On 09.12.2017 at 23:43, Emmanuel Bourg wrote:
> On 09/12/2017 at 23:29, Moritz Mühlenhoff wrote:
>> I'd say let's kick it out, then. We have a build dependency (and run time
>> dependencies) on libspring-java, can we axe it out there?
> jasperreports is just a build dependency of some unused parts of
> libspring-java. No application in Debian needs it at run time. So these
> vulnerabilities can be safely ignored in the stable releases.

The situation with jasperreports is not great. I understand your
reasoning but I agree with Moritz that this is a more general issue with
jasperreports. My motivation to upgrade the library back in 2015 from
version 4 to 6 was libspring-java because this is something I use
personally and it is also a quite important piece of Java software.

However we should always be able to assess security vulnerabilities.
Just hoping that nobody will ever use the Debian library in some other
context is negligent. I would be really disappointed if I built a
Java app with Debian's system libraries and then had to find out that
it is basically unsupported and contains security holes because it is
"just" a build-dependency for some other project.

To be fair: CVE-2017-5533 and CVE-2017-5528 probably do not affect us
because we ship the Jasperreports Library and not the server. Please
correct me if I am wrong.

That said, maybe you are able to find the relevant changes or you get a
more helpful reply from the support guys. Otherwise I would try to
disable jasperreports in libspring-java, which appears to be optional. (I
know it probably requires another patch...)

For reference here is the link to my support request:


