On 08/23/2014 04:28 AM, Henri Salo wrote:
> Package: mojarra
> Version: 2.0.3-3
> Severity: critical
> Tags: security
> 
> Please remove mojarra source package from Debian as it has been unmaintained 
> and
> contains several unfixed security vulnerabilities with no replies from
> maintainer.
> 
> https://packages.debian.org/source/sid/mojarra
> http://packages.qa.debian.org/m/mojarra.html
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mojarra
> 
> CVE-2012-2672: https://bugs.debian.org/677194 Jun 2012
> CVE-2013-5855: https://bugs.debian.org/740586 Mar 2014
> 
> Moritz commented to this in private email:
> 
> """
> Unmaintained packages should be removed, but spring build-depends on
> one of the libs from mojarra:
> 
> jmm@pisco:~$ build-rdeps libjsf-api-java
> Reverse Build-depends in main:
> ------------------------------
> 
> libspring-java
> 
> So it needs to be checked whether that can be dropped from Spring.
> """
> 
> If maintainer shows some activity I could help to get these issues fixed.
> 
> ---
> Henri Salo

Hi Henri,

I'm not claiming that we shouldn't consider removing this, but we should
be aware that there will be a considerable cascade effect from this.
Without mojarra in the archive, src:libspring-java will not build, and
taking a look at just one of the libspring-java binary packages, we see:

$ reverse-depends -b libspring-web-java
Reverse-Build-Depends-Indep
===========================
* acegi-security
* activemq
* jenkins
* libshib-common-java
* libxbean-java
* mule
* red5
* tiles

Reverse-Build-Depends
=====================
* jasypt
* libspring-security-2.0-java
* libspring-webflow-2.0-java

Now, let's see what happens with libxbean-java:

$ reverse-depends -b libxbean-java
Reverse-Build-Depends-Indep
===========================
* activemq
* maven-plugin-tools
* plexus-containers
* plexus-containers1.5

As you continue to pull the thread (try plexus-containers), the cascade
widens.  All of those would become FTBFS and thus should also be
removed.  (And maybe that's the "right" thing to do - we need to talk
about how much can be reasonably supported by the Java Team.)

My request would be that we give this revisit this bug in a week's time
(after DebConf).  DC14 will be the first time for some members of the
Java Team to meet face-to-face and get to discuss the state of team
maintenance.

Zooming back down to the specific issue at hand, we may be able to
resolve the current CVEs quickly with an upload of mojarra 2.2.8.

Packaging help is always welcome.

Thank you,
tony

Attachment: signature.asc
Description: OpenPGP digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to