> Hi Andreas
> I've uploaded both packages to mentors.
> commons-httpclient -> bug #692442 CVE-2012-5783
> axis -> bug #692650 CVE-2012-5784
> Since axis uses commons-httpclient, we need to fix and upload both
> packages.
> Upstream has ignored axis patch, and rejected commons-httpclient patch.
> Basically, they say commons-httpclient is EOL and they don't want to
> spend time on it. They maybe would apply the patch to the SVN, but
> without revision and without releasing.

According to Red Hat, there is already an upstream patch for
httpclient, and it differs from yours in some ways:

Please coordinate with them on that fix.

> I've tested the patches and they work ok. So I think it's fine to
> upload.

Please coordinate the axis patch with Red Hat since they don't have a
solution in their bug tracker yet either.  They will review your work:

Best wishes,

This is the maintainer address of Debian's Java team
Please use
debian-j...@lists.debian.org for discussions and questions.
