Bug#853998: marked as done (CVE-2017-3250 / CVE-2017-3249 / CVE-2017-3247 / CVE-2016-5528 / CVE-2016-5519)

Fri, 03 Feb 2017 08:30:23 -0800 

Your message dated Fri, 3 Feb 2017 17:25:57 +0100
with message-id <[email protected]>
and subject line Re: Bug#853998: CVE-2017-3250 / CVE-2017-3249 / CVE-2017-3247 
/ CVE-2016-5528 / CVE-2016-5519
has caused the Debian Bug report #853998,
regarding CVE-2017-3250 / CVE-2017-3249 / CVE-2017-3247 / CVE-2016-5528 / 
CVE-2016-5519
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
853998: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853998
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Source: glassfish
Severity: grave
Tags: security

So Oracle has these lovely, unspecified vulnerabilities reported against 
Glassfish,
but it's my understanding that the Debian package only provides a minor subset
what usually constitutes Java, so could you have a look, which of 

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

might possibly affect the Debian package?

Cheers,
        Moritz

--- End Message ---
--- Begin Message --- 
On Fri, Feb 03, 2017 at 12:16:07AM +0100, Emmanuel Bourg wrote:
> Le 2/02/2017 à 23:08, Moritz Muehlenhoff a écrit :
> 
> > So Oracle has these lovely, unspecified vulnerabilities reported against 
> > Glassfish,
> > but it's my understanding that the Debian package only provides a minor 
> > subset
> > what usually constitutes Java, so could you have a look, which of 
> > 
> > http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
> > 
> > might possibly affect the Debian package?
> 
> I think this is unlikely to affect our packages. We only have two
> specification packages (glassfish-javaee and glassfish-jmac-api) and an
> Object/Relational mapper (glassfish-toplink-essentials) that is never
> used at runtime.

OK, I've marked these as not-affected in the security tracker, then.

Cheers,
        Moritz

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
[email protected] for discussions and questions.

Reply via email to