Bug#894979: ca-certificates-java: SSL error: "the trustAnchors parameter must be non-empty"

2018-04-12 Thread Raphael Hertzog
retitle -1 ca-certificates-java: does not work with OpenJDK 9, applications 
fail with InvalidAlgorithmParameterException: the trustAnchors parameter must 
be non-empty
severity -1 serious
thanks

Hello,

On Thu, 05 Apr 2018, George B. wrote:
> I am getting an error when connecting to HTTPS from java. Looking around
> the problem always seems to talk about this package, but please
> re-assign if something else is to blame.

I confirm the issue. If you have only OpenJDK 9 installed, then the
/etc/ssl/certs/java/cacerts file generated by the postinst (or the
ca-certificates hook) is not working and will lead to errors like the one
you showed.

Work-around:
$ sudo apt install openjdk-8-jre
$ sudo rm /etc/ssl/certs/java/cacerts
$ sudo update-ca-certificates --fresh

This works because /etc/ca-certificates/update.d/jks-keystore prefers
OpenJDK 8 over OpenJDK 9.

> Testing with the following code (I don't really know any Java and it's
> the first thing I found to test with):
> https://gist.github.com/4ndrej/4547029

This was really useful to debug the issue, thank you! My failing java
application was much bigger and harder to strace.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.
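The "trustAnchors parameter must be non-empty" error means the JRE loaded a keystore with zero trusted-certificate entries. The following Python script is an added example (it is not ca-certificates-java code and is not from the bug report): it parses the JKS container that /etc/ssl/certs/java/cacerts is written in, counts the trusted-certificate entries, and verifies the keystore's integrity hash, so a host can be checked without a JDK. The layout follows the JDK's JavaKeyStore implementation; the default password changeit is an assumption (Debian's cacerts uses it unless changed), and the keystores built by build_sample_jks() are constructed in memory with dummy certificate bytes.

```python
"""Count the trust anchors in a JKS keystore and verify its integrity hash.

Added example, not ca-certificates-java code.  Layout as written by the
JDK's JavaKeyStore: magic 0xFEEDFEED, version 2, entry count, entries,
then SHA-1(password as UTF-16BE || "Mighty Aphrodite" || everything before).
"""
import hashlib
import hmac
import struct
import sys

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2
DEFAULT_PASSWORD = "changeit"  # assumption: the stock password of Debian's cacerts


class JksError(ValueError):
    pass


def _utf(buf, off):
    """Java writeUTF(): 2-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def _skip_blob(buf, off):
    """Skip a 4-byte-length-prefixed blob (encoded key or certificate)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return off + 4 + n


def _integrity_hash(password, body):
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()


def parse_jks(data, password=None):
    """Return {"trusted": aliases, "private_keys": aliases, "integrity_ok": bool or None}."""
    if len(data) < 12 + 20:
        raise JksError("too short to be a JKS keystore")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        raise JksError("bad magic %#x, not a JKS keystore" % magic)
    if version != JKS_VERSION:
        raise JksError("unsupported JKS version %d" % version)
    off, trusted, private_keys = 12, [], []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, off)
        off += 4
        alias, off = _utf(data, off)
        off += 8  # creation date, Java long in milliseconds
        if tag == TAG_PRIVATE_KEY:
            off = _skip_blob(data, off)  # password-protected key
            (chain_len,) = struct.unpack_from(">I", data, off)
            off += 4
            for _ in range(chain_len):
                _, off = _utf(data, off)  # certificate type
                off = _skip_blob(data, off)
            private_keys.append(alias)
        elif tag == TAG_TRUSTED_CERT:
            _, off = _utf(data, off)  # certificate type, "X.509" in practice
            off = _skip_blob(data, off)
            trusted.append(alias)
        else:
            raise JksError("unknown entry tag %d at alias %r" % (tag, alias))
    integrity_ok = None
    if password is not None:
        expected = _integrity_hash(password, data[:off])
        integrity_ok = hmac.compare_digest(expected, data[off:off + 20])
    return {"trusted": trusted, "private_keys": private_keys, "integrity_ok": integrity_ok}


def trust_anchor_count(data, password=DEFAULT_PASSWORD):
    """Number of trusted certificates; 0 is what produces the error in this report."""
    ks = parse_jks(data, password)
    if ks["integrity_ok"] is False:
        raise JksError("integrity hash mismatch: wrong password or corrupted keystore")
    return len(ks["trusted"])


def build_sample_jks(entries, password=DEFAULT_PASSWORD):
    """Constructed test data: a version-2 JKS of trusted-cert entries with dummy DER bytes."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        a = alias.encode("utf-8")
        body += struct.pack(">IH", TAG_TRUSTED_CERT, len(a)) + a
        body += struct.pack(">QH", 0, 5) + b"X.509"
        body += struct.pack(">I", len(der)) + der
    return body + _integrity_hash(password, body)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs/java/cacerts"
    with open(path, "rb") as fh:
        n = trust_anchor_count(fh.read())
    print("%s: %d trust anchor(s)%s" % (path, n, "" if n else ": empty trustAnchors, TLS will fail"))
```

Run it against /etc/ssl/certs/java/cacerts after the work-around above: a count of 0 reproduces the failure, while a non-zero count with a valid integrity hash means the keystore itself is fine and the JRE is probably reading a different file.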

Bug#795244: ca-certificates-java.jar - String index out of range: -1

2018-04-12 Thread Raphael Hertzog
Hello,

On Wed, 12 Aug 2015, Christian Hammers wrote:
> It does not work though:
> 
> # java -Xmx64m -jar 
> /usr/share/ca-certificates-java/ca-certificates-java.jar -storepass changeit

That's because the program expects data on standard input. A list of
certificates to add (prefixed with "+") or remove (prefixed with "-").

I'm not sure that there's a real issue here.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/


Bug#879002: Should the package be removed?

2017-10-18 Thread Raphael Hertzog
Source: libpam4j
Severity: serious

Hello,

I just came across libpam4j while handling CVE-2017-12197 and I noticed
that:
- the package has not seen an update since 2012
- the package has no reverse dependency in Debian
- upstream seems to have disappeared (the current Homepage URL is dead
  and I could not find any other upstream code repository)

So I would suggest to drop this package from Debian. If you agree, please
reassign the bug to ftp.debian.org and retitle it into "RM: libpam4j --
ROM; unmaintained, no reverse dependency"

Thank you.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/


Bug#879001: CVE-2017-12197: libpam4j: Account check bypass

2017-10-18 Thread Raphael Hertzog
Source: libpam4j
Version: 1.4-2
Severity: grave
Tags: security

Hi,

the following vulnerability was published for libpam4j.

CVE-2017-12197[0]: libpam4j: Account check bypass

PAM.authentication() does not call pam_acct_mgmt(). As a consequence, the
PAM account is not properly verified. Any user with a valid password but
with deactivated or disabled account is able to log in.

https://bugzilla.redhat.com/show_bug.cgi?id=1503103

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197

Please adjust the affected versions in the BTS as needed.



-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

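The defect is the missing pam_acct_mgmt() call: pam_authenticate() only checks the credential, while account expiry, locking and the rest of the account stack are enforced by pam_acct_mgmt(). The following Python script is an added example, not libpam4j code; it binds Linux-PAM's C API through ctypes in the order a login check needs and puts the vulnerable and the corrected decision logic side by side. LinuxPam calls the real library; FakePam is a constructed stand-in with canned return codes so the decision logic can be exercised without a PAM service or a real account. The service name "login" in the usage note is an assumption.

```python
"""A PAM login check needs pam_acct_mgmt() after pam_authenticate().

Added example, not libpam4j code.  LinuxPam binds the real libpam through
ctypes (Linux-PAM conversation convention); FakePam is a constructed
stand-in with canned return codes so the decision logic runs offline.
"""
import ctypes
import ctypes.util

PAM_SUCCESS, PAM_BUF_ERR, PAM_AUTH_ERR = 0, 5, 7
PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED = 12, 13  # typical pam_acct_mgmt() failures
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON = 1, 2


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                             ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


class LinuxPam:
    """pam_start / pam_authenticate / pam_acct_mgmt / pam_end on the real library."""

    def __init__(self):
        self.lib = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
        self.libc = ctypes.CDLL(None)
        self.libc.calloc.restype = self.libc.strdup.restype = ctypes.c_void_p
        self.libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
        self.libc.strdup.argtypes = [ctypes.c_char_p]
        self.lib.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                       ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
        for name in ("pam_authenticate", "pam_acct_mgmt", "pam_end"):
            getattr(self.lib, name).argtypes = [ctypes.c_void_p, ctypes.c_int]

    def start(self, service, user, password):
        secret = password.encode()

        def conv(num_msg, msgs, resp_out, _appdata):
            # libpam free()s the response array and each string: allocate them with libc.
            arr = self.libc.calloc(num_msg, ctypes.sizeof(PamResponse))
            if not arr:
                return PAM_BUF_ERR
            responses = ctypes.cast(arr, ctypes.POINTER(PamResponse))
            for i in range(num_msg):
                if msgs[i].contents.msg_style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                    responses[i].resp = self.libc.strdup(secret)
            resp_out[0] = responses
            return PAM_SUCCESS

        self._conv = PamConv(CONV_FUNC(conv), None)  # keep the callback referenced
        handle = ctypes.c_void_p()
        rc = self.lib.pam_start(service.encode(), user.encode(),
                                ctypes.byref(self._conv), ctypes.byref(handle))
        if rc != PAM_SUCCESS:
            raise OSError("pam_start failed with %d" % rc)
        return handle

    def authenticate(self, h): return self.lib.pam_authenticate(h, 0)
    def acct_mgmt(self, h): return self.lib.pam_acct_mgmt(h, 0)
    def end(self, h, status): self.lib.pam_end(h, status)


class FakePam:
    """Constructed stand-in: canned return codes, no real PAM stack involved."""
    def __init__(self, auth_rc, acct_rc): self.auth_rc, self.acct_rc = auth_rc, acct_rc
    def start(self, service, user, password): return object()
    def authenticate(self, h): return self.auth_rc
    def acct_mgmt(self, h): return self.acct_rc
    def end(self, h, status): pass


def login_vulnerable(pam, service, user, password):
    """libpam4j before the fix: a correct password alone grants access."""
    h = pam.start(service, user, password)
    rc = pam.authenticate(h)
    pam.end(h, rc)
    return rc == PAM_SUCCESS


def login_fixed(pam, service, user, password):
    """Both the auth stack and the account stack must return PAM_SUCCESS."""
    h = pam.start(service, user, password)
    rc = PAM_AUTH_ERR
    try:
        rc = pam.authenticate(h)
        if rc != PAM_SUCCESS:
            return False, "pam_authenticate", rc
        rc = pam.acct_mgmt(h)  # the call libpam4j omitted (CVE-2017-12197)
        if rc != PAM_SUCCESS:
            return False, "pam_acct_mgmt", rc
        return True, "ok", rc
    finally:
        pam.end(h, rc)
```

Against a real system, `login_fixed(LinuxPam(), "login", user, password)` run with enough privilege to read the shadow file returns `(False, "pam_acct_mgmt", 13)` for an account that `chage -E 0` has expired even when the password is right; `login_vulnerable` returns True for the same account, which is the bypass.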

Wheezy update of lucene-solr?

2017-07-11 Thread Raphael Hertzog
Dear maintainers,

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of lucene-solr:
https://security-tracker.debian.org/tracker/CVE-2017-3163

Would you like to take care of this yourself?

I noticed that lucene-solr is seriously out-of-date compared to upstream,
even in unstable which has the same upstream version as jessie which
is almost the same as wheezy... it would be nice to get back in sync with
upstream to make it easier to handle security updates.

In any case, if you want to handle the wheezy update, please follow the
workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-...@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of lucene-solr updates
for the LTS releases.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/


Bug#802671: Tentative patches for version 1.44

2015-12-07 Thread Raphael Hertzog
On Fri, 04 Dec 2015, Markus Koschany wrote:
> thanks for your work on this bug. We intend to upload version 1.51 of
> bouncycastle to unstable this weekend since we were able to upgrade all
> reverse-dependencies except one so far. Are there any new information
> regarding the patches for Jessie? Shall we still wait with an upload or
> is it safe to use the three existing patches?

Upstream told me that the supplementary fixes will be released in
version 1.54 as they are not urgent and that we can release the current
set of fixes for now.

He suggested to run the ECPointTest unit tests against the backported code
though. I did not check yet what this involves... and whether unit tests
are run automatically during build or not.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Bug#802671: Tentative patches for version 1.44

2015-12-04 Thread Raphael Hertzog
Hi,

On Fri, 04 Dec 2015, Markus Koschany wrote:
> thanks for your work on this bug. We intend to upload version 1.51 of
> bouncycastle to unstable this weekend since we were able to upgrade all
> reverse-dependencies except one so far. Are there any new information
> regarding the patches for Jessie? Shall we still wait with an upload or
> is it safe to use the three existing patches?

I pinged Peter since I had no further news from him. I propose to wait a
little bit longer for the jessie upload.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Bug#802671: Tentative patches for version 1.44

2015-11-26 Thread Raphael Hertzog
On Fri, 20 Nov 2015, Raphael Hertzog wrote:
> On Fri, 23 Oct 2015, Raphael Hertzog wrote:
> > I have asked an upstream developer (Peter Dettman) to review it.
> 
> He reviewed them and came up with further suggestions. So there's a third
> patch (attached) to apply on top of the two patches that I already
> submitted. I sent him the third patch for review too.

That patch is also OK according to Peter. However he asked me to not
yet release the update as further improvements in public key/point
validation are being made.

I'll keep the bug in the loop when I have more details, in the next few days in
theory.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Bug#802671: Tentative patches for version 1.44

2015-11-20 Thread Raphael Hertzog
On Fri, 23 Oct 2015, Raphael Hertzog wrote:
> I have asked an upstream developer (Peter Dettman) to review it.

He reviewed them and came up with further suggestions. So there's a third
patch (attached) to apply on top of the two patches that I already
submitted. I sent him the third patch for review too.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Implement further updates suggested by Peter Dettman after review
of the first two patches. His instructions were the following:

> I think the treatment of the cofactor (h, getH()) for
> ECCurve.Fp needs more attention. The current validity checks for ECPoint
> rely on there being a cofactor provided to check against, but as updated
> by this patch, all ECCurve.Fp simply return null from getH().
> 
> Specifying the cofactor for all the "built-in" curves was preparatory
> work that these validation commits relied on so in their current state
> the patches effectively skip an important check for most of the built-in
> Fp curves, which probably defeats the purpose.
> 
> The "h == null" in ECPoint.satisfiesCofactor is not ideal even in the
> current code, but it's tolerable if all the built-in curves actually do
> specify a cofactor.
> 
> I would recommend that you add the ECCurve.Fp constructor that allows to
> specify cofactor (and order if you like), then change all the curve
> registry classes:
> ECGOST3410NamedCurves
> SECNamedCurves
> TeleTrusTNamedCurves
> X962NamedCurves
> 
> so that they use the new constructor. Then change ECCurve.java so that
> the cofactor (and order - can keep calling them h, n in the code) are
> actually stored in the base class and returned correctly for ECCurve.Fp.
> 
> All the values you need are of course available in the latest code.
> Unfortunately there's quite a lot of them, but the changes should be
> fairly mechanical.

--- a/src/org/bouncycastle/asn1/cryptopro/ECGOST3410NamedCurves.java
+++ b/src/org/bouncycastle/asn1/cryptopro/ECGOST3410NamedCurves.java
@@ -6,6 +6,7 @@ import java.util.Hashtable;
 
 import org.bouncycastle.asn1.DERObjectIdentifier;
 import org.bouncycastle.crypto.params.ECDomainParameters;
+import org.bouncycastle.math.ec.ECConstants;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECFieldElement;
 import org.bouncycastle.math.ec.ECPoint;
@@ -27,7 +28,9 @@ public class ECGOST3410NamedCurves
 ECCurve.Fp curve = new ECCurve.Fp(
 mod_p, // p
 new BigInteger("115792089237316195423570985008687907853269984665640564039457584007913129639316"), // a
-new BigInteger("166")); // b
+new BigInteger("166"), // b
+mod_q,
+ECConstants.ONE);
 
 ECDomainParameters ecParams = new ECDomainParameters(
 curve,
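Review bot: `mod_q` is passed as the order in `new ECCurve.Fp(mod_p, a, b, mod_q, ECConstants.ONE)` but is not assigned anywhere in this hunk's context, so confirm it already holds this parameter set's subgroup order at that point (the following hunks pass the same local again for the other curves); a stale value would store a wrong n without any compile error. Passing `ECConstants.ONE` is what removes the `h == null` case in `ECPoint.satisfiesCofactor` that the quoted review objects to, but with h = 1 that check is trivially satisfied, so on these curves the protection rests on the curve-equation check; verify against the CryptoPro parameter sets (RFC 4357) that each curve's order really equals q before hard-coding the cofactor as 1.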
@@ -44,7 +47,9 @@ public class ECGOST3410NamedCurves
 curve = new ECCurve.Fp(
 mod_p, // p
 new BigInteger("115792089237316195423570985008687907853269984665640564039457584007913129639316"),
-new BigInteger("166"));
+new BigInteger("166"),
+mod_q,
+ECConstants.ONE);
 
 ecParams = new ECDomainParameters(
 curve,
@@ -61,7 +66,9 @@ public class ECGOST3410NamedCurves
 curve = new ECCurve.Fp(
 mod_p, // p
 new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564823190"), // a
-new BigInteger("28091019353058090096996979000309560759124368558014865957655842872397301267595")); // b
+new BigInteger("28091019353058090096996979000309560759124368558014865957655842872397301267595"), // b
+mod_q,
+ECConstants.ONE);
 
 ecParams = new ECDomainParameters(
 curve,
@@ -78,7 +85,9 @@ public class ECGOST3410NamedCurves
 curve = new ECCurve.Fp(
 mod_p, // p
 new BigInteger("70390085352083305199547718019018437841079516630045180471284346843705633502616"),
-new BigInteger("32858"));
+new BigInteger("32858"),
+mod_q,
+ECConstants.ONE);
 
 ecParams = new ECDomainParameters(
 curve,
@@ -94,7 +103,9 @@ public class ECGOST3410NamedCurves
 curve = new ECCurve.Fp(
 mod_p, // p
 new BigInteger("70390085352083305199547718019018437841079516630045180471284346843705633502616"), // a
-new BigInteger("32858")); // b
+new BigInteger("32858"), // b
+mod_q,
+ECConstants.ONE);
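Review bot: the attached diff stops here, with no trailing context after `ECConstants.ONE);` and nothing for the other three registries named in the quoted instructions (SECNamedCurves, TeleTrusTNamedCurves, X962NamedCurves) or for storing h and n in the ECCurve base class so that `getH()` stops returning null on Fp curves. Either this copy is truncated or that half of the change is missing; check the full attachment before applying, because a null cofactor on the SEC/X9.62 curves is exactly the gap the review points out.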

Bug#802671: Tentative patches for version 1.44

2015-10-23 Thread Raphael Hertzog
Hello,

I have backported the relevant commits to version 1.44 and the result
is in the attached patches. The package builds fine but I have not
tested it and I'm not sure how to properly test it... if you have
suggestions, I'm happy to hear them.

I have asked an upstream developer (Peter Dettman) to review it.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
From 5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83 Mon Sep 17 00:00:00 2001
From: Peter Dettman 
Date: Tue, 22 Jul 2014 19:23:34 +0700
Subject: [PATCH] Add automatic EC point validation for decoded points and for
 multiplier outputs.
Origin: upstream, https://github.com/bcgit/bc-java/commit/5cb2f05
Bug-Debian: https://bugs.debian.org/802671

Backporting notes of Raphaël Hertzog:
* core/src/main/java/org/bouncycastle/ in current git
  was src/org/bouncycastle/ in 1.44
* DSTU4145PointEncoder.java does not exist in 1.44 (introduced
  in 158b54f). Dropped the changes.
* AbstractECMultiplier.java does not exist in 1.44 but changes to
  AbstractECMultiplier.java mean that we must run
  ECAlgorithms.validatePoint() on any result of the multiply() function of
  any object implementing ECMultiplier. Done on:
  - FpNafMultiplier.java
  - ReferenceMultiplier.java
  - WNafMultiplier.java
  - WTauNafMultiplier.java
* …/math/ec/custom/* were not present in 1.44. Dropped the corresponding
  changes.
* Remaining changes have been manually backported:
  - ECPointTest.java: done
  - ReferenceMultiplier.java: done, added validatePoint() call on result
  - ECAlgorithms.java: done
  - ECPoint.java: done
- Fp does not yet support getCompressionYTilde(), dropped from
  AbstractFp
- F2m does not yet support checkCurveEquation()
- dropped constructors accepting 4 params (with "zs") as ECPoint()
  does not support it, and dropped all code path that made use of this.zs
  since it's not available, basically everything related to non-affine
  coordinate system
  - ECCurve.java:
- Hunk 1: validatePoint() not backported as there is no createPoint() call
  to replace. Instead ensure decodePoint() return value satisfies
  ECAlgorithms.validatePoint()
- Hunk 2: no importPoint() (and no createPoint() usage found)
- Hunk 3: useless (no-op change)
- Hunk 4: useless (no-op change)
- Hunk 5: validation on generated point at end of function
- Hunk 6: done
- Hunk 7: done (auto-applied)
- Hunk 8/9: ECCurve is abstract and has no constructor, don't call
  parent constructors in Fp constructors (which happens in code
  from hunk 7 adding AbstractFp)
- Hunk 10: ECCurve.Fp does not have decompressPoint() in 1.44, so the whole
  AbstractFp class was in fact useless, drop it and make Fp extends
  ECCurve again.
  End of hunk not applied, the AbstractF2m class is not needed as its
  sole purpose is to factorize a call to buildField() that version
  1.44 does not have.
- Hunk 11/12/13: Not applied as we don't introduce AbstractF2m.
- Hunk 14: yp is already initialized as null in 1.44.
- Hunk 15: decompressPoint() is really implemented differently... and
  even has different parameters. Just add the final check for yp==null
  and don't change the logic in the function.
---
 .../bouncycastle/asn1/ua/DSTU4145PointEncoder.java |  20 +-
 .../bouncycastle/math/ec/AbstractECMultiplier.java |   8 +-
 .../org/bouncycastle/math/ec/ECAlgorithms.java |  56 -
 .../java/org/bouncycastle/math/ec/ECCurve.java | 183 +-
 .../java/org/bouncycastle/math/ec/ECPoint.java | 270 ++---
 .../bouncycastle/math/ec/ReferenceMultiplier.java  |  28 +--
 .../math/ec/custom/djb/Curve25519.java |  29 +--
 .../math/ec/custom/djb/Curve25519Point.java|  17 +-
 .../math/ec/custom/sec/SecP192K1Curve.java |  33 +--
 .../math/ec/custom/sec/SecP192K1Point.java |  19 +-
 .../math/ec/custom/sec/SecP192R1Curve.java |  29 +--
 .../math/ec/custom/sec/SecP192R1Point.java |  19 +-
 .../math/ec/custom/sec/SecP224K1Curve.java |  33 +--
 .../math/ec/custom/sec/SecP224K1Point.java |  19 +-
 .../math/ec/custom/sec/SecP224R1Curve.java |  29 +--
 .../math/ec/custom/sec/SecP224R1Point.java |  18 +-
 .../math/ec/custom/sec/SecP256K1Curve.java |  33 +--
 .../math/ec/custom/sec/SecP256K1Point.java |  19 +-
 .../math/ec/custom/sec/SecP256R1Curve.java |  29 +--
 .../math/ec/custom/sec/SecP256R1Point.java |  18 +-
 .../math/ec/custom/sec/SecP384R1Curve.java |  29 +--
 .../math/ec/custom/sec/SecP384R1Point.java |  18 +-
 .../math/ec/custom/sec/SecP521R1Curve.java |  29 +--
 .../math/ec/custom/sec/SecP521R1Point.java |  18 +-
 .../org/bouncycastle/math/ec/test/ECPointTest.java |  33 +--
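Peter's review above concerns the cofactor that satisfiesCofactor needs, and the backporting notes require every decodePoint() result and every multiplier output to pass ECAlgorithms.validatePoint(). The following Python script is an added example, not Bouncy Castle code and not the backported patch; it implements the same checks on P-256 in pure Python and shows why they matter: the group law never reads b, so a point from a sibling curve (the invalid-curve attack behind CVE-2015-7940) goes through scalar multiplication without complaint, and only an explicit validation rejects it. The curve constants are the public secp256r1 parameters; attacker_point() and the private scalar used in the test are constructed.

```python
"""Point validation that stops an invalid-curve attack (cf. CVE-2015-7940).

Added example, not Bouncy Castle code.  Affine arithmetic on P-256 in pure
Python; validate_point() applies the checks ECAlgorithms.validatePoint()
and ECPoint.satisfiesCofactor enforce.  attacker_point() is constructed on
a sibling curve (same a, different b), which is what an invalid-curve
attacker feeds to a peer that skips validation.
"""

# secp256r1 / NIST P-256 domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
H = 1
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


class InvalidPoint(ValueError):
    pass


def _inv(x):
    return pow(x % P, P - 2, P)


def add(p1, p2):
    """Group law.  It never reads B: the same formulas work on any curve with this A."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Left-to-right double-and-add (a real library uses a constant-time ladder)."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def on_curve(pt, b=B):
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + b)) % P == 0


def validate_point(pt, full_order_check=False):
    """Reject infinity, out-of-range or off-curve coordinates, and small-subgroup points."""
    if pt is INF:
        raise InvalidPoint("point at infinity")
    if not on_curve(pt):
        raise InvalidPoint("not on the curve: invalid-curve attack or corrupted encoding")
    if H != 1 and mul(H, pt) is INF:  # satisfiesCofactor(): h*P must not be infinity
        raise InvalidPoint("point of small order")
    if full_order_check and mul(N, pt) is not INF:  # strongest check, costs a scalar multiply
        raise InvalidPoint("order is not n")
    return pt


def is_valid(pt, full_order_check=False):
    try:
        validate_point(pt, full_order_check)
        return True
    except InvalidPoint:
        return False


def attacker_point(b_prime=B + 1):
    """Constructed: smallest-x point on y^2 = x^3 + A x + b_prime (not on P-256)."""
    x = 1
    while True:
        v = (x * x * x + A * x + b_prime) % P
        y = pow(v, (P + 1) // 4, P)  # P = 3 mod 4, so this is a square root when v is a square
        if v and y * y % P == v:
            return x, y
        x += 1


def unsafe_shared_secret(d, peer):
    """ECDH without validation: the arithmetic silently runs on the attacker's curve."""
    return mul(d, peer)


def safe_shared_secret(d, peer):
    """ECDH with the check the backported patch adds to decodePoint() results."""
    return mul(d, validate_point(peer))
```

For a curve with h = 1 the cofactor check is a no-op, which is why the curve-equation check carries the weight there; on curves with h > 1 (the binary-field and Koblitz curves in the registries Peter lists) a missing or null h silently disables the small-subgroup check, which is the point of his remark about getH().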
 

Bug#802671: CVE-2015-7940 assigned

2015-10-22 Thread Raphael Hertzog
Control: retitle -1 CVE-2015-7940: bouncycastle: ECC private keys can be 
recovered via invalid curve attack

FTR, this issue has been assigned CVE-2015-7940

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

2015-09-28 Thread Raphael Hertzog
Control: tag -1 + security patch

(this is not about commons-httpclient but about httpcomponents-client)

On Fri, 11 Sep 2015, Guido Günther wrote:
> > Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> > the version 4.3.6. So if this is really a security issue the
> > httpcomponents-client package in stable and oldstable is also affected.
> 
> I do think so but I haven't checked yet and
[...]
> claim that it's not yet reproduced for httpcomponents-client 4.2.x
> that's why I didn't file a but for httpcomponents-client yet until
> this is investigated further.

I did look into the source code and it looks like this was a
regression in 4.3.x. So only jessie is affected. squeeze, wheezy (and
likely sid) seem to be fine.

Coming back to commons-httpclient:

RedHat produced a patch here:
https://bugzilla.redhat.com/attachment.cgi?id=1072467&action=diff
Part of https://bugzilla.redhat.com/show_bug.cgi?id=1259892

BTW, would it not be possible to get rid of commons-httpclient
if it has been obsoleted by httpcomponents-client ?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

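CVE-2015-5262 is about a client that applies its socket timeout only after the TLS handshake, so a server that accepts the TCP connection and then says nothing pins the calling thread forever. The following Python script is an added example (not httpcomponents-client or commons-httpclient code) that reproduces that failure mode against a constructed local server which never sends a ServerHello, and shows the fix: arm the read timeout on the plain socket before the handshake starts.

```python
"""Arm the socket timeout before the TLS handshake (cf. CVE-2015-5262).

Added example, not httpcomponents-client code.  silent_tls_server() is a
constructed endpoint that accepts TCP connections and never sends a byte,
the behaviour that pins a client whose read timeout only applies after
the handshake.
"""
import socket
import ssl
import threading
import time


def silent_tls_server():
    """Listen on 127.0.0.1:<ephemeral>, accept, and hold every connection open silently."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []

    def run():
        while True:
            try:
                held.append(srv.accept()[0])  # never read, never write
            except OSError:
                return  # listener closed

    threading.Thread(target=run, daemon=True).start()
    return srv, srv.getsockname()[1]


def _client_context():
    # Verification is irrelevant here: the handshake never reaches the certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_handshake(port, timeout, arm_before_handshake=True):
    """Return "ok", "timeout" or "error".

    arm_before_handshake=False reproduces the vulnerable ordering: the connect
    timeout is honoured, but the read timeout is only applied once the handshake
    has completed, so a silent server blocks the caller indefinitely.
    """
    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout)  # connect timeout
    raw.settimeout(timeout if arm_before_handshake else None)             # read timeout for the handshake
    try:
        tls = _client_context().wrap_socket(raw, server_hostname="localhost")  # handshakes here
        tls.settimeout(timeout)  # the late arming: redundant if done above, useless otherwise
        tls.close()
        return "ok"
    except socket.timeout:
        return "timeout"
    except (ssl.SSLError, OSError):
        return "error"
    finally:
        raw.close()


def timed_handshake(port, timeout):
    """Fixed ordering, with the wall-clock seconds it took to give up."""
    start = time.monotonic()
    result = tls_handshake(port, timeout, arm_before_handshake=True)
    return result, time.monotonic() - start


def handshake_is_stuck(port, watch_seconds):
    """Run the vulnerable ordering in a daemon thread; True if it is still blocked afterwards."""
    worker = threading.Thread(target=tls_handshake, args=(port, 2.0, False), daemon=True)
    worker.start()
    worker.join(watch_seconds)
    return worker.is_alive()


if __name__ == "__main__":
    srv, port = silent_tls_server()
    print("fixed ordering:", timed_handshake(port, 0.5))
    print("vulnerable ordering still blocked after 1 s:", handshake_is_stuck(port, 1.0))
    srv.close()
```

The same ordering matters in Java: SSLSocket.startHandshake() honours the socket's SO_TIMEOUT, so setSoTimeout() has to run on the socket before the handshake, which is what the regression in 4.3.x got wrong for HTTPS connections.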

Bug#795027: jarwrapper: Does not work when installed in chroot while already active outside the chroot

2015-08-09 Thread Raphael Hertzog
Control: tag -1 + patch

On Sun, 09 Aug 2015, Raphaël Hertzog wrote:
> A patch will follow.

Please find attached the suggested patch. Applies on your current git.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
From 60638e0e74c16704c2f27d8357ebed228a3d8175 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= hert...@debian.org
Date: Sun, 9 Aug 2015 22:09:04 +0200
Subject: [PATCH] Install proper /usr/share/binfmts/jarwrapper

And do not rely on postinst snippet setting up a local configuration.

Closes: #779895, #795027
Sponsored-by: Offensive Security
---
 debian/changelog | 8 
 debian/jarwrapper.install| 1 +
 debian/jarwrapper.postinst   | 4 ++--
 debian/jarwrapper.prerm  | 4 ++--
 jarwrapper-binfmt/jarwrapper | 4 
 5 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 jarwrapper-binfmt/jarwrapper

diff --git a/debian/changelog b/debian/changelog
index a90d991..90cea54 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+javatools (0.53) UNRELEASED; urgency=medium
+
+  * Install proper /usr/share/binfmts/jarwrapper instead of relying on
+postinst snippet setting up a local configuration.
+Closes: #779895, #795027
+
+ -- Raphaël Hertzog hert...@debian.org  Sun, 09 Aug 2015 21:57:52 +0200
+
 javatools (0.52) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/jarwrapper.install b/debian/jarwrapper.install
index 4372877..1f7f79f 100644
--- a/debian/jarwrapper.install
+++ b/debian/jarwrapper.install
@@ -1,3 +1,4 @@
 jardetector /usr/bin
 jarwrapper /usr/bin
 java-arch.sh /usr/share/jarwrapper
+jarwrapper-binfmt/jarwrapper /usr/share/binfmts
diff --git a/debian/jarwrapper.postinst b/debian/jarwrapper.postinst
index e746d83..f150bf6 100644
--- a/debian/jarwrapper.postinst
+++ b/debian/jarwrapper.postinst
@@ -2,8 +2,8 @@
 
 set -e
 
-if test -x /usr/sbin/update-binfmts ; then 
-   update-binfmts --install jarwrapper /usr/bin/jarwrapper --magic 'PK\x03\x04' --detector /usr/bin/jardetector
+if [ $1 = configure ]  which update-binfmts /dev/null 21; then
+update-binfmts --import jarwrapper
 fi
 
 #DEBHELPER#
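Review bot: quote the positional parameter, `[ "$1" = configure ]`; with `set -e` an empty `$1` makes `[` fail with "unary operator expected" and aborts the maintainer script. `command -v update-binfmts` is the POSIX spelling of the `which` test and does not depend on an external program. As rendered here the `&&` and the `>/dev/null 2>&1` between the two tests are missing, presumably lost in transit, so check the actual file.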
diff --git a/debian/jarwrapper.prerm b/debian/jarwrapper.prerm
index 8c8b89c..32d05a4 100644
--- a/debian/jarwrapper.prerm
+++ b/debian/jarwrapper.prerm
@@ -2,8 +2,8 @@
 
 set -e
 
-if test -x /usr/sbin/update-binfmts ; then 
-   update-binfmts --remove jarwrapper /usr/bin/jarwrapper 
+if [ $1 = remove ]  which update-binfmts /dev/null 21; then
+update-binfmts --package jarwrapper --remove jarwrapper /usr/bin/jarwrapper
 fi
 
 #DEBHELPER#
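Review bot: same quoting, `[ "$1" = remove ]`. The `--package jarwrapper` tag and the `/usr/bin/jarwrapper` interpreter path here have to match the `package` and `interpreter` lines of the new /usr/share/binfmts/jarwrapper below (they do); if that file is ever edited, this line must follow or the removal will not match the registration.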
diff --git a/jarwrapper-binfmt/jarwrapper b/jarwrapper-binfmt/jarwrapper
new file mode 100644
index 000..5d8f3fe
--- /dev/null
+++ b/jarwrapper-binfmt/jarwrapper
@@ -0,0 +1,4 @@
+package jarwrapper
+detector /usr/bin/jardetector
+interpreter /usr/bin/jarwrapper
+magic PK\x03\x04
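Review bot: `magic PK\x03\x04` is the local-file-header signature of every zip file, not just jars, so `detector /usr/bin/jardetector` is the only thing that stops binfmt_misc from handing an executable .odt, .apk or .docx to the JVM; keep that line and make sure jardetector fails closed (non-zero exit) on anything it cannot positively identify as a runnable jar. The values match the `--magic 'PK\x03\x04' --detector /usr/bin/jardetector` flags removed from postinst above, so the registration itself is unchanged in behaviour.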
-- 
2.5.0


Bug#779895: Suggested patch

2015-08-09 Thread Raphael Hertzog
Control: tag -1 + patch

Please consider applying the attached patch.

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
From 60638e0e74c16704c2f27d8357ebed228a3d8175 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= hert...@debian.org
Date: Sun, 9 Aug 2015 22:09:04 +0200
Subject: [PATCH] Install proper /usr/share/binfmts/jarwrapper

And do not rely on postinst snippet setting up a local configuration.

Closes: #779895, #795027
Sponsored-by: Offensive Security
---
 debian/changelog | 8 
 debian/jarwrapper.install| 1 +
 debian/jarwrapper.postinst   | 4 ++--
 debian/jarwrapper.prerm  | 4 ++--
 jarwrapper-binfmt/jarwrapper | 4 
 5 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 jarwrapper-binfmt/jarwrapper

diff --git a/debian/changelog b/debian/changelog
index a90d991..90cea54 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+javatools (0.53) UNRELEASED; urgency=medium
+
+  * Install proper /usr/share/binfmts/jarwrapper instead of relying on
+postinst snippet setting up a local configuration.
+Closes: #779895
+
+ -- Raphaël Hertzog hert...@debian.org  Sun, 09 Aug 2015 21:57:52 +0200
+
 javatools (0.52) unstable; urgency=medium
 
   * Team upload.
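Review bot: this `Closes:` line lists only #779895, while the commit message above and the copy of this same commit (60638e0e) attached to #795027 also close #795027; the two attachments share a commit id but differ here, so one of them is stale. List both bugs in the changelog entry so the BTS closes #795027 on upload.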
diff --git a/debian/jarwrapper.install b/debian/jarwrapper.install
index 4372877..1f7f79f 100644
--- a/debian/jarwrapper.install
+++ b/debian/jarwrapper.install
@@ -1,3 +1,4 @@
 jardetector /usr/bin
 jarwrapper /usr/bin
 java-arch.sh /usr/share/jarwrapper
+jarwrapper-binfmt/jarwrapper /usr/share/binfmts
diff --git a/debian/jarwrapper.postinst b/debian/jarwrapper.postinst
index e746d83..f150bf6 100644
--- a/debian/jarwrapper.postinst
+++ b/debian/jarwrapper.postinst
@@ -2,8 +2,8 @@
 
 set -e
 
-if test -x /usr/sbin/update-binfmts ; then 
-   update-binfmts --install jarwrapper /usr/bin/jarwrapper --magic 'PK\x03\x04' --detector /usr/bin/jardetector
+if [ $1 = configure ]  which update-binfmts /dev/null 21; then
+update-binfmts --import jarwrapper
 fi
 
 #DEBHELPER#
diff --git a/debian/jarwrapper.prerm b/debian/jarwrapper.prerm
index 8c8b89c..32d05a4 100644
--- a/debian/jarwrapper.prerm
+++ b/debian/jarwrapper.prerm
@@ -2,8 +2,8 @@
 
 set -e
 
-if test -x /usr/sbin/update-binfmts ; then 
-   update-binfmts --remove jarwrapper /usr/bin/jarwrapper 
+if [ $1 = remove ]  which update-binfmts /dev/null 21; then
+update-binfmts --package jarwrapper --remove jarwrapper /usr/bin/jarwrapper
 fi
 
 #DEBHELPER#
diff --git a/jarwrapper-binfmt/jarwrapper b/jarwrapper-binfmt/jarwrapper
new file mode 100644
index 000..5d8f3fe
--- /dev/null
+++ b/jarwrapper-binfmt/jarwrapper
@@ -0,0 +1,4 @@
+package jarwrapper
+detector /usr/bin/jardetector
+interpreter /usr/bin/jarwrapper
+magic PK\x03\x04
-- 
2.5.0


Bug#783233: CVE-2014-8111: mod_jk ignores JkUnmount rules for subtrees of previous JkMount rules

2015-04-24 Thread Raphael Hertzog
Source: libapache-mod-jk
Severity: serious 
Tags: security

Hi,

the following vulnerability was published for libapache-mod-jk.

CVE-2014-8111[0]:
| Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount
| rules for subtrees of previous JkMount rules, which allows remote
| attackers to access otherwise restricted artifacts via unspecified
| vectors.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
Please adjust the affected versions in the BTS as needed.

The upstream fix is here: http://svn.apache.org/r1647017

Feel free to lower the severity if you believe the issue to be minor. I'm
not familiar enough with the software to be able to judge.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Bug#780102: About the security issues affecting libjbcrypt-java in Squeeze

2015-03-10 Thread Raphael Hertzog
Hello dear maintainer(s),

the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/CVE-2015-0886

We decided that we would not prepare a squeeze security update (usually
because the security impact is low and that we concentrate our limited
resources on higher severity issues and on the most widely used packages).
That said the squeeze users would most certainly benefit from a fixed
package.

If you want to work on such an update, you're welcome to do so. Please
try to follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-...@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. However please make sure to
submit a tested package.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Re: squeeze update of libspring-2.5-java?

2015-03-09 Thread Raphael Hertzog
Hello Emmanuel,

On Tue, 24 Feb 2015, Emmanuel Bourg wrote:
> CVE-2011-3923 seems to be a Struts vulnerability, why is it assigned to
> Spring?

I asked Salvatore Bonaccorso car...@debian.org to review this since
he confirmed that assignment a while ago... he double checked and
it was a mistake (the CVE assignment has been fixed now).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


squeeze update of libspring-2.5-java?

2015-02-24 Thread Raphael Hertzog
[ CC Damien Raude-Morvan draz...@debian.org who handled the last
  security upload ]

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libspring-2.5-java (this source
package only exists in squeeze currently):
https://security-tracker.debian.org/tracker/CVE-2011-3923

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-...@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


squeeze update of jruby?

2015-02-24 Thread Raphael Hertzog
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your jruby:
https://security-tracker.debian.org/tracker/CVE-2012-5370
https://security-tracker.debian.org/tracker/CVE-2011-4838

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-...@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


security update of commons-httpclient?

2015-02-24 Thread Raphael Hertzog
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your commons-httpclient:
https://security-tracker.debian.org/tracker/CVE-2012-6153

It would be nice if you could take care of this update as
the package is not high enough on our priority list and
we seem to never manage to find the time.

And the same seems to apply for the stable security team
since this issue is still open in all releases despite
a friendly ping from Moritz last december.

Yet the package seems to be relatively important in the java world since
it's a reverse dependency of quite a few other packages...

So it would be nice to have some action going. I don't want
to raise the severity to serious at this point of the release but it's
not good for Debian to leave security issues unattended for so long.
So can someone take the responsibility to provide fixed packages
for our releases?

I have included Alberto Fernández Martínez in copy since he's the last
person having uploaded the package in... 2012!

Thank you in advance!

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: If you want to handle the upload to squeeze-lts by yourself, please
follow the instructions here:
http://wiki.debian.org/LTS/Development
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


squeeze update of axis?

2015-02-18 Thread Raphael Hertzog
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your package:
https://security-tracker.debian.org/tracker/CVE-2014-3596
https://security-tracker.debian.org/tracker/CVE-2012-5784

Would you like to take care of this yourself? It's probably not
too complicated since a Wheezy update happened a few months ago
and it's the same upstream version in both releases.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-...@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Bug#760733: libspring-java: CVE-2014-0225

2014-11-26 Thread Raphael Hertzog
Hello Stephen,

On Mon, 08 Sep 2014, Stephen Nelson wrote:
> > For what it's worth, CVE-2014-3578 was assigned to a directory traversal
> > vulnerability in libspring-java
> > ( http://www.pivotal.io/security/cve-2014-3578)
> 
> Thanks for letting us know about this one. I've had a quick look and it
> might be more difficult to fix given that there hasn't been a specific
> commit made in a later version of Spring which could be backported.
> However, I will look into this in more detail and report back to the BTS
> for this bug.

I haven't seen any followup yet. Do you still plan to do the required
investigation?

This bug is one of Jessie's remaining release critical bugs so it would
be nice if there could be some progress. (Of course, packaging a new
upstream version can also be considered by release team members
if backporting is too much work)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558

2014-11-18 Thread Raphael Hertzog
On Sun, 02 Nov 2014 23:38:30 +0100 Emmanuel Bourg ebo...@apache.org wrote:
> libhibernate-validator-java is only used as a build dependency of
> libhibernate3-java. No package depends on it at runtime, so the risk of
> being affected by this vulnerability is rather low, if not zero.

Thank you for this information but it's not really a satisfactory answer.

We can't knowingly ship libraries with serious security issues. It's not
the first time I see that kind of answer from the java team. Please
at least package new upstream versions with the appropriate security fixes.

I can understand that backporting security patches might be difficult but
packaging new upstream versions is the basis of our work in Debian. We
can't stay with outdated versions and known vulnerabilities forever.

Please send a call for help on debian-devel(-announce) if you are not able
to do the basic work of keeping your packages up-to-date. Then the
publicity team might relay your message further... and maybe you'll find
some supplementary volunteers.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


Re: Glassfish security support (in Squeeze)

2014-09-25 Thread Raphael Hertzog
On Thu, 25 Sep 2014, Christoph Biedl wrote:
> Raphael Hertzog wrote...
> 
> > For Squeeze LTS, we can't really remove a single binary package with an
> > update since the update lives in its own squeeze-lts repository and this
> > would not remove the package in the main squeeze repo.
> 
> To me, this sounds like a solution for the problem (I did not repeat
> the dependency check, though). So where's the problem? Those who did
> not configure squeeze-lts in sources.list are on unsupported grounds
> anyway.

How so? Imagine someone with glassfish-appserver installed. He has no
other binary packages from glassfish. We push an update in squeeze-lts
that drops glassfish-appserver. For APT, the latest version of the package
is the one in squeeze and the user doesn't see any update.

So the only solution would be to provide an empty binary package saying
that the package is no longer supported but that would break his
installation and he would be forced to downgrade to keep it running
despite the known security problems.

None of those solutions look satisfying.

> > Christoph, is it
> > possible to mark only a single binary package as unsupported?
> 
> Unfortunately no but I consider this a sound feature request.
> Especially if you decide to go this way, I'll put some priority onto
> it. Let me know in due course.

I think we would like to pursue this path, yes. Would you like a wishlist
bug report for this?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/


Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558

2014-09-24 Thread Raphael Hertzog
Package: libhibernate-validator-java
Severity: serious
Tags: security

Hi,
the following vulnerability was published for libhibernate-validator-java.

CVE-2014-3558[0]:
It was discovered that the implementation of
org.hibernate.validator.util.ReflectionHelper together with the permissions
required to run Hibernate Validator under the Java Security Manager could allow
a malicious application deployed in the same application container to execute
several actions with escalated privileges, which might otherwise not be
possible. This flaw could be used to perform various attacks, including but not
restricted to, arbitrary code execution in systems that are otherwise secured
by the Java Security Manager.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3558
https://security-tracker.debian.org/tracker/CVE-2014-3558
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3558
Please adjust the affected versions in the BTS as needed.

The upstream fixes seem very involved and they have been pushed only
on newer versions of the package: 4.2.1, 4.3.2, and 5.1.2 respectively.
See https://hibernate.atlassian.net/browse/HV-912

Please switch to a new upstream version ASAP in unstable and help the
security team and the LTS team to provide patched versions in stable/oldstable.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/


Re: Glassfish security support (in Squeeze)

2014-09-23 Thread Raphael Hertzog
Hi Emmanuel,

On Mon, 22 Sep 2014, Emmanuel Bourg wrote:
> Glassfish is an important package for the Java ecosystem as it provides
> JavaEE specification APIs used to build many other packages.
> 
> The CVEs reported are most likely related to the complete application
> server which is almost unused in Debian (the glassfish-appserv package
> has a low popcon and no reverse dependencies). Removing this package
> should address the security concerns (yet, the package contains no init
> script to run it as a daemon, so the risk is already zero since nobody
> can use it).

This looks like a possible compromise (although the lack of init script
doesn't mean that nobody can use it, it's always possible to start it from
a custom script).

Can you verify the 3 open CVEs and confirm that they only concern
glassfish-appserv? There's almost no information but it says
once "Unspecified vulnerability in the CORBA ORB component in Sun
GlassFish Enterprise Server 2.1.1" and "Unspecified vulnerability in
the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1".

For Squeeze LTS, we can't really remove a single binary package with an
update since the update lives in its own squeeze-lts repository and this
would not remove the package in the main squeeze repo. Christoph, is it
possible to mark only a single binary package as unsupported?

For Jessie/Sid, it still seems a pretty bad idea to release with such
an outdated package. Do you have plans to update it?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/


Bug#762444: Insecure certificate validation CVE-2014-3596

2014-09-22 Thread Raphael Hertzog
Package: axis
Severity: grave
Tags: security

Hi,
the following vulnerability was published for axis.

CVE-2014-3596[0]:
| The getCN function in Apache Axis 1.4 and earlier does not properly
| verify that the server hostname matches a domain name in the subject's
| Common Name (CN) or subjectAltName field of the X.509 certificate,
| which allows man-in-the-middle attackers to spoof SSL servers via a
| certificate with a subject that specifies a common name in a field
| that is not the CN field.  NOTE: this issue exists because of an
| incomplete fix for CVE-2012-5784.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596
https://security-tracker.debian.org/tracker/CVE-2014-3596
https://issues.apache.org/jira/browse/AXIS-2905
Please adjust the affected versions in the BTS as needed.

As it turns out, the fix for CVE-2012-5784 was incomplete and
there's an updated patch available provided by RedHat:
https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch

Please replace debian/patches/06-fix-CVE-2012-5784.patch with this
one.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/


Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-09-22 Thread Raphael Hertzog
Hi,

On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > Is there an example available somewhere of a subject improperly parsed
> > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > this version.
> 
> I think this is already fixed in 3.1-10.2, see the Red Hat bug as
> reference and see https://bugs.debian.org/692442#56 and following
> mails.

I don't understand this from those mails. On the contrary, RedHat
did update their packages with a new patch on top of the former
patch:
https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch

And the Debian package still has the old version of getCN().

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
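As an added example illustrating the getCN() flaw described in CVE-2014-3596 above and the old getCN() still in the commons-httpclient package discussed here (this is not code from Axis, HttpClient or the Debian packages): a substring-based CN extraction beside a parser-based one using javax.naming.ldap.LdapName, with subject alternative names checked first; the subject DN and host names are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example, not code from Axis, HttpClient or the Debian packages:
 *  hostname checks that avoid the getCN() bug class behind
 *  CVE-2012-5784 / CVE-2014-3596 / CVE-2012-6153. */
public final class HostnameCheck {

    /** The fragile pattern: scan the DN string for "CN=" and cut at the next
     *  comma. Any field whose value contains "CN=" is mistaken for the CN. */
    static String naiveCN(String dn) {
        int i = dn.indexOf("CN=");
        if (i < 0) return null;
        int end = dn.indexOf(',', i);
        return end < 0 ? dn.substring(i + 3) : dn.substring(i + 3, end);
    }

    /** Correct extraction: parse the DN into RDNs (RFC 2253 escaping and
     *  quoting handled by LdapName) and read the value of a real CN only. */
    static String parsedCN(String dn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** RFC 6125-style matching: exact match, or a "*." wildcard covering
     *  exactly one leftmost label with at least two fixed labels after it. */
    static boolean matches(String host, String name) {
        host = host.toLowerCase(Locale.ROOT);
        name = name.toLowerCase(Locale.ROOT);
        if (!name.startsWith("*.")) return host.equals(name);
        String suffix = name.substring(1);             // e.g. ".example.com"
        if (suffix.indexOf('.', 1) < 0) return false;  // rejects "*.com"
        int firstDot = host.indexOf('.');
        return firstDot > 0 && host.substring(firstDot).equals(suffix);
    }

    /** SAN dNSName entries take precedence; the CN is consulted only when
     *  the certificate carries no dNSName at all. */
    static boolean verify(String host, String subjectDN, List<String> sanDns)
            throws InvalidNameException {
        if (!sanDns.isEmpty()) {
            for (String san : sanDns) if (matches(host, san)) return true;
            return false;
        }
        String cn = parsedCN(subjectDN);
        return cn != null && matches(host, cn);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject: the victim's name sits in O, the real CN is evil.test.
        String dn = "O=CN=www.example.com,CN=evil.test";
        List<String> noSan = Collections.emptyList();
        System.out.println("naive CN  : " + naiveCN(dn));
        System.out.println("parsed CN : " + parsedCN(dn));
        System.out.println("CN-only, crafted O   : " + verify("www.example.com", dn, noSan));
        System.out.println("CN-only, wildcard CN : " + verify("www.example.com", "CN=*.example.com", noSan));
        System.out.println("SAN present          : " + verify("www.example.com", dn, Arrays.asList("*.example.com")));
        System.out.println("bare TLD wildcard    : " + matches("www.example.com", "*.com"));
    }
}
```

The naive extraction returns the name embedded in the O field while the parsed one returns the real CN, so only the substring version would accept the crafted certificate for www.example.com.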


Glassfish security support (in Squeeze)

2014-09-22 Thread Raphael Hertzog
Hello,

while triaging CVEs affecting Debian Squeeze I came on glassfish:
https://security-tracker.debian.org/tracker/source-package/glassfish

From what I gathered, Oracle doesn't provide any useful information to
apply a targeted fix on the current package. The 2.1.x branch is also
no longer maintained upstream.

The only solution would be to import new upstream versions but I think
this is out of scope for such a package, particularly when the current
Debian maintainers have not provided such an updated package yet (I
just filed #762462 about this).

Thus I believe that we should mark the package as end-of-life and
recognize officially our inability to handle this package.

If there are no objections, I'll file a bug against
debian-security-support to request this. CC to the security team in case
they want to request the same for Wheezy.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/


Bug#649476: fop: Failure confirmed with 1:1.0.dfsg2-3 but not with 1:0.95.dfsg-11

2011-12-07 Thread Raphael Hertzog
On Wed, 07 Dec 2011, Vincent Hobeika wrote:
> I confirm this bug for 1:1.0.dfsg2-3. However on 1:0.95.dfsg-11 I was
> able to produce the User Guide.pdf without any problem.

Yes, the build used to work with the old fop.

> I have started a thread on fop users mailing list. We are trying to
> find the defective snippet but it's quite hard due to the heavy file
> size.
> 
> Do you have a diff of the User Guide.fo from where it started to fail
> building?

Not really, this file is generated from a docbook file with an xslt
stylesheet. It might be that all versions of the file fail with the new
fop...

One could try a git bisect on a git-svn repository created from
http://svn.fedorahosted.org/svn/publican/trunk/publican/ but I'm not sure
it would lead to something useful.

Why not try to find the problematic commit in the fop history instead?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/liberation/




Bug#549737: libgnucrypto-java: FTBFS: rm: cannot remove `debian/libgnucrypto-java/usr/share/info/dir': No such file or directory

2009-10-26 Thread Raphael Hertzog
On Mon, 26 Oct 2009, Lucas Nussbaum wrote:
> No, the build was done with version 1.15.4. You need to build-depend on
> install-info, which is no longer provided directly by dpkg.
> 
> dpkg people, wouldn't it make sense to depend on install-info in dpkg,

No, the whole point of using Breaks against info readers was to avoid
adding a Depends on it.

> or better, to make the wrapper fail more noisily? It seems that this
> change is going to silently break lots of builds.

The change happened quite some time ago, I don't think it will break many
builds. Feel free to suggest another wording but I'm not sure that
making it fail (instead of warn) will improve the situation wrt package
installability/buildability.

Cheers,
-- 
Raphaël Hertzog



___
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers