On Thu, Dec 06, 2012 at 10:23:17PM -0800, tony mancill wrote:
> On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
> > Package: tomcat6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > More Tomcat security issues have been disclosed:
> > http://tomcat.apache.org/security-6.html
> >
> > The page contains links to the upstream fixes.
> >
> > BTW, is there a specific reason why both tomcat6 and tomcat7 are present in
> > Wheezy? This will duplicate all efforts for security updates in Wheezy.
>
> Hi Moritz,
>
> I have an updated package that includes the patches for these 3 CVEs and
> am doing some smoke-testing now. But before I upload, I have a question
> about what is permissible to include in the upload. I'd like to rename
> the patches that were included in the 6.0.35-5+nmu1 upload so they
> follow the same naming convention as the other patches in the package
> and include the origin patch header. (As you point out, after all,
> we'll be supporting this package for a long time to come.) Also, I'd
> like to "quilt refresh" the patches in the package, as they're getting a
> bit fuzzy. So, no substantive or real packaging changes, but the
> interdiff will be a bit larger. Is that okay, or should I upload with
> only the new patches for the CVEs applied?
Release managers are busy enough already, so please keep it as minimal as possible.

> Regarding tomcat6 and tomcat7, although they are certainly related, they
> implement different versions of the servlet and JSP specifications [1],
> and there are a number of organizations still running applications
> developed for/tested on tomcat6 in production. There is a migration
> guide for going from 6.x to 7.x that must be taken into consideration [2].
>
> But specifically for Debian, there are still a number of packages in
> wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java.
> According to popcon, tomcat6 is about 5x more popular than tomcat7, and
> libservlet2.5 is quite popular indeed [3,4].

Ok, but tomcat6 should be removed for jessie, then.

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.