On 08/23/2014 04:28 AM, Henri Salo wrote:
> Package: mojarra
> Version: 2.0.3-3
> Severity: critical
> Tags: security
>
> Please remove the mojarra source package from Debian as it has been unmaintained and
> contains several unfixed security vulnerabilities with no replies from the maintainer.
>
> https://packages.debian.org/source/sid/mojarra
> http://packages.qa.debian.org/m/mojarra.html
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mojarra
>
> CVE-2012-2672: https://bugs.debian.org/677194 Jun 2012
> CVE-2013-5855: https://bugs.debian.org/740586 Mar 2014
>
> Moritz commented on this in private email:
>
> """
> Unmaintained packages should be removed, but spring build-depends on
> one of the libs from mojarra:
>
> jmm@pisco:~$ build-rdeps libjsf-api-java
> Reverse Build-depends in main:
> ------------------------------
>
> libspring-java
>
> So it needs to be checked whether that can be dropped from Spring.
> """
>
> If the maintainer shows some activity I could help to get these issues fixed.
>
> ---
> Henri Salo
Hi Henri,

I'm not claiming that we shouldn't consider removing this, but we should be aware that there will be a considerable cascade effect from this. Without mojarra in the archive, src:libspring-java will not build, and taking a look at just one of the libspring-java binary packages, we see:

$ reverse-depends -b libspring-web-java
Reverse-Build-Depends-Indep
===========================
* acegi-security
* activemq
* jenkins
* libshib-common-java
* libxbean-java
* mule
* red5
* tiles

Reverse-Build-Depends
=====================
* jasypt
* libspring-security-2.0-java
* libspring-webflow-2.0-java

Now, let's see what happens with libxbean-java:

$ reverse-depends -b libxbean-java
Reverse-Build-Depends-Indep
===========================
* activemq
* maven-plugin-tools
* plexus-containers
* plexus-containers1.5

As you continue to pull the thread (try plexus-containers), the cascade widens. All of those would become FTBFS and thus should also be removed. (And maybe that's the "right" thing to do - we need to talk about how much can be reasonably supported by the Java Team.)

My request would be that we revisit this bug in a week's time (after DebConf). DC14 will be the first time for some members of the Java Team to meet face-to-face and discuss the state of team maintenance.

Zooming back down to the specific issue at hand, we may be able to resolve the current CVEs quickly with an upload of mojarra 2.2.8. Packaging help is always welcome.

Thank you,
tony
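The "pull the thread" step in the reply above can be automated: query reverse build-depends, map each affected source package to the binaries it builds, and repeat until no new source appears. The script below is an added example, not code from this bug thread or from the Debian Java Team. It parses the text shape that `reverse-depends -b` prints, as quoted in the reply, and walks it to a fixed point. The STUB_OUTPUT and STUB_BINARIES tables are constructed from the package names in the mail so the script runs offline; the source-to-binaries mapping in particular is an assumption for the stub (libspring-java builds more binaries than the one listed), and a real run would replace the stub lookup with `run_reverse_depends` and the mapping with archive data.

```python
"""Walk the reverse-build-dependency cascade caused by removing a package.

Added example; not from the Debian bug thread.  Parses the text that
`reverse-depends -b <binary>` (ubuntu-dev-tools) prints, in the shape
quoted in the thread, and repeats the query until the set of affected
source packages stops growing.  STUB_* data is constructed from the
packages named in the mail so this runs offline.
"""
import re
import subprocess
from collections import deque

# Constructed stub of `reverse-depends -b` output, keyed by binary package.
# (The mail used build-rdeps for libjsf-api-java; the stub reuses the
# reverse-depends shape for all three so one parser covers them.)
STUB_OUTPUT = {
    "libjsf-api-java": """Reverse-Build-Depends
=====================
* libspring-java
""",
    "libspring-web-java": """Reverse-Build-Depends-Indep
===========================
* acegi-security
* activemq
* jenkins
* libshib-common-java
* libxbean-java
* mule
* red5
* tiles

Reverse-Build-Depends
=====================
* jasypt
* libspring-security-2.0-java
* libspring-webflow-2.0-java
""",
    "libxbean-java": """Reverse-Build-Depends-Indep
===========================
* activemq
* maven-plugin-tools
* plexus-containers
* plexus-containers1.5
""",
}

# Assumed source -> binaries mapping for the stub only; real archive data
# differs (libspring-java builds several binaries, one is used here).
STUB_BINARIES = {
    "libspring-java": ["libspring-web-java"],
    "libxbean-java": ["libxbean-java"],
}

HEADING_RE = re.compile(r"^Reverse-Build-Depends(?:-Indep)?$")


def parse_reverse_depends(text):
    """Return the source packages listed under any Reverse-Build-Depends* heading."""
    sources = set()
    in_build_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue                      # blank line or '====' underline
        if HEADING_RE.match(line):
            in_build_section = True
            continue
        if line.startswith("* "):
            if in_build_section:
                sources.add(line[2:].strip())
            continue
        in_build_section = False          # some other heading, e.g. Reverse-Depends
    return sources


def run_reverse_depends(binary):
    """Query the real tool (ubuntu-dev-tools); not called by the offline run."""
    proc = subprocess.run(["reverse-depends", "-b", binary],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def removal_cascade(seed_binaries, lookup, binaries_of):
    """Breadth-first closure: every source package that would FTBFS.

    lookup(binary) -> reverse-depends text for that binary;
    binaries_of(source) -> binaries the source builds, so the walk can
    continue one level down.
    """
    affected = set()
    seen = set(seed_binaries)
    queue = deque(seed_binaries)
    while queue:
        binary = queue.popleft()
        for source in parse_reverse_depends(lookup(binary)):
            if source in affected:
                continue
            affected.add(source)
            for child in binaries_of(source):
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
    return affected


def cascade_from_stub(seed="libjsf-api-java"):
    """Run the walk over the constructed stub data."""
    return removal_cascade([seed],
                           lambda b: STUB_OUTPUT.get(b, ""),
                           lambda s: STUB_BINARIES.get(s, []))


if __name__ == "__main__":
    for source in sorted(cascade_from_stub()):
        print(source)
```

Over the stub data the walk from libjsf-api-java reaches fifteen source packages, which is the cascade the reply describes; on a real archive the count grows with every level because each affected source contributes all of its binaries, not the single one assumed here.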
--
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.