Thanks for your work on this! I have some comments though:
* the patches have DEP-3 comments (great!) but they point to a web page. I 
think it would be much better to include that URL in the description, then use 
an Origin stanza for the commits, and 'Bug: <url to upstream bug>'. If you are 
backporting patches, you should use 'Origin: backport, <commit url>' and the 
description should discuss your backporting. This will greatly speed up 
sponsoring, especially for non-trivial patchsets like this one.
* looking at the patch commits most of them seem fine, but could you explain 
CVE-2012-0022.patch and CVE-2012-3439.patch a bit more?

You also didn't note the testing performed. I recalled that tomcat7 has a 
testsuite but that it wasn't enabled in the build in Ubuntu 11.10 and 12.04 
LTS. After applying your patches, I ran the testsuite and it fails with:
test-compile:
    [mkdir] Created dir: /home/jamie/ubuntu/sbuild/tomcat7/oneiric/fix/tomcat7-7.0.21/output/testclasses
    [javac] Compiling 152 source files to /home/jamie/ubuntu/sbuild/tomcat7/oneiric/fix/tomcat7-7.0.21/output/testclasses
    [javac] /home/jamie/ubuntu/sbuild/tomcat7/oneiric/fix/tomcat7-7.0.21/test/org/apache/catalina/authenticator/TesterDigestAuthenticatorPerformance.java:263: cannot find symbol
    [javac] symbol  : method setCnonceCacheSize(int)
    [javac] location: class org.apache.catalina.authenticator.DigestAuthenticator
    [javac]         authenticator.setCnonceCacheSize(100);
    [javac]                      ^
    [javac] Note: Some input files use or override a deprecated API.
    [javac] Note: Recompile with -Xlint:deprecation for details.
    [javac] 1 error

BUILD FAILED


In an effort to make this easier to test going forward, I have created debdiffs 
for oneiric and precise (attached) that add a 'testsuite' target. In essence, 
you would:
1. apply your patches
2. as root in a chroot:
# apt-get build-dep tomcat7
# apt-get install junit4 libjstl1.1-java libjakarta-taglibs-standard-java
3. as a normal user in the same chroot:
$ debian/rules testsuite

See debian/README.source in my attached debdiff for details (and a known
testsuite failure).

NAK until the testsuite failures are addressed. As per our sponsoring
procedures, I am assigning you to the bug and unsubscribing
ubuntu-security-sponsors. Please resubscribe when you have updated debdiffs
that pass the testsuite. Thanks again for your work on this!

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3439
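The DEP-3 points raised in the first bullet (a Description, an Origin that names the commit rather than a web page, a Bug: line with the upstream bug URL, and notes on any backporting) can be checked mechanically before resubmitting. The following script is an added example, not part of the bug report or of the tomcat7 packaging; it parses the header block of a quilt patch and reports what is missing. The three sample patches are constructed and use placeholder URLs; the only real value in them is this report's Launchpad URL.

```python
"""Added example (not from the bug report): a small DEP-3 header checker.

It flags an Origin that points at a web page rather than a commit, a missing
Bug: field, and a backport whose Description does not discuss the adaptation.
The sample patches below are constructed and use placeholder URLs.
"""
import re
from typing import Dict, List

# Markers that suggest a URL identifies a specific commit rather than a page.
COMMIT_MARKERS = ("commit", "revision", "changeset", "rev=", "?r=")

# Constructed sample: Origin is a generic web page and there is no Bug: field.
PATCH_WEB_ORIGIN = """\
Description: Fix CVE-YYYY-NNNN (placeholder)
Origin: http://example.org/security/advisory.html
Author: Example Maintainer <maintainer@example.org>
---
--- a/java/org/example/Foo.java
+++ b/java/org/example/Foo.java
@@ -1 +1 @@
-old
+new
"""

# Constructed sample: backport declared, but nothing said about what was adapted.
PATCH_BACKPORT_NO_NOTES = """\
Description: Fix CVE-YYYY-NNNN (placeholder)
Origin: backport, http://example.org/upstream/commit/0123abcd
Bug: http://example.org/upstream/bugs/NNNN
---
"""

# Constructed sample that satisfies the reviewer's requests.
PATCH_GOOD = """\
Description: Fix CVE-YYYY-NNNN (placeholder)
 Backported from the upstream commit below. The second hunk was rewritten
 because the 7.0.21 tree does not yet have the helper the commit relies on.
 Advisory: http://example.org/security/advisory.html
Origin: backport, http://example.org/upstream/commit/0123abcd
Bug: http://example.org/upstream/bugs/NNNN
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1115053
---
"""


def parse_dep3(patch: str) -> Dict[str, str]:
    """Return the DEP-3 header fields (names lower-cased) that precede the diff.

    Continuation lines (leading whitespace) are appended to the previous field;
    the header ends at the first '---', 'diff ' or 'Index: ' line.
    """
    fields: Dict[str, str] = {}
    current = None
    for line in patch.splitlines():
        if line.startswith(("---", "diff ", "Index: ")):
            break
        if line[:1] in (" ", "\t") and current:
            fields[current] += "\n" + line.strip()
            continue
        match = re.match(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$", line)
        if match:
            current = match.group(1).lower()
            fields[current] = match.group(2).strip()
        else:
            current = None
    return fields


def check_dep3(patch: str) -> List[str]:
    """Return review findings for one patch; an empty list means it looks fine."""
    fields = parse_dep3(patch)
    findings: List[str] = []

    description = fields.get("description") or fields.get("subject") or ""
    if not description:
        findings.append("missing Description/Subject")

    origin = fields.get("origin", "")
    if not origin:
        findings.append("missing Origin")
    else:
        # DEP-3 form is "Origin: <category>, <url>"; the category is optional.
        kind, sep, url = (part.strip() for part in origin.partition(","))
        if not sep:
            kind, url = "", kind
        if not any(marker in url for marker in COMMIT_MARKERS):
            findings.append("Origin points at a web page, not a commit; "
                            "put the page URL in Description and cite the commit")
        if kind == "backport" and "\n" not in description:
            findings.append("backport without notes on what was adapted in Description")

    if not fields.get("bug"):
        findings.append("missing Bug: <url to upstream bug>")
    return findings


if __name__ == "__main__":
    for name, patch in (("web-origin", PATCH_WEB_ORIGIN),
                        ("backport-no-notes", PATCH_BACKPORT_NO_NOTES),
                        ("good", PATCH_GOOD)):
        print(name, check_dep3(patch) or "OK")
```

Run it over each file in debian/patches/ (read the file and pass its text to check_dep3) before uploading; an empty finding list for every patch is the state the sponsor is asking for. The commit-marker list is a heuristic, so a commit URL in an unusual form may need to be added to COMMIT_MARKERS.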

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1115053

Title:
  Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+subscriptions
