On Apr/15, Markus Koschany wrote:
> I have prepared a patch for CVE-2014-3577 (commons-httpclient).  The
> patch is identical to the Jessie / Sid fix. Do you consider this
> vulnerability important enough for a DSA or do you prefer a point
> release update?
this issue was marked "no-dsa" some time ago (see
https://security-tracker.debian.org/tracker/CVE-2014-3577), so a
point-release update will be the way to go.
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.