On Sun, 02 Nov 2014 23:38:30 +0100 Emmanuel Bourg <ebo...@apache.org> wrote:
> libhibernate-validator-java is only used as a build dependency of
> libhibernate3-java. No package depends on it at runtime, so the risk of
> being affected by this vulnerability is rather low, if not zero.
Thank you for this information, but it's not really a satisfactory answer.
We can't knowingly ship libraries with serious security issues. It's not
the first time I have seen that kind of answer from the Java team. Please
at least package new upstream versions with the appropriate security fixes.
I can understand that backporting security patches might be difficult, but
packaging new upstream versions is the basis of our work in Debian. We
can't stay with outdated versions and known vulnerabilities forever.
Please send a call for help on debian-devel(-announce) if you are not able
to do the basic work of keeping your packages up-to-date. Then the
publicity team might relay your message further... and maybe you'll find
some supplementary volunteers.
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.