Hi Markus,

Thanks for looking into the issue.

On Sun, Jan 22, 2017 at 09:28:31PM +0100, Markus Koschany wrote:
> On Fri, 20 Jan 2017 21:34:16 +0100 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > Source: netbeans
> > Version: 8.1+dfsg3-1
> > Severity: important
> > Tags: security upstream fixed-upstream
> > Control: fixed -1 8.2+dfsg1-1
> >
> > Hi,
> >
> > the following vulnerability was published for netbeans.
> >
> > CVE-2016-5537[0]:
>
> Hi,
>
> I must admit I have no idea how to fix this in 8.1 because I cannot find
> any information about what specific part of Netbeans is affected and
> whether a minimal patch exists. It is also not clear if 8.2 in
> experimental is affected or not because I had to replace several modules
> with the ones shipped in 8.1 otherwise the package won't even compile.

I agree, upstream has not really provided any useful information, and we
have somehow to trust Oracle here, that 8.2 contains the fix. I'm
confident, since the 8.2 version now gives a warning if you try to import
a project from a zip file containing members with "../". But I was unable
to determine the exact code change.

I'm not sure about the options.

1/ try to determine the required changes and backport them to 8.1,
   ideally, but seems a bit hard.
2/ live with the issue, and once stretch is a stable release mark it as
   no-dsa as well there.
3/ Ask release team if having 8.2+dfsg1-1 in stretch, but I guess that
   unblock is not feasible anymore now.
4/ something missing?

Regards, and sorry for not being more helpful here,
Salvatore
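The behaviour described above (refusing to import a project archive whose members contain "../") is a generic archive path-traversal check. The following is an added example, not NetBeans code and not part of this bug report; it is written in Python rather than Java so that it can be run and checked stand-alone, and the archive contents are constructed here for illustration. The check resolves each member name under the destination directory and rejects anything that ends up outside it, which also covers absolute names and nested "a/../../b" forms rather than only a literal leading "../".

```python
import io
import os
import posixpath
import zipfile


def is_unsafe_member(name: str, dest: str) -> bool:
    """Return True if a zip member name would resolve outside dest.

    Resolves the member the way an extractor would (joining it under
    dest and normalising), then checks the result is still under dest.
    Absolute names and drive letters are rejected as well.
    """
    # Zip names use '/' separators; normalise backslashes defensively.
    normalised = name.replace("\\", "/")
    if posixpath.isabs(normalised) or os.path.splitdrive(normalised)[0]:
        return True
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *normalised.split("/")))
    return os.path.commonpath([dest_real, target]) != dest_real


def find_unsafe_members(zip_bytes: bytes, dest: str) -> list:
    """List every member of the archive that is_unsafe_member rejects."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_unsafe_member(n, dest)]


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only if no member escapes dest; return the extracted names.

    Raises ValueError naming the offending members instead of writing
    anything, i.e. warn and refuse rather than silently skip entries.
    """
    unsafe = find_unsafe_members(zip_bytes, dest)
    if unsafe:
        raise ValueError("refusing to import, unsafe members: %r" % unsafe)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_zip(members: dict) -> bytes:
    """Constructed test archive: {name: content} written in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (hypothetical project layout): one ordinary archive,
# and one containing traversal members of the kind the 8.2 warning catches.
GOOD_ZIP = build_sample_zip({
    "myproject/build.xml": "<project/>",
    "myproject/src/Main.java": "class Main {}",
})
BAD_ZIP = build_sample_zip({
    "myproject/build.xml": "<project/>",
    "../outside.txt": "escaped",
    "myproject/../../also_outside.txt": "escaped",
})

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print("good archive, unsafe members:", find_unsafe_members(GOOD_ZIP, d))
        print("bad archive, unsafe members:", find_unsafe_members(BAD_ZIP, d))
```

The check is done on the resolved path, not on the presence of the substring "../", because a name such as "myproject/../../x" escapes just as well while a name like "docs/..notes" does not.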