On Mon, 22 Sep 2014, Emmanuel Bourg wrote:
> GlassFish is an important package for the Java ecosystem as it provides
> JavaEE specification APIs used to build many other packages.
> The CVEs reported are most likely related to the complete application
> server which is almost unused in Debian (the glassfish-appserv package
> has a low popcon and no reverse dependencies). Removing this package
> should address the security concerns (yet, the package contains no init
> script to run it as a daemon, so the risk is already zero since nobody
> can use it).
This looks like a possible compromise (although the lack of init script
doesn't mean that nobody can use it, it's always possible to start it from
a custom script).
Can you verify the 3 open CVEs and confirm that they only concern
glassfish-appserv? There's almost no information, but it says
once "Unspecified vulnerability in the CORBA ORB component in Sun
GlassFish Enterprise Server 2.1.1" and "Unspecified vulnerability in
the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1".
For Squeeze LTS, we can't really remove a single binary package with an
update since the update lives in its own squeeze-lts repository and this
would not remove the package in the main "squeeze" repo. Christoph, is it
possible to mark only a single binary package as unsupported?
For Jessie/Sid, it still seems a pretty bad idea to release with such
an outdated package. Do you have plans to update it?
Raphaël Hertzog ◈ Debian Developer
Discover the Debian Administrator's Handbook:
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.