Bug#692439: tomcat6: CVE-2012-2733 CVE-2012-3439

2012-11-06 Thread Moritz Muehlenhoff
Package: tomcat6 Severity: grave Tags: security Justification: user security hole Please see http://tomcat.apache.org/security-6.html Since Wheezy is frozen, please apply isolated security fixes and do not update to a new upstream release. BTW, is it really necessary to have both tomcat6 and

Bug#692440: tomcat7: CVE-2012-2733 CVE-2012-3439

2012-11-06 Thread Moritz Muehlenhoff
Package: tomcat7 Severity: grave Tags: security Justification: user security hole Please see http://tomcat.apache.org/security-7.html Since Wheezy is frozen, please apply isolated security fixes instead of updating to a new upstream release. Cheers, Moritz

Bug#692442: CVE-2012-5783: Insecure certificate validation

2012-11-06 Thread Moritz Muehlenhoff
Package: commons-httpclient Severity: important Tags: security Please see Section 7.5 of this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf This has been assigned CVE-2012-5783. I'm not sure if we can backport more correct certificate validation to 3.x, but independent of that it might

Processed: Re: jspwiki does depend on tomcat6

2012-11-06 Thread Debian Bug Tracking System
Processing control commands: notfound -1 2.8.0-5 Bug #656153 [jspwiki] jspwiki: postinst failure: chown: invalid user: `tomcat6' No longer marked as found in versions jspwiki/2.8.0-5. fixed -1 2.8.0-5 Bug #656153 [jspwiki] jspwiki: postinst failure: chown: invalid user: `tomcat6' Marked as

Bug#692455: jspwiki: modifies conffiles (policy 10.7.3): /etc/jspwiki/jspwiki.properties

2012-11-06 Thread Andreas Beckmann
Package: jspwiki Version: 2.8.0-5 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, during a test with piuparts I noticed your package modifies conffiles. This is forbidden by the policy, see http://www.debian.org/doc/debian-policy/ch-files.html#s-config-files 10.7.3: