out, after all, we'll be supporting this package for a long time to come.) Also, I'd like to "quilt refresh" the patches in the package, as they're getting a bit fuzzy. So, no substantive or real packaging changes, but the interdiff will be a bit larger. Is that okay, or should I upload with only the new patches for the CVEs applied?

Regarding tomcat6 and tomcat7, although they are certainly related, they implement different versions of the servlet and JSP specifications [1], and there are still a number of organizations running applications developed for/tested on tomcat6 in production. There is a migration guide for going from 6.x to 7.x that must be taken into consideration [2]. But specifically for Debian, there are still a number of packages in wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java. According to popcon, tomcat6 is about 5x more popular than tomcat7, and libservlet2.5 is quite popular indeed [3,4].

Thank you,
tony

[1] http://tomcat.apache.org/whichversion.html
[2] http://tomcat.apache.org/migration-7.html
[3] http://qa.debian.org/popcon.php?package=tomcat6
[4] http://qa.debian.org/popcon.php?package=tomcat7