I filed upstream bug


and asked for more information about security vulnerabilities in general.

The relevant issues are public now:

CVE-2017-7559 was addressed in version 1.4.23 or 2.0.1. Since 2.0.1
requires the servlet 4.0 API, which is currently not available in Debian,
I'm opting for 1.4.23. I still need to find the relevant commit to be
able to backport the fix to Stretch.
