On Fri, Mar 06, 2020 at 03:17:09PM +0100, Andreas Tille wrote:
> On Fri, Mar 06, 2020 at 12:24:56AM +0100, Markus Koschany wrote:
> > Hi Andreas,
> >
> > On 05.03.20 at 09:34, Andreas Tille wrote:
> > > Hi,
> > >
> > > I was wondering whether there is a chance to get CVE-2020-1938 fixed in
> > > Tomcat8 in Stretch? If the chances are low possibly backporting Tomcat9
> > > to stretch-backports-sloppy would be a feasible way to go for me. What
> > > would you recommend?
> >
> > I intend to fix tomcat8 in Stretch soon. I hope to fix tomcat9 in Buster
> > too but wouldn't mind if someone beat me to it.
>
> I'd really welcome if you or anybody who might beat you would care for
> this. I'm pretty sure that I will not put my incompetent hands on it if
> I know you will do this in a foreseeable time frame.
>
> > Please note that the AJP connector is disabled by default in Debian and
> > one may argue that only those users who use it with untrusted services
> > (not recommended) are really affected.
>
> I've verified that this part of the configuration was not changed in our
> case. Thanks a lot for the helpful hint.
>
> Andreas.

Any news about the tomcat backport?

Kind regards

Andreas.

-- 
http://fam-tille.de
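
The configuration check discussed in the quoted exchange (is an AJP connector actually enabled, and is it reachable beyond loopback?) can be scripted. The following is an added example, not part of the original thread or of Debian's packaging; the sample `server.xml` contents are constructed, and it assumes a disabled connector is one that is commented out in the file.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples (not from a real host). Assumption: a disabled AJP
# connector is present only inside an XML comment.
SAMPLE_DEFAULT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""

SAMPLE_ENABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def active_ajp_connectors(server_xml):
    """Return (port, address, loopback_only) for each enabled AJP connector.

    ElementTree drops XML comments while parsing, so commented-out
    connectors never appear, unlike with a plain text search for "AJP".
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" and class names such as org.apache.coyote.ajp.*
        if not (proto.upper().startswith("AJP") or ".ajp." in proto.lower()):
            continue
        addr = conn.get("address")
        # Assumption: with no address attribute, an unpatched Tomcat listens
        # on all interfaces, so it is reported as not loopback-only.
        found.append((conn.get("port"), addr, addr in LOOPBACK))
    return found


if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass the path(s) of server.xml to inspect
        with open(path, encoding="utf-8") as fh:
            print(path, active_ajp_connectors(fh.read()))
```

An empty result means no AJP connector is enabled; any entry whose last field is `False` is a connector that may be reachable from other hosts and deserves attention until the fixed package is installed.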