On 23/09/2014 10:17, Raphael Hertzog wrote:
> This looks like a possible compromise (although the lack of init script
> doesn't mean that nobody can use it, it's always possible to start it from
> a custom script).

OK, I'll drop the glassfish-appserv package in the next upload. I agree it may be possible to start it manually, but I don't think someone really installed an incomplete package of an outdated application server and tweaked it manually for hours instead of simply downloading a fully functioning and updated version from the upstream website.

> Can you verify the 3 open CVE and confirm that they only concern
> glassfish-appserv? There's almost no information but it says
> once "Unspecified vulnerability in the CORBA ORB component in Sun
> GlassFish Enterprise Server 2.1.1" and "Unspecified vulnerability in
> the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1".

After running a quick grep I confirm the corba stuff is limited to the appserv part.

As for the other packages:
- glassfish-activation: obsolete API now provided by the JDK, it's being phased out
- glassfish-mail: gradually replaced by the more recent javamail package
- glassfish-javaee: JavaEE spec APIs, mostly interfaces without code
- glassfish-jmac-api: JSR 196 API, interfaces and beans without code
- glassfish-toplink-essentials: Object to relational DB mapping

Looking at the vulnerabilities:
- CVE-2013-5816 mentions an issue related to Metro which is the webservices layer of Glassfish. Webservices are only in the appserv part.
- CVE-2013-3827 is related to Java Server Faces, but I couldn't find any code related to JSF (grep -R 'import javax.faces')

> For Jessie/Sid, it still seems a pretty bad idea to release with such
> an outdated package. Do you have plans to update it?

I can get a look but I suspect this isn't a trivial task and it may require several new packages. For now we are mainly focused on removing tomcat6 which is going to be EOLed during the Jessie lifecycle. Since this is the most popular Java package I think we have to prioritize it over the other updates.

Emmanuel Bourg
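The per-package triage described above (grepping the source tree for the affected component's imports, as with `grep -R 'import javax.faces'`), as an added shell example that is not part of the thread. The source tree it scans is constructed inline; the subpackage names and import lines only mirror the discussion and are assumptions, not the real glassfish source.

```shell
#!/bin/sh
# Added example: scope a CVE to the binary packages that actually ship
# code from the affected component. Constructed input, not the glassfish tree.
set -e

# Build a small constructed source tree: only the appserv part references
# the CORBA ORB and Metro (com.sun.xml.ws); javaee and mail do not.
make_tree() {
  root="$1"
  mkdir -p "$root/appserv/src" "$root/javaee/src" "$root/mail/src"
  printf 'import org.omg.CORBA.ORB;\npublic class Orb {}\n' \
    > "$root/appserv/src/Orb.java"
  printf 'import com.sun.xml.ws.api.Component;\npublic class Ws {}\n' \
    > "$root/appserv/src/Ws.java"
  printf 'public interface Servlet {}\n' > "$root/javaee/src/Servlet.java"
  printf 'public class Session {}\n' > "$root/mail/src/Session.java"
}

# Print the top-level subpackages under $1 whose .java files import the
# package prefix $2 (fixed string). One name per line, sorted, empty if none.
affected_subpackages() {
  root="$1"; pattern="$2"
  grep -rlF --include='*.java' -- "import $pattern" "$root" 2>/dev/null \
    | sed "s|^$root/||" | cut -d/ -f1 | sort -u
}

# Report, for each component named in the thread, which subpackages carry it.
report() {
  root="$1"
  for component in org.omg.CORBA com.sun.xml.ws javax.faces; do
    hits=$(affected_subpackages "$root" "$component")
    echo "$component: ${hits:-<none>}"
  done
}
```

Run `make_tree` on a temporary directory and then `report` on it to see that CORBA and Metro map only to appserv while JSF maps to nothing, which is the conclusion the thread reaches.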