Hi Raphael, I think this is a trivial update, the version of Axis hasn't changed since Squeeze and it should be as simple as dropping the CVE-2014-3596 patch from axis/1.4-22 into the version 1.4-12 currently in Squeeze (it also addresses CVE-2012-5784).
Emmanuel Bourg Le 18/02/2015 18:03, Raphael Hertzog a écrit : > Hello dear maintainer(s), > > the Debian LTS team would like to fix the security issues which are > currently open in the Squeeze version of your package: > https://security-tracker.debian.org/tracker/CVE-2014-3596 > https://security-tracker.debian.org/tracker/CVE-2012-5784 > > Would you like to take care of this yourself? It's probably not > too complicated since a Wheezy update happened a few months ago > and that it's the same upstream version in both releases. > > If yes, please follow the workflow we have defined here: > http://wiki.debian.org/LTS/Development > > If that workflow is a burden to you, feel free to just prepare an > updated source package and send it to debian-...@lists.debian.org > (via a debdiff, or with an URL pointing to the the source package, > or even with a pointer to your packaging repository), and the members > of the LTS team will take care of the rest. Indicate clearly whether you > have tested the updated package or not. > > If you don't want to take care of this update, it's not a problem, we > will do our best with your package. Just let us know whether you would > like to review and/or test the updated package before it gets released. > > Thank you very much. > > Raphaël Hertzog, > on behalf of the Debian LTS team. > > PS: A member of the LTS team might start working on this update at > any point in time. You can verify whether someone is registered > on this update in this file: > https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup > __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.