On 23.01.2017 07:23, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> Thanks for looking into the issue.
[...]
> I agree, upstream has not really provided any useful information, and
> we have somehow to trust Oracle here, that 8.2 contains the fix. I'm
> confident, since the 8.2 version gives now a warning, if you try to
> import a project from a zip file containing members with "../". But I
> was unable to determine the exact code change.
> 
> I'm not sure about the options.
> 
> 1/ try to determine the required changes and backport them to 8.1
> ideally, but seems a bit hard.
> 2/ live with the issue, and once stretch is a stable release mark it
> as no-dsa as well there.
> 3/ Ask release team if having 8.2+dfsg1-1 in stretch, but I guess that
> unblock is not feasible anymore now.
> 4/ something missing?
> 
> Regards, and sorry for not being more helpful here,
> Salvatore

Hi Salvatore,

definitely not your fault and thanks for reporting, much appreciated as
always.

At the moment I think I will mark it as no-dsa in Stretch, 8.2 isn't
ready for prime time yet but in the future it will eventually close this
bug report. Of course if someone else can point me to the
commit/fix/patch I will try to get this into Stretch.

Regards,

Markus

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.
