ELTS report March 2024
======================

1. ELA-1071-1. Issued a security update for tomcat8 fixing 2 CVE in Stretch. I triaged CVE-2024-21733 as postponed because the error reporting problem is of minor importance and failing tests indicate that the patch may break existing setups.

2. ELA-1076-1. Issued a security update for tomcat8 fixing 2 CVE in Jessie. I triaged CVE-2024-21733 as postponed because the error reporting problem is of minor importance and failing tests indicate that the patch may break existing setups.

3. ELA-1077-1. Issued a security update for tomcat7 fixing 2 CVE in Jessie. Similar to tomcat8 I marked CVE-2024-21733 as postponed until we have determined the root cause of the failing tests.

4. I reviewed all currently ignored or postponed CVE for jetty9 in Stretch. I clarified that CVE-2023-36479 and CVE-2022-2047 are ignored rather than postponed. The former is a very specific vulnerability related to Jetty's CGI capabilities. It is recommended to use the preferred Fast CGI instead. CVE-2022-2047 is a minor issue which also can be worked around programmatically.