Posted to users@tomcat.apache.org by Rhea Moubarak <Rh...@intm.fr> on 2022/07/08 09:53:33 UTC

Package TOMCAT 9.0.54 for Ubuntu 20.04

Hello,

I asked Ubuntu-devel-discuss if it's possible to integrate TOMCAT 9.0.54 in the official repositories of Ubuntu 20.04 as it helps fix major security issues on TOMCAT installations.

(https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2022-July/019297.html)

They responded with the following:

>> Hi Rhea,
>> but gladly this isn't plain 9.0.31.
>> There was a similar bug request [1] which got resolved a while ago in [2] and I think has solved all those security issues in the 9.0.31 version that is in Focal.
>>
>> On the other side there is the SRU policy [3] which prevents too big version jumps unless there is extra focus on stability and testing which needs further effort and dedication which for tomcat9 being only in universe isn't provided by anyone at the moment.
>>
>> [1]: https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911
>> [2]: https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.2
>> [3]: https://wiki.ubuntu.com/StableReleaseUpdates

Is it possible for anyone on your side to help with the stability and testing of version 9.0.54 to satisfy the SRU policy of Ubuntu?

Thank you in advance.

Regards,

Rhea


Re: Package TOMCAT 9.0.54 for Ubuntu 20.04

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rhea,

On 7/12/22 02:58, Rhea Moubarak wrote:
> This is the link to the bug we are facing:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=64195
> 
> Is it fixed in 9.0.31?

Do you mean "is it fixed in the latest Tomcat 9.0.31 package available 
from Ubuntu?"

I think you'd have to ask Ubuntu that.

You might be able to find it in the changelog:

$ apt-get changelog tomcat9

Which version of Ubuntu are you using?

By the way, the bug you reference was never fixed. It was marked as a 
duplicate of this one: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=64202 (which WAS fixed).

This was not flagged as a security bug. You originally asked about 
security bugs, but this one is not listed as a security fix. So it's 
unlikely to have been back-ported to the Ubuntu repository.

-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Package TOMCAT 9.0.54 for Ubuntu 20.04

Posted by Rhea Moubarak <Rh...@intm.fr>.
Hello,

This is the link to the bug we are facing: https://bz.apache.org/bugzilla/show_bug.cgi?id=64195

Is it fixed in 9.0.31?

Thank you for your help.

Best,
Rhea



Re: Package TOMCAT 9.0.54 for Ubuntu 20.04

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rhea,

On 7/8/22 05:53, Rhea Moubarak wrote:
> I asked Ubuntu-devel-discuss if it's possible to integrate TOMCAT 9.0.54 in the official repositories of Ubuntu 20.04 as it helps fix major security issues on TOMCAT installations.
>
> (https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2022-July/019297.html)
>
> They responded with the following:
>
> >> Hi Rhea,
> >> but gladly this isn't plain 9.0.31.
> >> There was a similar bug request [1] which got resolved a while ago in [2] and I think has solved all those security issues in the 9.0.31 version that is in Focal.
> >>
> >> On the other side there is the SRU policy [3] which prevents too big version jumps unless there is extra focus on stability and testing which needs further effort and dedication which for tomcat9 being only in universe isn't provided by anyone at the moment.
> >>
> >> [1]: https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911
> >> [2]: https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.2
> >> [3]: https://wiki.ubuntu.com/StableReleaseUpdates
>
> Is it possible for anyone on your side to help with the stability
> and testing of version 9.0.54 to satisfy the SRU policy of Ubuntu?

We are all volunteers. If you'd like to volunteer to assemble the 
information we'd need to fulfill such a "stability and testing" plan, we 
might be able to move forward.

The Debian and Ubuntu teams track this project and incorporate patches 
(which is how *those* projects work, not Apache Tomcat which releases 
new versions for security fixes) for security issues as appropriate.

Whatever is in 9.0.54 that you need might actually be available through 
the Ubuntu package repository under the package whose nominal version 
number appears to be "9.0.31". You should read the release notes of the 
package history to see what security items have been addressed in their 
latest version. You may find that apache-tomcat-9.0.31-ubuntu-rev48 (or 
whatever) addresses all of the reported CVEs between 9.0.31 and 9.0.54 
even if the version number hasn't changed.

If you have a security auditor who is looking at software version 
numbers instead of the effective security provided from the package, you 
may have to either switch auditors, or switch package 
managers/repositories to one which meets your auditor's requirements.

-chris
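
Added example (not part of the original thread): the changelog check suggested in the replies above (`apt-get changelog tomcat9`, reading the package history for addressed security items), as a script that lists which CVE ids each package revision mentions even though the upstream version stays at 9.0.31. The function names and the sample changelog are constructed for illustration; the CVE ids are placeholders, and only the revision string 9.0.31-1ubuntu0.2 comes from the thread.

```shell
# Constructed sample in Debian changelog format; the CVE ids are placeholders.
# On a real host, feed the functions from:  apt-get changelog tomcat9
sample_changelog() {
cat <<'EOF'
tomcat9 (9.0.31-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry one
    - debian/patches/CVE-0000-1111.patch: constructed description.
    - CVE-0000-1111
  * SECURITY UPDATE: constructed entry two (CVE-0000-2222)

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

tomcat9 (9.0.31-1) unstable; urgency=medium

  * New upstream version (constructed entry, no CVE ids)

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
}
# stdin: changelog. stdout: one "revision CVE-id" pair per line, de-duplicated.
cves_by_version() {
  awk '
    /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver); next }
    ver != "" {
      line = $0
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        id = substr(line, RSTART, RLENGTH)
        if (!seen[ver, id]++) print ver, id
        line = substr(line, RSTART + RLENGTH)
      }
    }'
}
# stdin: changelog, $1: CVE id. Prints revisions mentioning it; status 1 if none.
fixed_in() {
  cves_by_version | awk -v id="$1" '$2 == id { print $1; f = 1 } END { exit !f }'
}
# stdin: changelog, args: CVE ids an audit asks about. Status 1 if any is absent.
audit() {
  log=$(cat); missing=0
  for id in "$@"; do
    if ver=$(printf '%s\n' "$log" | fixed_in "$id"); then
      echo "$id: patched in $(printf '%s\n' "$ver" | head -n 1)"
    else
      echo "$id: not mentioned in changelog"; missing=1
    fi
  done
  return "$missing"
}
sample_changelog | audit CVE-0000-1111 CVE-0000-9999 || true
```

A CVE id that is absent from the changelog is not proof the package is vulnerable (the issue may not affect that build), so treat "not mentioned" as a prompt to check the distribution's security tracker.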
