Package: mojarra
Version: 2.0.3-3
Severity: critical
Tags: security

Please remove mojarra source package from Debian as it has been unmaintained and
contains several unfixed security vulnerabilities with no replies from
maintainer.

https://packages.debian.org/source/sid/mojarra
http://packages.qa.debian.org/m/mojarra.html
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mojarra

CVE-2012-2672: https://bugs.debian.org/677194 Jun 2012
CVE-2013-5855: https://bugs.debian.org/740586 Mar 2014

Moritz commented to this in private email:

"""
Unmaintained packages should be removed, but spring build-depends on
one of the libs from mojarra:

jmm@pisco:~$ build-rdeps libjsf-api-java
Reverse Build-depends in main:
------------------------------

libspring-java

So it needs to be checked whether that can be dropped from Spring.
"""

If maintainer shows some activity I could help to get these issues fixed.

---
Henri Salo

Attachment: signature.asc
Description: Digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to