Bug#611138: CVE-2010-4438 / CVE-2011-5035
On Mon, May 14, 2012 at 12:13:50AM +0200, Damien Raude-Morvan wrote:
> Hi all,
>
> On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
> > > Sadly, no :/ I must admit that Oracle does not publish details of its
> > > fixes so it's hard to confirm firmly which component is exactly
> > > impacted. I'll try to revive my contact @Oracle to get some feedback
> > > on this issue (on future security issues).
> >
> > Hi,
> >
> > Any news on this?
>
> I'll just start by restating my initial comment on both issues:
>
> - We don't build any real Glassfish Server but just some parts of the API
>   library used as Java EE specifications. As for any specification, this
>   is just a collection of interfaces and doesn't have much more
>   implementation than dumb or stub code.
> - So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian
>   binary packages.

OK, fair enough.

> But I cannot be 100% sure since:
>
> - Upstream bugtracker [1] doesn't contain any reference to those security
>   issues
> - My Oracle contact (GlassFish community manager) only told me that
>   CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to
>   3.1.1 for paying customers). The fix is in the trunk and will be
>   integrated in the 3.1.2 release scheduled for later this quarter
>
> I don't think I'll do further investigation on those issues...
>
> At least, there is one instructive thing: we have to think twice before
> integrating a full-blown Glassfish JEE server (i.e. not just the API) into
> Debian, as from my point of view Glassfish security is not handled as an
> open source project should.

Yes, I'd have to agree with that. :-(

If you're *reasonably* confident that we're not affected by those CVE
issues, is it worth maybe dropping the severity of the Debian bugs from
serious?

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#611138: CVE-2010-4438
On Wed, Jan 04, 2012 at 09:12:31PM +0100, Damien Raude-Morvan wrote:
> On 01/01/2012 19:47, Julien Cristau wrote:
> > Hi,
>
> Hi Julien,
>
> > On Wed, Jan 26, 2011 at 19:46:32 +0100, Damien Raude-Morvan wrote:
> > > So I don't think the Debian package is affected by this issue, but
> > > we'll have to wait until the Oracle/Glassfish team publish some source
> > > code to confirm this.
> >
> > Did that happen in the last year?
>
> Sadly, no :/ I must admit that Oracle does not publish details of its
> fixes so it's hard to confirm firmly which component is exactly impacted.
>
> I'll try to revive my contact @Oracle to get some feedback on this issue
> (on future security issues).

Hi,

Any news on this?

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
This dress doesn't reverse. -- Alden Spiess
Bug#611138: CVE-2010-4438 / CVE-2011-5035
Hi all,

On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
> > Sadly, no :/ I must admit that Oracle does not publish details of its
> > fixes so it's hard to confirm firmly which component is exactly
> > impacted. I'll try to revive my contact @Oracle to get some feedback
> > on this issue (on future security issues).
>
> Hi,
>
> Any news on this?

I'll just start by restating my initial comment on both issues:

- We don't build any real Glassfish Server but just some parts of the API
  library used as Java EE specifications. As for any specification, this
  is just a collection of interfaces and doesn't have much more
  implementation than dumb or stub code.
- So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian
  binary packages.

But I cannot be 100% sure since:

- Upstream bugtracker [1] doesn't contain any reference to those security
  issues
- My Oracle contact (GlassFish community manager) only told me that
  CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to
  3.1.1 for paying customers). The fix is in the trunk and will be
  integrated in the 3.1.2 release scheduled for later this quarter

I don't think I'll do further investigation on those issues...

At least, there is one instructive thing: we have to think twice before
integrating a full-blown Glassfish JEE server (i.e. not just the API) into
Debian, as from my point of view Glassfish security is not handled as an
open source project should.

[1] http://java.net/jira/browse/GLASSFISH

Cheers,
-- 
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan
Bug#611138: CVE-2010-4438
On 01/01/2012 19:47, Julien Cristau wrote:
> Hi,

Hi Julien,

> On Wed, Jan 26, 2011 at 19:46:32 +0100, Damien Raude-Morvan wrote:
> > So I don't think the Debian package is affected by this issue, but
> > we'll have to wait until the Oracle/Glassfish team publish some source
> > code to confirm this.
>
> Did that happen in the last year?

Sadly, no :/ I must admit that Oracle does not publish details of its
fixes so it's hard to confirm firmly which component is exactly impacted.

I'll try to revive my contact @Oracle to get some feedback on this issue
(on future security issues).

Cheers,
Bug#611138: CVE-2010-4438
Hi,

On Wed, Jan 26, 2011 at 19:46:32 +0100, Damien Raude-Morvan wrote:
> So I don't think the Debian package is affected by this issue, but we'll
> have to wait until the Oracle/Glassfish team publish some source code to
> confirm this.

Did that happen in the last year?

Cheers,
Julien
Bug#611138: CVE-2010-4438
Hi,

On Tuesday 25 January 2011 23:02:18, Moritz Muehlenhoff wrote:
> See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438
>
> Please get in touch with Oracle to check what unspecified vulnerability
> they fixed...

From the CVE abstract:

  Sun GlassFish Enterprise Server contains a flaw related to the 'Java
  Message Service (JMS)' sub-component that may allow a local attacker to
  have a partial effect on integrity and confidentiality and cause a denial
  of service. No further details have been provided.

We hardly build any real Glassfish Server, just some parts of the API
library from the Java EE specifications. FYI,
/usr/share/java/glassfish-jms.jar is just a collection of interfaces and
doesn't have any implementation of a JMS server.

So I don't think the Debian package is affected by this issue, but we'll
have to wait until the Oracle/Glassfish team publish some source code to
confirm this.

Cheers,
-- 
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan
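The triage argument in the message above rests on a checkable property of the shipped jar: a pure API jar contains interfaces and abstract method declarations but no method bodies. The following script is an added example, not code from this bug thread, from Debian or from the GlassFish project. It parses each class file in a jar (constant pool, access flags, field and method tables) and reports which classes carry a Code attribute, i.e. real bytecode, which is the concrete signal that a jar ships an implementation rather than only the specification's interfaces. The sample jar is constructed in memory with made-up class names (example.api.Service and example.impl.ServiceImpl are not real GlassFish classes); to audit a real jar such as /usr/share/java/glassfish-jms.jar, read its bytes and pass them to audit_jar. Note that even an API jar legitimately contains some concrete classes (exception types, small helpers), so the with_code list is a starting point for review, not a verdict.

```python
import io
import struct
import zipfile

ACC_INTERFACE = 0x0200
ACC_ABSTRACT = 0x0400
# payload size (after the 1-byte tag) of the fixed-size constant pool entry kinds
_CP_SIZES = {3: 4, 4: 4, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def _parse_constant_pool(data, pos, count):
    """Walk the pool keeping Utf8 bytes and Class name indexes; return (pool, end offset)."""
    pool = [None] * count
    i = 1
    while i < count:
        tag = data[pos]
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack_from(">H", data, pos + 1)[0]
            pool[i] = data[pos + 3:pos + 3 + length]
            pos += 3 + length
        elif tag == 7:                                 # CONSTANT_Class: u2 name_index
            pool[i] = struct.unpack_from(">H", data, pos + 1)[0]
            pos += 3
        elif tag in (5, 6):                            # Long/Double: 8 bytes and two slots
            pos += 9
            i += 1
        elif tag in _CP_SIZES:
            pos += 1 + _CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return pool, pos

def _scan_members(data, pos, pool):
    """Skip a field or method table; return (some member has a Code attribute, new pos)."""
    count = struct.unpack_from(">H", data, pos)[0]
    pos += 2
    has_code = False
    for _ in range(count):
        attr_count = struct.unpack_from(">H", data, pos + 6)[0]
        pos += 8                                       # access, name, descriptor, attr_count
        for _ in range(attr_count):
            name_idx, length = struct.unpack_from(">HI", data, pos)
            has_code |= pool[name_idx] == b"Code"
            pos += 6 + length
    return has_code, pos

def class_summary(data):
    """Name, kind (interface/abstract/concrete) and whether any method carries bytecode."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    pool, pos = _parse_constant_pool(data, 10, struct.unpack_from(">H", data, 8)[0])
    access, this_class = struct.unpack_from(">HH", data, pos)
    name = pool[pool[this_class]].decode("utf-8").replace("/", ".")  # ASCII names assumed
    pos += 6                                           # access_flags, this_class, super_class
    pos += 2 + 2 * struct.unpack_from(">H", data, pos)[0]             # interfaces table
    _, pos = _scan_members(data, pos, pool)            # fields never carry Code
    has_code, _ = _scan_members(data, pos, pool)       # methods: a Code attribute is a body
    kind = "interface" if access & ACC_INTERFACE else "abstract" if access & ACC_ABSTRACT else "concrete"
    return {"name": name, "kind": kind, "has_code": has_code}

def audit_jar(jar_bytes):
    """Summarise every class in a jar; api_only is True when no class carries bytecode."""
    classes = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class") and not entry.endswith("module-info.class"):
                classes.append(class_summary(zf.read(entry)))
    with_code = [c["name"] for c in classes if c["has_code"]]
    return {"classes": classes, "with_code": with_code, "api_only": not with_code}

def _build_class(name, access, with_body):
    """Constructed minimal class file (not a real GlassFish class) with one method run()V."""
    utf = lambda s: struct.pack(">BH", 1, len(s)) + s.encode()
    pool = (struct.pack(">BH", 7, 2) + utf(name)                     # #1 Class -> #2 Utf8
            + struct.pack(">BH", 7, 4) + utf("java/lang/Object")     # #3 Class -> #4 Utf8
            + utf("run") + utf("()V") + utf("Code"))                 # #5, #6, #7
    out = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, 8) + pool          # magic, version 50, 8 slots
    out += struct.pack(">HHHHH", access, 1, 3, 0, 0)                 # this, super, 0 ifaces, 0 fields
    if with_body:
        # one public method with a 13-byte Code attribute whose only instruction is 'return'
        code = struct.pack(">HI", 7, 13) + struct.pack(">HHI", 0, 1, 1) + b"\xb1" + struct.pack(">HH", 0, 0)
        out += struct.pack(">HHHHH", 1, 0x0001, 5, 6, 1) + code
    else:
        out += struct.pack(">HHHHH", 1, 0x0401, 5, 6, 0)             # public abstract, no body
    return out + struct.pack(">H", 0)                                # no class attributes

def build_sample_jar(include_impl=True):
    """Constructed in-memory jar: one API interface plus, optionally, a concrete implementation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example/api/Service.class", _build_class("example/api/Service", 0x0601, False))
        if include_impl:
            zf.writestr("example/impl/ServiceImpl.class", _build_class("example/impl/ServiceImpl", 0x0021, True))
    return buf.getvalue()
```

Running audit_jar(build_sample_jar(False)) yields api_only=True, while the jar that also contains the constructed implementation class reports api_only=False and lists example.impl.ServiceImpl under with_code. The Code-attribute test is deliberately preferred over the ACC_INTERFACE flag alone: since Java 8 an interface may carry default methods with bytecode, and an abstract class may carry most of an implementation, so "no method bodies anywhere" is the property that actually supports the "interfaces only" argument.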
Bug#611138: CVE-2010-4438
On Wed, Jan 26, 2011 at 07:46:32PM +0100, Damien Raude-Morvan wrote:
> Hi,
>
> On Tuesday 25 January 2011 23:02:18, Moritz Muehlenhoff wrote:
> > See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438
> >
> > Please get in touch with Oracle to check what unspecified vulnerability
> > they fixed...
>
> From the CVE abstract:
>
>   Sun GlassFish Enterprise Server contains a flaw related to the 'Java
>   Message Service (JMS)' sub-component that may allow a local attacker to
>   have a partial effect on integrity and confidentiality and cause a
>   denial of service. No further details have been provided.
>
> We hardly build any real Glassfish Server, just some parts of the API
> library from the Java EE specifications. FYI,
> /usr/share/java/glassfish-jms.jar is just a collection of interfaces and
> doesn't have any implementation of a JMS server.
>
> So I don't think the Debian package is affected by this issue, but we'll
> have to wait until the Oracle/Glassfish team publish some source code to
> confirm this.

Ok, I've updated the Security Tracker to mark it as not-affected. I wasn't
aware that the Debian Glassfish package doesn't provide the full stack.

Cheers,
Moritz
Bug#611138: CVE-2010-4438
user release.debian@packages.debian.org
usertag 611138 + squeeze-can-defer
tag 611138 + squeeze-ignore
thanks

On Wed, 2011-01-26 at 22:34 +0100, Moritz Mühlenhoff wrote:
> On Wed, Jan 26, 2011 at 07:46:32PM +0100, Damien Raude-Morvan wrote:
> > So I don't think the Debian package is affected by this issue, but
> > we'll have to wait until the Oracle/Glassfish team publish some source
> > code to confirm this.
>
> Ok, I've updated the Security Tracker to mark it as not-affected. I
> wasn't aware that the Debian Glassfish package doesn't provide the full
> stack.

In that case, this sounds like a fix could be deferred until after the
release, if it's required at all; tagging as not a blocker.

Regards,

Adam
Processed: Re: Bug#611138: CVE-2010-4438
Processing commands for cont...@bugs.debian.org:

> user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was a...@adam-barratt.org.uk).
> usertag 611138 + squeeze-can-defer
Bug#611138: CVE-2010-4438
There were no usertags set.
Usertags are now: squeeze-can-defer.
> tag 611138 + squeeze-ignore
Bug #611138 [glassfish] CVE-2010-4438
Added tag(s) squeeze-ignore.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
611138: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611138
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#611138: CVE-2010-4438
Package: glassfish
Severity: grave
Tags: security

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438

Please get in touch with Oracle to check what unspecified vulnerability
they fixed...

Cheers,
Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash