Am 09.12.2017 um 23:43 schrieb Emmanuel Bourg: > Le 09/12/2017 à 23:29, Moritz Mühlenhoff a écrit : > >> I'd say let's kick it out, then. We have a build dependency (and run time >> dependencies) on libspring-java, can we axe it out there? > > jasperreports is just a build dependency of some unused parts of > libspring-java. No application in Debian needs it at run time. So these > vulnerabilities can be safely ignored in the stable releases.
The situation with jasperreports is not great. I understand your reasoning but I agree with Moritz that this is a more general issue with jasperreports. My motivation to upgrade the library back in 2015 from version 4 to 6 was libspring-java because this is something I use personally and it is also a quite important piece of Java software. However we should always be able to assess security vulnerabilities. Just hoping that nobody will ever use the Debian library in some other context is negligent. I would be really disappointed when I built an Java app with Debian's system libraries and then I have to find out that it is basically unsupported and contains security holes because it is "just" a build-dependency for some other project. To be fair: CVE-2017-5533 and CVE-2017-5528 probably do not affect us because we ship the Jasperreports Library and not the server. Please correct me if I am wrong. Thus said maybe you are able to find the relevant changes or you get a more helpful reply from the support guys. Otherwise I would try to disable jasperreports in libspring-java which appears to be optional. (I know probably requires another patch...) For reference here is the link to my support request: https://community.jaspersoft.com/questions/1072461/security-update-cve-2017-14941-cve-2017-5528-cve-2017-5529 Regards, Markus
Description: OpenPGP digital signature
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.