Bug#611130: CVE-2010-2087

2012-05-14 Thread Steve McIntyre
On Sun, May 13, 2012 at 09:23:45PM +0200, Moritz Mühlenhoff wrote:
> On Sun, May 13, 2012 at 05:52:05PM +0100, Steve McIntyre wrote:
> > On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
> > > #tag 611130 + idontgiveadamn
> > > tag 611130 + moreinfo
> > > kthxbye
> > > 
> > > Upstream doesn't answer any request about this bug.
> > > 
> > > I sent emails, I posted in their discussion forum and even joined their
> > > irc channel to ask a couple of questions about this bug. I didn't receive
> > > any answer; I can say I was completely ignored.
> > > 
> > > There is no info at the Mitre website and AFAIK this issue is not fixed in
> > > any other free software distribution.
> > > 
> > > I have neither time nor interest in this; good luck to anybody
> > > interested in fixing this bug. Be aware of the uncooperative upstream.
> > 
> > Given this, this package looks like a prime candidate for removal from
> > the archive to be honest. Thoughts?
> 
> I concur, but libspring build-depends on it, something which needs to
> be addressed somehow.

Ick. :-(

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/




__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#672892: Provide furniture libraries in separate package

2012-05-14 Thread martin f krafft
Package: sweethome3d
Version: 3.4+dfsg-1
Severity: wishlist

Please consider packaging extras, like furniture libraries, into
separate packages.

Thanks,

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sweethome3d depends on:
ii  icedtea-netx-common 1.2-2
ii  java-wrappers   0.1.25
ii  java3ds-fileloader  1.2+dfsg-1
ii  libbatik-java   1.7+dfsg-1
ii  libfreehep-graphicsio-svg-java  2.1.1-3
ii  libitext-java   2.1.7-3
ii  libjava3d-java  1.5.2+dfsg-7
ii  libsunflow-java 0.07.2.svn396+dfsg-9
ii  openjdk-6-jre   6b24-1.11.1-6

sweethome3d recommends no packages.

sweethome3d suggests no packages.

-- no debconf information


-- 
 .''`.   martin f. krafft madduck@d.o          Related projects:
: :'  :  proud Debian developer                http://debiansystem.info
`. `'`   http://people.debian.org/~madduck     http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems



Bug#611138: CVE-2010-4438 / CVE-2011-5035

2012-05-14 Thread Steve McIntyre
On Mon, May 14, 2012 at 12:13:50AM +0200, Damien Raude-Morvan wrote:
> Hi all,
> 
> On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
> > > Sadly, no :/ I must admit that Oracle does not publish details of its
> > > fixes so it's hard to confirm firmly which component exactly is
> > > impacted.
> > > 
> > > I'll try to revive my contact @Oracle to get some feedback on this
> > > issue (on future security issues).
> > 
> > Hi,
> > 
> > Any news on this?
> 
> I'll just start by restating my initial comment on both issues:
> -
> We don't build any real Glassfish Server but just some parts of the API
> library used as Java EE specifications. As for any specification, this is
> just a collection of interfaces and doesn't have much more implementation
> than dumb or stub code.
> -
> 
> So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
> packages.

OK, fair enough.

> But I cannot be 100% sure since:
> - The upstream bugtracker [1] doesn't contain any reference to those
>   security issues
> - My Oracle contact (GlassFish community manager) only told me that
>   CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to
>   3.1.1 for paying customers). The fix is in the trunk and will be
>   integrated in the 3.1.2 release scheduled for later this quarter
> 
> I don't think I'll do further investigation on those issues...
> At least there is one instructive thing: we have to think twice before
> integrating a full-blown Glassfish JEE server (i.e. not just the API) into
> Debian, as from my point of view Glassfish security is not handled as an
> open source project should.

Yes, I'd have to agree with that. :-(

If you're *reasonably* confident that we're not affected by those
CVE issues, is it worth maybe dropping the severity of the Debian bugs
from serious?

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss
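Damien's point that the Debian packages carry only Java EE API interfaces and stub code is the kind of claim that can be checked rather than argued: open the jar and look at what the class files actually contain. The script below is an added example written for this thread, not code from Debian, GlassFish or Oracle. It parses class files directly (no javap needed), separates interfaces and stub classes from classes with real method bodies, and builds its own sample jar in-process so it runs offline; the class names `spec/Api`, `spec/ApiStub` and `impl/RealWork` and the 16-byte stub threshold are assumptions for illustration.

```python
"""Audit the .class files in a jar: API only (interfaces and stub methods) or real
implementation code?  Added example for this bug, not Debian or GlassFish code; it
reads the JVM class-file format directly, so no JDK is needed, and the sample jar
is built in-process by a minimal class-file writer with made-up names."""
import io
import struct
import zipfile
ACC_INTERFACE, ACC_ABSTRACT, ACC_NATIVE = 0x0200, 0x0400, 0x0100
MAGIC = b"\xca\xfe\xba\xbe"
# Payload size (after the tag byte) of every fixed-size constant-pool tag.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumption: <= 16 bytecode bytes is a stub (`return`, `return null`, `throw new ...()`).
STUB_MAX_CODE = 16

def _constant_pool(buf, pos):
    """Return (utf8 strings by index, Class entry -> name index, pos after the pool)."""
    (count,) = struct.unpack_from(">H", buf, pos)
    utf8, classes, i, pos = {}, {}, 1, pos + 2
    while i < count:
        tag, pos = buf[pos], pos + 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", buf, pos)
            utf8[i] = buf[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag == 7:                               # CONSTANT_Class: u2 name index
                (classes[i],) = struct.unpack_from(">H", buf, pos)
            pos += CP_FIXED[tag]
        i += 2 if tag in (5, 6) else 1                 # Long/Double occupy two slots
    return utf8, classes, pos

def _attributes(buf, pos, utf8):
    """Walk an attribute table; return (code_length of its Code attribute or None, pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos, code_len = pos + 2, None
    for _ in range(n):
        name_idx, length = struct.unpack_from(">HI", buf, pos)
        if utf8.get(name_idx) == "Code":               # info: max_stack, max_locals, code_length
            (code_len,) = struct.unpack_from(">I", buf, pos + 10)
        pos += 6 + length
    return code_len, pos

def classify_class(buf, stub_max_code=STUB_MAX_CODE):
    """Classify one class file as 'interface', 'stub' or 'implementation'."""
    assert buf[:4] == MAGIC, "not a class file"
    utf8, classes, pos = _constant_pool(buf, 8)        # 8 = magic + minor/major version
    flags, this_idx, _super, n_ifaces = struct.unpack_from(">HHHH", buf, pos)
    pos += 8 + 2 * n_ifaces
    n_fields, pos = struct.unpack_from(">H", buf, pos)[0], pos + 2
    for _ in range(n_fields):                          # field_info: flags, name, descriptor, attrs
        pos = _attributes(buf, pos + 6, utf8)[1]
    n_methods, pos, bodies = struct.unpack_from(">H", buf, pos)[0], pos + 2, 0
    for _ in range(n_methods):                         # method_info: same layout as field_info
        (mflags,) = struct.unpack_from(">H", buf, pos)
        code_len, pos = _attributes(buf, pos + 6, utf8)
        if not mflags & (ACC_ABSTRACT | ACC_NATIVE) and (code_len or 0) > stub_max_code:
            bodies += 1
    kind = "interface" if flags & ACC_INTERFACE else "stub" if bodies == 0 else "implementation"
    return {"name": utf8[classes[this_idx]], "kind": kind, "bodies": bodies}

def audit_jar(jar_bytes, stub_max_code=STUB_MAX_CODE):
    """Group every class in the jar by kind; 'implementation' is what needs a closer look."""
    report = {"interface": [], "stub": [], "implementation": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in (e for e in zf.namelist() if e.endswith(".class")):
            info = classify_class(zf.read(entry), stub_max_code)
            report[info["kind"]].append(info["name"])
    return report

def build_class(name, flags, methods):
    """Constructed input only: write a minimal class file.  methods = [(flags, name, code bytes|None)]."""
    cp = []
    def add(tag, payload):                             # append a pool entry, return its 1-based index
        cp.append(bytes([tag]) + payload)
        return len(cp)
    def utf8(s): return add(1, struct.pack(">H", len(s)) + s.encode())
    def cls(s): return add(7, struct.pack(">H", utf8(s)))
    this_idx, super_idx, code_idx, body = cls(name), cls("java/lang/Object"), utf8("Code"), b""
    for mflags, mname, code_len in methods:
        n_idx, d_idx = utf8(mname), utf8("()V")
        if code_len is None:                           # abstract: no Code attribute
            body += struct.pack(">HHHH", mflags, n_idx, d_idx, 0)
            continue
        info = struct.pack(">HHI", 1, 1, code_len) + b"\xb1" * code_len + b"\0\0\0\0"
        body += struct.pack(">HHHH", mflags, n_idx, d_idx, 1)
        body += struct.pack(">HI", code_idx, len(info)) + info
    out = MAGIC + struct.pack(">HHH", 0, 49, len(cp) + 1) + b"".join(cp)
    out += struct.pack(">HHHHH", flags, this_idx, super_idx, 0, 0)  # no interfaces, no fields
    return out + struct.pack(">H", len(methods)) + body + b"\0\0"   # no class attributes

def build_sample_jar():
    """Hypothetical jar: a spec interface, a stub class and a real implementation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("spec/Api.class", build_class("spec/Api", ACC_INTERFACE | ACC_ABSTRACT | 1,
                                                  [(ACC_ABSTRACT | 1, "call", None)]))
        zf.writestr("spec/ApiStub.class", build_class("spec/ApiStub", 1, [(1, "<init>", 5), (1, "call", 8)]))
        zf.writestr("impl/RealWork.class", build_class("impl/RealWork", 1, [(1, "<init>", 5), (1, "parse", 120)]))
    return buf.getvalue()
```

Against a real package, pass it the bytes of the jar (for example `audit_jar(open("/usr/share/java/some-api.jar", "rb").read())`). Anything in the `implementation` list is code that could actually carry a bug like the two CVEs; an empty list backs Damien's reading. The threshold is a heuristic: a stub that throws with a message still fits in a few bytes, but a small class that only delegates would be misclassified, so treat the report as a triage aid rather than proof.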






Bug#670756: Tuxguitar does not start

2012-05-14 Thread Jakub Adam

In my opinion libswt-gtk-3.5-java and libswt-3-gtk-java are not in conflict;
generally it's ok to have them both installed. The problem is in the tuxguitar
package itself, which will not work with SWT 3.5.

So I suggest that we make tuxguitar conflict with libswt-gtk-3.5-java
(and maybe also with libswt-gtk-3.4-java and libswt-gtk-3.6-java I see
in Grant's package list too).

On 14.5.2012 06:08, Grant Diffey wrote:
> so my installed package list is
> 
> nevyn@cetacea:~$ dpkg -l libswt*
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name                      Version   Description
> +++-=========================-=========-=====================================================
> ii  libswt-cairo-gtk-3-jni    3.7.2-2   Standard Widget Toolkit for GTK+ Cairo JNI library
> ii  libswt-glx-gtk-3-jni      3.7.2-2   Standard Widget Toolkit for GTK+ GLX JNI library
> ii  libswt-gnome-gtk-3-jni    3.7.2-2   Standard Widget Toolkit for GTK+ GNOME JNI library
> un  libswt-gnome-gtk-3.5-jni  <none>    (no description available)
> un  libswt-gnome-gtk-3.6-jni  <none>    (no description available)
> ii  libswt-gtk-3-java         3.7.2-2   Standard Widget Toolkit for GTK+ Java library
> un  libswt-gtk-3-java-gcj     <none>    (no description available)
> ii  libswt-gtk-3-jni          3.7.2-2   Standard Widget Toolkit for GTK+ JNI library
> un  libswt-gtk-3.4-java       <none>    (no description available)
> un  libswt-gtk-3.4-jni        <none>    (no description available)
> ii  libswt-gtk-3.5-java       3.5.1-5   Standard Widget Toolkit for GTK+ Java library
> un  libswt-gtk-3.5-java-gcj   <none>    (no description available)
> ii  libswt-gtk-3.5-jni        3.5.1-5   Standard Widget Toolkit for GTK+ JNI library
> ii  libswt-gtk-3.6-java       3.6.2-1   Standard Widget Toolkit for GTK+ Java library
> un  libswt-gtk-3.6-java-gcj   <none>    (no description available)
> ii  libswt-gtk-3.6-jni        3.6.2-1   Standard Widget Toolkit for GTK+ JNI library
> ii  libswt-webkit-gtk-3-jni   3.7.2-2   Standard Widget Toolkit for GTK+ WebKit JNI library
> un  libswt3.2-gtk-gcj         <none>    (no description available)
> un  libswt3.2-gtk-java        <none>    (no description available)
> un  libswt3.2-gtk-jni         <none>    (no description available)
> 
> so yes
> 
> ii  libswt-gtk-3.5-jni        3.5.1-5   Standard Widget Toolkit for GTK+ JNI library
> 
> is installed.
> 
> if this breaks with the new version of libswt-3-gtk-java should it not
> conflict?








Processed: severity of 611138 is serious, severity of 653964 is serious

2012-05-14 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 611138 serious
Bug #611138 [glassfish] CVE-2010-4438
Severity set to 'serious' from 'grave'
> severity 653964 serious
Bug #653964 [glassfish] glassfish predictable hash collisions
Ignoring request to change severity of Bug 653964 to the same value.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
611138: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611138
653964: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653964
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#670756: Tuxguitar does not start

2012-05-14 Thread tony mancill
On 05/14/2012 08:18 AM, Jakub Adam wrote:
> In my opinion libswt-gtk-3.5-java and libswt-3-gtk-java are not in
> conflict,
> generally it's ok to have them installed both. The problem is in tuxguitar
> package itself which will not work with SWT 3.5.
> 
> So I suggest that we make tuxguitar to conflict with libswt-gtk-3.5-java
> (and maybe also with libswt-gtk-3.4-java and libswt-gtk-3.6-java I see
> in Grant's package list too).

Hi Jakub,

There are times in the past when tuxguitar explicitly depended on
libswt-gtk-3.5-jar, so it seems odd to say that tuxguitar won't work
with it.  What seems to be the case is that tuxguitar won't work when
both -3.5 and -3 packages are installed.

Could it be due to the version of libswt-gtk-3-java that was used when
the tuxguitar binary was built?  (That is, should it be a versioned
dependency on libswt-gtk-3-java?)  Also, I'm able to install both
libswt-gtk-3.5-java and libswt-3-gtk-java in a clean chroot and still
run tuxguitar without a problem.  In any event, I'm not trying to
contradict your assertion; merely understand it.

Cheers,
tony




Bug#670756: Tuxguitar does not start

2012-05-14 Thread Niels Thykier
On 2012-05-15 06:38, tony mancill wrote:
> On 05/14/2012 08:18 AM, Jakub Adam wrote:
> > In my opinion libswt-gtk-3.5-java and libswt-3-gtk-java are not in
> > conflict,
> > generally it's ok to have them installed both. The problem is in tuxguitar
> > package itself which will not work with SWT 3.5.
> > 
> > So I suggest that we make tuxguitar to conflict with libswt-gtk-3.5-java
> > (and maybe also with libswt-gtk-3.4-java and libswt-gtk-3.6-java I see
> > in Grant's package list too).
> 
> Hi Jakub,
> 
> There are times in the past when tuxguitar explicitly depended on
> libswt-gtk-3.5-jar, so it seems odd to say that tuxguitar won't work
> with it.  What seems to be the case is that tuxguitar won't work when
> both -3.5 and -3 packages are installed.
> 
> Could it be due to the version of libswt-gtk-3-java that was used when
> the tuxguitar binary was built?  (That is, should it be a versioned
> dependency on libswt-gtk-3-java?)  Also, I'm able to install both
> libswt-gtk-3.5-java and libswt-3-gtk-java in a clean chroot and still
> run tuxguitar without a problem.  In any event, I'm not trying to
> contradict your assertion; merely understand it.
> 
> Cheers,
> tony
> 

I believe that swt uses alternatives for the swt.jar, so if you have an
older version of libswt-*-java providing the alternative without (all)
the relevant -jni packages => boom.  Now that should not be possible to
do, but it is...

> un  libswt-gnome-gtk-3.5-jni  <none>    [...]
> un  libswt-gnome-gtk-3.6-jni  <none>    [...]
> [...]
> ii  libswt-gtk-3.5-java       3.5.1-5   [...]
> ii  libswt-gtk-3.6-java       3.6.2-1   [...]

Presumably the dependency relations on the old -jni packages (or on the
old -java packages) are not strong enough.

Personally, I think the swt alternatives are... weird at best.  So I
would vote for breaking the old packages to force their removal and then
remove the usage of alternatives in Wheezy+1.
  I think the original idea was to allow co-installation of two
(API/ABI) incompatible swt jars to smooth transitions - however they
are not going to be enabled at the same time, so we would end up breaking
some programs during a transition anyway.

~Niels
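Niels's diagnosis (an older libswt-*-java that can still own the alternative while some of its -jni packages are not installed) can be read straight off Grant's `dpkg -l` output. The script below is an added example for this bug report, not a Debian or SWT tool: it parses only the status and name columns, and for every installed libswt-gtk-<ver>-java it lists the same-version -jni packages that dpkg knows of but that are not installed. The sample input is Grant's list, abridged and embedded as a constructed string; the package-name pattern it matches is an assumption based on the names in that list.

```python
"""Spot the SWT package mismatch Niels describes: a libswt-gtk-<ver>-java that is
installed (and so can own the swt.jar alternative) while a -jni package of the
same <ver> is known to dpkg but not installed.  Added example for this bug, not
a Debian tool; the sample is Grant's list, abridged, as a constructed string."""
import re

SAMPLE = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                      Version   Description
+++-=========================-=========-==============================
ii  libswt-cairo-gtk-3-jni    3.7.2-2   SWT for GTK+ Cairo JNI library
ii  libswt-glx-gtk-3-jni      3.7.2-2   SWT for GTK+ GLX JNI library
ii  libswt-gnome-gtk-3-jni    3.7.2-2   SWT for GTK+ GNOME JNI library
un  libswt-gnome-gtk-3.5-jni  <none>    (no description available)
un  libswt-gnome-gtk-3.6-jni  <none>    (no description available)
ii  libswt-gtk-3-java         3.7.2-2   SWT for GTK+ Java library
un  libswt-gtk-3-java-gcj     <none>    (no description available)
ii  libswt-gtk-3-jni          3.7.2-2   SWT for GTK+ JNI library
un  libswt-gtk-3.4-java       <none>    (no description available)
un  libswt-gtk-3.4-jni        <none>    (no description available)
ii  libswt-gtk-3.5-java       3.5.1-5   SWT for GTK+ Java library
ii  libswt-gtk-3.5-jni        3.5.1-5   SWT for GTK+ JNI library
ii  libswt-gtk-3.6-java       3.6.2-1   SWT for GTK+ Java library
ii  libswt-gtk-3.6-jni        3.6.2-1   SWT for GTK+ JNI library
ii  libswt-webkit-gtk-3-jni   3.7.2-2   SWT for GTK+ WebKit JNI library
un  libswt3.2-gtk-java        <none>    (no description available)
"""

# Assumed naming: libswt-[<variant>-]gtk-<ver>-(java|jni).  The -gcj packages
# and the old libswt3.2-* names do not match and are ignored on purpose.
PKG_RE = re.compile(
    r"^libswt-(?:(?P<variant>[a-z]+)-)?gtk-(?P<ver>\d+(?:\.\d+)*)-(?P<kind>java|jni)$")


def parse_dpkg_l(text):
    """Map (variant or None, version, kind) -> installed? for matching SWT packages."""
    state = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        m = PKG_RE.match(parts[1])
        if not m:
            continue                       # header lines and unrelated packages
        # dpkg -l status column is desired/status/err; an 'i' in the second
        # position means installed, anything else ('n', 'c', ...) means not.
        installed = len(parts[0]) >= 2 and parts[0][1] == "i"
        state[(m["variant"], m["ver"], m["kind"])] = installed
    return state


def find_jni_gaps(text):
    """Versions whose -java is installed but a same-version -jni that dpkg knows is not."""
    state = parse_dpkg_l(text)
    gaps = {}
    for (_, ver, kind), installed in state.items():
        if kind != "java" or not installed:
            continue
        missing = sorted((v or "base") for (v, ver2, k), inst in state.items()
                         if ver2 == ver and k == "jni" and not inst)
        if missing:
            gaps[ver] = missing
    return gaps


def report(text):
    """One line per version that could break the alternative, in package-name form."""
    lines = []
    for ver, missing in sorted(find_jni_gaps(text).items()):
        jni = ", ".join("libswt-%sgtk-%s-jni" % ("" if v == "base" else v + "-", ver)
                        for v in missing)
        lines.append("libswt-gtk-%s-java installed without %s" % (ver, jni))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no version mismatch found")
```

On Grant's list this flags 3.5 and 3.6, each missing its gnome JNI package, which is exactly the pair of `un` lines Niels quotes. On a live system feed it the output of `dpkg -l 'libswt*'` and compare the flagged versions with whatever `update-alternatives --display` reports as the current target of the swt.jar alternative: if the current target belongs to a flagged version, that is the "boom" case. The check only uses what dpkg already knows (an `un` line), so a -jni package that never existed for a given version is not reported.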



