Processed: Re: Bug#959937: tomcat9: update to tomcat9:amd64 9.0.31-1~deb10u1 breaks application

[Debian Bug Tracking System]

Processing control commands:

> severity -1 normal
Bug #959937 [tomcat9] tomcat9: update to tomcat9:amd64 9.0.31-1~deb10u1 breaks 
application
Severity set to 'normal' from 'grave'

-- 
959937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#959937: tomcat9: update to tomcat9:amd64 9.0.31-1~deb10u1 breaks application

[Markus Koschany]

Control: severity -1 normal

Am 07.05.20 um 17:58 schrieb Michael Meier:
[...]
> The application doesn't use ajp.
> 
> The sense of using unattended-upgrades and debian stable (no breaking
> changes on updates) is not to read each security announcement in before.
> 
> I'm not working in an area, where anybody would (be able to) pay for that.

It is not feasible to detect any possible incompatibility beforehand
because it heavily depends on the apps in use. Debian stable updates
work 99% of the time without major issues but there will never be a 100%
success rate because some problems are unrelated or simply not under
Debian control. Setting up a test server before deploying updates to a
production environment is the way to go here.

>> If that does not solve your problem, then we need more information about
>> your setup and configuration to debug the problem but note that we ship
>> the latest upstream version basically unmodified, so this would be most
>> likely an upstream bug.
> 
> I could trace it back to the zk library used:
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=64097
> 
> https://tracker.zkoss.org/browse/ZK-4510
> 
> That seems to be a really really weird bug. If I understand it
> correctly, it's the fault of zk, but I'm not 100% sure.
> 
> Anyway, as it seems if I manage to update the project to the new zk
> major version, it's supposed to work again.

Ok, as I previously thought, it is an upstream bug but not in Tomcat
itself but in el-api. Updating the zk library for your app might resolve
the issue. I wonder if we need to upgrade src:el-api in Debian too. I
think it is best when Emmanuel Bourg chimes in here.

Regards,

Markus



signature.asc
Description: OpenPGP digital signature

Bug#959937: tomcat9: update to tomcat9:amd64 9.0.31-1~deb10u1 breaks application

[Michael Meier]

On 07.05.20 06:31, Markus Koschany wrote:


Am 07.05.20 um 10:04 schrieb Michael Meier:

Package: tomcat9
Version: 9.0.16-4
Severity: grave
Justification: renders package unusable

I've just been called out of bed.
As it seems unattended-upgrades upgraded on a debian buster server
from:9.0.16-4 to 9.0.31-1~deb10u1
One of the installed webapps throws following error when trying to use it:

[https-openssl-nio-8443-exec-13] ERROR org.zkoss.zk.ui.metainfo.Property -
Failed to assign [value=${i18n:rt('Benutzername')}] to 
Unable to find ExpressionFactory of type: # Licensed to the Apache Software
Foundation (ASF) under one or more

Downgrading to 9.0.16-4 solves the issue.

Have you read the changelog or the Debian security announcement before
upgrading Tomcat 9 ? Does your application require the AJP protocol to
work? Then you probably need to slightly change your Tomcat
configuration. For more information please also refer to the official
documentation at

   https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html


The application doesn't use ajp.

The sense of using unattended-upgrades and debian stable (no breaking 
changes on updates) is not to read each security announcement in before.


I'm not working in an area, where anybody would (be able to) pay for that.



If that does not solve your problem, then we need more information about
your setup and configuration to debug the problem but note that we ship
the latest upstream version basically unmodified, so this would be most
likely an upstream bug.


I could trace it back to the zk library used:

https://bz.apache.org/bugzilla/show_bug.cgi?id=64097

https://tracker.zkoss.org/browse/ZK-4510

That seems to be a really really weird bug. If I understand it 
correctly, it's the fault of zk, but I'm not 100% sure.


Anyway, as it seems if I manage to update the project to the new zk 
major version, it's supposed to work again.

Bug#959937: tomcat9: update to tomcat9:amd64 9.0.31-1~deb10u1 breaks application

[Markus Koschany]

Am 07.05.20 um 10:04 schrieb Michael Meier:
> Package: tomcat9
> Version: 9.0.16-4
> Severity: grave
> Justification: renders package unusable
> 
> I've just been called out of bed.
> As it seems unattended-upgrades upgraded on a debian buster server
> from:9.0.16-4 to 9.0.31-1~deb10u1
> One of the installed webapps throws following error when trying to use it:
> 
> [https-openssl-nio-8443-exec-13] ERROR org.zkoss.zk.ui.metainfo.Property -
> Failed to assign [value=${i18n:rt('Benutzername')}] to 
> Unable to find ExpressionFactory of type: # Licensed to the Apache Software
> Foundation (ASF) under one or more
> 
> Downgrading to 9.0.16-4 solves the issue.

Have you read the changelog or the Debian security announcement before
upgrading Tomcat 9 ? Does your application require the AJP protocol to
work? Then you probably need to slightly change your Tomcat
configuration. For more information please also refer to the official
documentation at

  https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html


If that does not solve your problem, then we need more information about
your setup and configuration to debug the problem but note that we ship
the latest upstream version basically unmodified, so this would be most
likely an upstream bug.

Regards,

Markus Koschany



signature.asc
Description: OpenPGP digital signature

Bug#959937: tomcat9: update to tomcat9:amd64 9.0.31-1~deb10u1 breaks application

[Michael Meier]

Package: tomcat9
Version: 9.0.16-4
Severity: grave
Justification: renders package unusable

I've just been called out of bed.
As it seems unattended-upgrades upgraded on a debian buster server
from:9.0.16-4 to 9.0.31-1~deb10u1
One of the installed webapps throws following error when trying to use it:

[https-openssl-nio-8443-exec-13] ERROR org.zkoss.zk.ui.metainfo.Property -
Failed to assign [value=${i18n:rt('Benutzername')}] to 
Unable to find ExpressionFactory of type: # Licensed to the Apache Software
Foundation (ASF) under one or more

Downgrading to 9.0.16-4 solves the issue.



-- System Information:
Debian Release: 10.3
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (400, 'testing'), (300, 
'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.5.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tomcat9 depends on:
ii  lsb-base10.2019051400
ii  systemd 245.5-2~bpo10+1
ii  tomcat9-common  9.0.16-4
ii  ucf 3.0038+nmu1

Versions of packages tomcat9 recommends:
pn  libtcnative-1  

Versions of packages tomcat9 suggests:
pn  tomcat9-admin 
pn  tomcat9-docs  
pn  tomcat9-examples  
pn  tomcat9-user  

-- no debconf information