On Mon, Mar 01, 2021 at 10:54:31AM +0100, Salvatore Bonaccorso wrote:
> Hi Emmanuel,
>
> On Sat, May 30, 2020 at 02:50:32PM +0200, Emmanuel Bourg wrote:
> > Control: severity -1 important
> >
> > On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote:
> >
> > > The following vulnerability was published for jodd. I'm filing it as RC severity since although one might dispute the severity for the issue itself, it looks that in Debian there was ever only one upload of jodd, and there are no reverse (build) dependencies either.
> > >
> > > Is the package actually of some use or planned use?
> >
> > Thank you for the report Salvatore.
> >
> > jodd is a new dependency of JMeter 3, I haven't finished the packaging yet.
> >
> > Note that the fix for CVE-2018-21234 merely adds an optional whitelisting feature to check the classes being deserialized. But the default behavior is still the same (no check), so the charge of addressing the vulnerability is actually shifted to the applications using jodd.
>
> Back when we lowered the severity this above was the reasoning, but jmeter 3 is not in bullseye.
>
> So should we remove src:jodd to at least not be included in bullseye? According to dak this is no problem to do:
>
> carnil@coccia:~$ dak rm --suite=testing -n -R jodd
> Will remove the following packages from testing:
>
> jodd | 3.8.6-1.1 | source
> libjodd-java | 3.8.6-1.1 | all
>
> Maintainer: Debian Java Maintainers
> <pkg-java-maintain...@lists.alioth.debian.org>
>
> ------------------- Reason -------------------
>
> ----------------------------------------------
>
> Checking reverse dependencies...
> No dependency problem found.
>
> carnil@coccia:~$
Hi Emmanuel, let's remove jodd from bullseye until it gets actually used, ok? I can file an RM bug with the release team.

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.