Bugfixes and updates to tomcat9 package?

Asked by Evren Yurtesen


Do updates to this package come directly from upstream Debian? I am just wondering as there are a bunch of open bug reports and there does not seem to be any activity.


It seems like there are patches in the Debian package which were never included in the Ubuntu package, which was not updated after 2020. Is there an explanation of why this is happening? And is there a way to help out with updates of this package?


Best answer: Manfred Hampl (m-hampl) said :

Which Ubuntu release are you referring to?

If you look at https://launchpad.net/ubuntu/+source/tomcat9 you can see the version numbers of the tomcat9 packages in Ubuntu. For bionic and focal there is "ubuntu" in the version string, so those are packages with Ubuntu-originated modifications. Impish and jammy contain packages that directly come from Debian (without any Ubuntu-specific changes). The version in impish is the one which was current in Debian about half a year ago, at the time when impish was developed.

Furthermore the tomcat9 package in Ubuntu is in the "universe" category, so it is community-maintained.
Everybody including you is invited to prepare a debdiff with patches to fix the bugs.

Evren Yurtesen (eyurtese-g) said :

Hi Manfred, I meant "focal" in general. But there is one issue which affects "jammy" also (#1962493). This issue is not possible to resolve with a patch unfortunately.

Thank you for the information. It is quite handy to be able to identify modified packages by looking at the "ubuntu" in the version string. I have to admit, I still have lots of wiki pages to go through about this process. Sometimes it is hard to continue without being guided by a real person. So, thank you for responding. Earlier, I even was in the #ubuntu-motu channel on freenode and it is more or less deserted.

If you check the changelog files in my original message, there are already some patches from the Debian package imported before. Can't the rest simply be imported to the "ubuntu" package? I hope this was correct as I tried to make a sync request: https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1964987

Although the wiki (https://wiki.ubuntu.com/SyncRequestProcess) says this is not necessary if "our version of the package has no Ubuntu changes". In this case for example the tomcat9 package has no Ubuntu changes. So why was it not synced automatically?

Will it get synced? Or did I do something incorrect?

Manfred Hampl (m-hampl) said :

There seems to be a misunderstanding with respect to feature freeze and exceptions.
These apply only to the Ubuntu release in development (currently jammy) and not older releases like focal.
The correct word in that case is SRU - Stable Release Update, please see FAQ #3037: “no rolling release”.

Evren Yurtesen (eyurtese-g) said :

The FAQ seems to apply to version changes. It says: "Ubuntu is no rolling release. This means that package versions usually are not updated to higher versions than the one initially provided with a certain Ubuntu release.". It is confusing as what I suggested to sync was the same version. Focal has 9.0.31-1 and Buster security has 9.0.31-1.

What you seem to be suggesting is that after an Ubuntu release, packages are never synced from upstream even if they are the same versions (with extra patches). Therefore extra work must be done to submit the same patches to the Ubuntu release. If it is so, the FAQ could be improved perhaps.

While it seems somewhat redundant, it is not hard to copy the patches around. You said "Everybody including you is invited to prepare a debdiff with patches to fix the bugs." Is there a wiki entry with a small example?
I guess this might be the one which should be followed? https://packaging.ubuntu.com/html/fixing-a-bug.html#submitting-the-fix-and-getting-it-included

Manfred Hampl (m-hampl) said :

The FAQ was not written for your question, but for cases like "I am running an older Ubuntu release that has package xy version whatever and now there is a higher version available upstream". Nevertheless I linked it because the SRU and backport concepts are applicable also in this case.
Please note that the current version of tomcat9 in Ubuntu and the one in Debian differ. Even if the main version string is identical, this is a package update that is subject to the rules.
Caution: If I remember the sorting order correctly, then the Debian version number 9.0.31-1~deb10u6 is lower than the current Ubuntu version string 9.0.31-1ubuntu0.1!

Yes, you identified the packaging page that is relevant.
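
The sorting-order caution in the reply above can be checked mechanically. The following is an added example, not part of the thread and not dpkg's own code: a Python implementation of the version comparison rules from Debian Policy, applied to the version strings quoted in this thread (function names are illustrative).

```python
import functools
import re

def _weight(ch):
    """Sort weight of one character inside a non-digit run."""
    if ch == "~":
        return -1            # tilde sorts before everything, even end of string
    if ch == "":
        return 0             # end of string (or start of a digit run)
    return ord(ch) if ch.isalpha() else ord(ch) + 256   # letters before other symbols

def _compare_part(a, b):
    """Compare two upstream-version or revision strings; return -1, 0 or 1."""
    while a or b:
        # 1) leading non-digit runs, compared character by character
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            wa, wb = _weight(na[i:i + 1]), _weight(nb[i:i + 1])
            if wa != wb:
                return -1 if wa < wb else 1
        # 2) leading digit runs, compared as integers (empty run counts as 0)
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to or after v2."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _compare_part(u1, u2) or _compare_part(r1, r2)

# Version strings quoted in this thread, in arbitrary order.
VERSIONS = ["9.0.31-1ubuntu0.2", "9.0.31-1", "9.0.31-1ubuntu0.1", "9.0.31-1~deb10u6"]

def sort_versions(versions):
    """Return the versions in ascending package-manager order."""
    return sorted(versions, key=functools.cmp_to_key(compare_versions))

if __name__ == "__main__":
    print(sort_versions(VERSIONS))
```

On a Debian or Ubuntu system, `dpkg --compare-versions 9.0.31-1~deb10u6 lt 9.0.31-1ubuntu0.1` performs the same check with the packaging tool itself.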

Evren Yurtesen (eyurtese-g) said :

Hi Manfred,

Thanks for all the info, it has been very useful so far! I made a debdiff and attached it to a bug report related to missing security patches of the tomcat package.
I am not sure if everything is good or not there. It took a while to build the package and try.

The manual at:
says if marked as patch, Ubuntu Sponsors would be automatically added. But it does not seem to be added. I have manually added Ubuntu Security Sponsors. I do not know if they were alerted or not.

One more question, is the changelog formatting mentioned here:
a requirement? Because packages seem to have debian changelogs which are formatted differently up until freeze. I tried to obey the wiki instructions, but felt kind of silly to have two different formats in changelog?

Is there an easier (or more correct) way to get some feedback about my progress?


Manfred Hampl (m-hampl) said :

The debdiff looks good to me (maybe except the release name that probably should be focal-security). What I cannot judge is whether it works as desired (I am not running any tomcat servers myself).

I do not really understand your remark about changelog formatting.

Evren Yurtesen (eyurtese-g) said :

Thanks for checking the debdiff. Do you mean: "tomcat9 (9.0.31-1ubuntu0.2) UNRELEASED; urgency=medium" in changelog? I thought it was some automatic entry. I guess if it is accepted, somebody can fix it when patching? or ?

You brought up an interesting point. How do I know that somebody got the message and will test/accept/reject this debdiff? When should one start getting worried?

About changelog. As an example for entry of a patch which is both in Ubuntu and Debian package:

Debian changelog -> https://metadata.ftp-master.debian.org/changelogs//main/t/tomcat9/tomcat9_9.0.31-1~deb10u6_changelog

  * Fix CVE-2020-11996:
    A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could
    trigger high CPU usage for several seconds. If a sufficient number of such
    requests were made on concurrent HTTP/2 connections, the server could
    become unresponsive.

But same entry in Ubuntu changelog -> http://changelogs.ubuntu.com/changelogs/pool/universe/t/tomcat9/tomcat9_9.0.31-1ubuntu0.1/changelog

  * SECURITY UPDATE: HTTP/2 Denial of Service
    - debian/patches/CVE-2020-11996.patch: improve performance of closing
      idle HTTP/2 streams
    - CVE-2020-11996

Is it really required to re-format text when importing a patch from Debian? I was just wondering as the Ubuntu changelog before freeze and Debian changelog are exactly the same before the freeze. Also it felt quite time consuming :)

Manfred Hampl (m-hampl) said :

I am sorry, but my experience with bug fixing is very limited and I cannot answer your last questions in comment #8.

Evren Yurtesen (eyurtese-g) said :

Thanks Manfred Hampl, that solved my question.