Hello, The packages glassfish-* shipped in all the version of Debian are version 2.1.1. The glassfish v2 open souce code hasn't received any updates since 2010, not even critical security updates. ( https://svn.java.net/svn/glassfish~svn/trunk/v2/ ) Only the Oracle Enterprise version is still maintained. Even if those are not the full server stack ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653964 ), they may contains security flaws. We just don't know, right?
The v3 version is very stable and actively maintained. I would consider shipping it instead of v2. Thanks, Benjamin Jaton
