tomcat7 precise package missing security fixes and/or updates

Robie Basak robie.basak at ubuntu.com
Tue Dec 9 15:23:21 UTC 2014


Hi Vincent,

On Tue, Dec 09, 2014 at 03:01:07PM +0100, Vincent schurink wrote:
> It appears that the last security / bugfix update on the precise package was
> the first of April 2013.
> 
> In particular our application was found vulnerable to the following CVEs:
> Important: Session fixation CVE-2013-2067
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067>
> Information disclosure CVE-2013-4286
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286>
> which can also be found on the apache website:
> http://tomcat.apache.org/security-7.html

Yes - the Ubuntu CVE tracker
(http://people.canonical.com/~ubuntu-security/cve/) agrees:

http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2067.html

http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4286.html

> Are there any plans to update the current Ubuntu Tomcat 7 precise package to
> contain all the latest vulnerability fixes? If so could any of you give me a
> clue as to what the timeline would be for this update?

Since tomcat7 in 12.04 is in universe, it is not looked after directly
by the Ubuntu security team. They will still review and accept fixes,
but only if somebody from the wider community provides an update. If
this is a concern to you, you should stick to using packages from main
only.

So: no plans, unless somebody provides appropriate debdiffs, in which
case they will be reviewed and uploaded if acceptable. See
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures and
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation for information
on how to provide an acceptable update and on having it sponsored.

HTH,

Robie
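One way to apply the main-vs-universe test from the reply above to your own hosts, as an added example that is not part of the thread and not Ubuntu tooling: it parses the output of `apt-cache policy <pkg>` and flags any package that is served from a component other than main. The policy output embedded below is constructed to look like a 12.04 host (version strings are illustrative), and the function names are mine.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from Ubuntu.
# Given `apt-cache policy <pkg>` output, report which archive component(s)
# (main/restricted/universe/multiverse) the package is served from. Per the
# reply above, only main is looked after directly by the Ubuntu security team;
# a package coming from universe gets fixes only if the community provides them.

# Read apt-cache policy output on stdin and print each distinct component.
# Archive source lines look like:
#   500 http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages
# The component is the part after "/" in the third field; the local
# "100 /var/lib/dpkg/status" line has no such field and is ignored.
policy_components() {
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /\// { split($3, p, "/"); print p[2] }' | sort -u
}

# Exit 0 when every archive source the package comes from is main,
# 1 otherwise (including when no archive source line is present at all,
# e.g. a package that is not installed and not in any configured index).
served_from_main_only() {
    comps=$(policy_components)
    [ -n "$comps" ] || return 1
    for c in $comps; do
        [ "$c" = "main" ] || return 1
    done
    return 0
}

# One-line verdict: $1 = package name, $2 = its apt-cache policy output.
report() {
    pkg=$1
    policy=$2
    comps=$(printf '%s\n' "$policy" | policy_components | tr '\n' ',' | sed 's/,$//')
    if printf '%s\n' "$policy" | served_from_main_only; then
        echo "$pkg: $comps (security team maintained)"
    else
        echo "$pkg: $comps (community supported; no security fix unless someone provides a debdiff)"
    fi
}

# Constructed sample output, shaped like `apt-cache policy tomcat7` on precise.
SAMPLE_TOMCAT7='tomcat7:
  Installed: 7.0.26-1ubuntu1.2
  Candidate: 7.0.26-1ubuntu1.2
  Version table:
 *** 7.0.26-1ubuntu1.2 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     7.0.26-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages'

# Constructed sample for a package in main, for contrast.
SAMPLE_OPENSSL='openssl:
  Installed: 1.0.1-4ubuntu5.20
  Candidate: 1.0.1-4ubuntu5.20
  Version table:
 *** 1.0.1-4ubuntu5.20 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1-4ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages'

report tomcat7 "$SAMPLE_TOMCAT7"
report openssl "$SAMPLE_OPENSSL"
```

On a real host, replace the embedded samples with `apt-cache policy "$pkg" | served_from_main_only` for each package you care about; a package that appears under more than one component (for example main in the release pocket but universe in a PPA) is reported as not main-only, which is the conservative answer.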