Your message dated Tue, 3 Jul 2012 23:02:45 +0200
with message-id <[email protected]>
and subject line Re: CVE-2010-4438 / CVE-2011-5035
has caused the Debian Bug report #653964,
regarding glassfish predictable hash collisions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
653964: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653964
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: glassfish
Severity: serious
Tags: security

Hi,

It was reported that Glassfish is affected by the predictable hash collisions 
attack that made its rounds around the net this week. This is tracked at
http://security-tracker.debian.org/tracker/CVE-2011-5035

Can you ensure that fixed packages are uploaded to sid as soon as possible,
and assess whether a fix for lenny and squeeze would be necessary?

Cheers,
Thijs


--- End Message ---
--- Begin Message ---
On Mon, May 14, 2012 at 03:50:30PM +0100, Steve McIntyre wrote:
> >- Upstream bugtracker [1] doesn't contain refs to those security issues
> >- My Oracle contact (GlassFish community manager) only told me that 
> >"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1 
> >for paying customers). The fix is in the trunk and will be integrated in the 
> >3.1.2 release scheduled for later this quarter"
> >
> >I don't think I'll do further investigation on those issues...
> >At least, there is one instructive thing: we have to think twice before
> >integrating a full-blown Glassfish JEE server (i.e. not just the API) into
> >Debian,
> >as from my point of view Glassfish security is not handled as open source
> >should be.
> 
> Yes, I'd have to agree with that. :-(
> 
> If you're *reasonably* confident that we're not affected by those
> CVE issues, is it worth maybe dropping the severity of the Debian bugs
> from serious?

I'm closing the bug. Even if that issue should affect Debian against all odds,
it will be fixed when the generic hash collision countermeasures are integrated
in openjdk-7 (which will very likely be part of Wheezy at least).

Cheers,
        Moritz


--- End Message ---
