<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style></head><body lang=NL link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hi Ubuntu Devel list,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I don’t really know where to ask this question so I’m emailing you guys hoping that you can help point me in the right direction.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>We’ve recently had a security audit done on one of our business applications and one of the issues discovered was that the Ubuntu tomcat7 package that we were using contained several exploits. I did some checking and it appears that Apache has already implemented all these fixes in the official tomcat7 package but they do not appear to be backported in the tomcat 7 precise package that is currently available.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>It appears that the last security / bugfix update on the precise package was the first of April 2013.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>In particular our application was found vulnerable to the following CVEs: </span><strong><span lang=EN-US style='font-size:10.0pt;font-family:"Open Sans";color:black'>Important: Session fixation</span></strong><span class=apple-converted-space><span lang=EN-US style='font-size:10.0pt;font-family:"Open Sans";color:black'> </span></span><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067"><span lang=EN-US style='font-size:10.0pt;font-family:"Open Sans"'>CVE-2013-2067</span></a><span lang=EN-US> / </span><strong><span lang=EN-US style='font-size:10.0pt;font-family:"Open Sans";color:black'>Information disclosure</span></strong><span class=apple-converted-space><span lang=EN-US style='font-size:10.0pt;font-family:"Open Sans";color:black'> </span></span><a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286"><span lang=EN-US style='font-size:10.0pt;font-family:"Open Sans"'>CVE-2013-4286</span></a> <span lang=EN-US>which can also be found on the Apache website: <a href="http://tomcat.apache.org/security-7.html">http://tomcat.apache.org/security-7.html</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Are there any plans to update the current Ubuntu Tomcat 7 precise package to contain all the latest vulnerability fixes? If so could any of you give me a clue as to what the timeline would be for this update?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Thanks in advance.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>V. Schurink<o:p></o:p></span></p></div></body></html>