RFC: tomcat8 in the remaining jessie lifecycle

2018-06-29 Thread Roberto C. Sánchez
I am working on tomcat8 to address the two currently outstanding CVEs. After I approached him for some guidance, Markus Koschany pointed out that upstream has made an [END OF LIFE] announcement for Tomcat 8.0. Support ends on 30th June. The patches for the two currently outstanding CVEs apply

Re: Guidance on tomcat8 update for (LTS) jessie

2018-06-29 Thread Roberto C. Sánchez
On Wed, Jun 27, 2018 at 08:33:48AM -0400, Antoine Beaupré wrote: > > As an outsider not very familiar with Tomcat, I guess the main question > I would like to answer before figuring this out would be what kind of > compatibility guarantees does Tomcat provide between versions. If it > respects

[SECURITY] [DLA 1408-1] simplesamlphp security update

2018-06-29 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: simplesamlphp Version: 1.13.1-2+deb8u2 CVE ID : CVE-2017-12868 CVE-2017-12872 CVE-2017-12872 / CVE-2017-12868 The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session

[SECURITY] [DLA 1409-1] mosquitto security update

2018-06-29 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: mosquitto Version: 1.3.4-2+deb8u2 CVE ID : CVE-2017-7651 CVE-2017-7652 CVE-2017-7651 fix to avoid extraordinary memory consumption by crafted CONNECT packet from unauthenticated client CVE-2017-7652

Accepted mosquitto 1.3.4-2+deb8u2 (source amd64 all) into oldstable

2018-06-29 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 29 Jun 2018 19:03:02 +0200 Source: mosquitto Binary: mosquitto libmosquitto1 libmosquitto-dev libmosquittopp1 libmosquittopp-dev mosquitto-clients python-mosquitto python3-mosquitto mosquitto-dbg Architecture: source amd64

Accepted simplesamlphp 1.13.1-2+deb8u2 (source all) into oldstable

2018-06-29 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 29 Jun 2018 18:55:01 +0200 Source: simplesamlphp Binary: simplesamlphp Architecture: source all Version: 1.13.1-2+deb8u2 Distribution: jessie-security Urgency: high Maintainer: Thijs Kinkhorst Changed-By: Thorsten Alteholz

[SECURITY] [DLA 1407-1] mariadb-10.0 security update

2018-06-29 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: mariadb-10.0 Version: 10.0.35-0+deb8u1 CVE ID : CVE-2017-10268 CVE-2017-10378 CVE-2018-2562 CVE-2018-2612 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668 CVE-2018-2755

Accepted mariadb-10.0 10.0.35-0+deb8u1 (source amd64 all) into oldstable

2018-06-29 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Fri, 22 Jun 2018 09:23:13 +0200 Source: mariadb-10.0 Binary: libmariadbd-dev mariadb-common mariadb-client-core-10.0 mariadb-client-10.0 mariadb-server-core-10.0 mariadb-test-10.0 mariadb-server-10.0 mariadb-server mariadb-client

[SECURITY] [DLA 1406-1] firefox-esr security update

2018-06-29 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: firefox-esr Version: 52.9.0esr-1~deb8u1 CVE ID : CVE-2018-5156 CVE-2018-5188 CVE-2018-12359 CVE-2018-12360 CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366

[SECURITY] [DLA 1405-1] libgcrypt20 security update

2018-06-29 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Package: libgcrypt20 Version: 1.6.3-2+deb8u5 CVE ID : CVE-2018-0495 It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys. For Debian 8 "Jessie", these problems

Accepted libgcrypt20 1.6.3-2+deb8u5 (source all amd64) into oldstable

2018-06-29 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Fri, 22 Jun 2018 11:35:48 +0200 Source: libgcrypt20 Binary: libgcrypt20-doc libgcrypt20-dev libgcrypt20-dbg libgcrypt20 libgcrypt20-udeb libgcrypt11-dev Architecture: source all amd64 Version: 1.6.3-2+deb8u5 Distribution:

Re: mercurial new test packages

2018-06-29 Thread Chris Lamb
Antoine, > >> I am not sure why the test suite fails nor why the output varies from > >> one build to the next. Once a package is built, however, it passes the > >> test suite reliably. […] > Sure. I guess I see this from the perspective of "does the actual fix > work or not" as well. ;) Sorry