On Mon, May 14, 2012 at 12:13:50AM +0200, Damien Raude-Morvan wrote:
>Le dimanche 13 mai 2012 18:54:38, Steve McIntyre a Ã©crit :
>> >Sadly, no :/ I must admit that Oracle does not publish details of its
>> >fixes so it's hard to confirm firmly what's component is exactly
>> >I'll try to revive my contact @Oracle to get some feedback on this
>> >issue (on future security issues).
>> Any news on this?
>I'll just start by restating my initial comment on both issues :
>We don't build any real "Glassfish Server" but just some parts of API
>library used as Java EE specifications. As for any specification, this is just
>collection of interfaces and don't have much more implementations than dumb or
>So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
OK, fair enough.
>But I cannot be 100% sure since :
>- Upstream bugtracker  doesn't contains ref to those security issues
>- My Oracle contact (GlassFish community manager) only told me that
>"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1
>for paying customers). The fix is in the trunk and will be integrated in the
>3.1.2 release scheduled for later this quarter"
>I don't think I'll do further investigation on those issues...
>At least, there is one instructing thing : we have to think twice before
>integrating of a full blown Glassfish JEE server (ie. not just API) into
>as from my point of view Glassfish Security is not handled as an open source
Yes, I'd have to agree with that. :-(
If you're *reasonably* confident that we're not affected by those
CVE issues, is it worth maybe dropping the severity of the Debian bugs
Steve McIntyre, Cambridge, UK. st...@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.