On 30.03.2015 14:46, Raphael Hertzog wrote:
[...]
> No it's correct, the last CVE issue was mis-assigned to that package. That
> said there are other java packages in need of some love.
>
> For example commons-httpclient has been waiting for months:
> https://security-tracker.debian.org/tracker/source-package/commons-httpclient
Yes, I saw that. I think the severity should have been serious right from the start. Last week I prepared a patch for commons-httpclient [1] and I am confident it fixes CVE-2012-6153 and CVE-2014-3577. However, I struggle with finding a test case which verifies that the patch really addresses the issue. I will try to contact upstream and ask them for support.

Cheers,
Markus

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086#50