On 29.03.2016 at 23:01, Moritz Mühlenhoff wrote:
> On Tue, Mar 29, 2016 at 10:03:56PM +0200, Markus Koschany wrote:
>> The Security Team decided to mark the issues in Jessie as no-dsa because
>> we only ship the servlet API and documentation in this release which
>> can't be affected by security vulnerabilities at all. I wouldn't mind
>> uploading the 6.0.45+dfsg-1~deb8u1 to Jessie but I think we can safely
>> ignore the version number skew in this case. All Wheezy users who update
>> to Jessie will keep 6.0.45+dfsg-1~deb7u1 for the servlet API and
>> Jessie-only users will continue to use 6.0.41. They will not be placed in a
>> worse position.
>>
>> If you feel more comfortable with an updated source package in Jessie, I
>> will gladly upload this one to Jessie.
> 
> I missed the wheezy > jessie version skew aspect. In that case let's also
> upgrade tomcat6 in jessie even though it's a NOP.
> 
> But all those rdeps of libservlet2.5-java should really be upgraded
> to libservlet3.1-java.

I have updated the Tomcat 6 package in Jessie. I'm attaching the debdiff
between the version in wheezy-security and this one for comparison.
Shall I upload to security-master or to jessie directly?

Regards,

Markus


Attachment: tomcat6_jessie.debdiff.gz
Description: application/gzip

Attachment: signature.asc
Description: OpenPGP digital signature
