Le 09/12/2017 à 23:29, Moritz Mühlenhoff a écrit :
> I'd say let's kick it out, then. We have a build dependency (and run time
> dependencies) on libspring-java, can we axe it out there?
jasperreports is just a build dependency of some unused parts of
libspring-java. No application in Debian needs it at run time. So these
vulnerabilities can be safely ignored in the stable releases.
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.