Bug#611138: CVE-2010-4438 / CVE-2011-5035

2012-05-14 Thread Steve McIntyre
On Mon, May 14, 2012 at 12:13:50AM +0200, Damien Raude-Morvan wrote:
Hi all,

On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
 Sadly, no :/ I must admit that Oracle does not publish details of its
 fixes, so it's hard to confirm firmly which component exactly is
 impacted.
 
 I'll try to revive my contact @Oracle to get some feedback on this
 issue (on future security issues).
 
 Hi,
 
 Any news on this?

I'll just start by restating my initial comment on both issues:
-
We don't build any real GlassFish Server, just some parts of the API
library used as Java EE specifications. As for any specification, this is just
a collection of interfaces and doesn't have much more implementation than dumb or
stub code.
-

So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
packages.

OK, fair enough.

But I cannot be 100% sure since:
- The upstream bugtracker [1] doesn't contain any reference to those security issues.
- My Oracle contact (GlassFish community manager) only told me that
CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1
for paying customers). The fix is in the trunk and will be integrated in the
3.1.2 release scheduled for later this quarter.

I don't think I'll do further investigation on those issues...
At least there is one instructive thing: we have to think twice before
integrating a full-blown GlassFish JEE server (i.e. not just the API) into
Debian, as from my point of view GlassFish security is not handled as an
open source project should.

Yes, I'd have to agree with that. :-(

If you're *reasonably* confident that we're not affected by those
CVE issues, is it worth maybe dropping the severity of the Debian bugs
from serious?

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#611138: CVE-2010-4438 / CVE-2011-5035

2012-05-13 Thread Damien Raude-Morvan
Hi all,

On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
 Sadly, no :/ I must admit that Oracle does not publish details of its
 fixes, so it's hard to confirm firmly which component exactly is
 impacted.
 
 I'll try to revive my contact @Oracle to get some feedback on this
 issue (on future security issues).
 
 Hi,
 
 Any news on this?

I'll just start by restating my initial comment on both issues:
-
We don't build any real GlassFish Server, just some parts of the API
library used as Java EE specifications. As for any specification, this is just
a collection of interfaces and doesn't have much more implementation than dumb or
stub code.
-

So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
packages.

But I cannot be 100% sure since:
- The upstream bugtracker [1] doesn't contain any reference to those security issues.
- My Oracle contact (GlassFish community manager) only told me that
CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1
for paying customers). The fix is in the trunk and will be integrated in the
3.1.2 release scheduled for later this quarter.

I don't think I'll do further investigation on those issues...
At least there is one instructive thing: we have to think twice before
integrating a full-blown GlassFish JEE server (i.e. not just the API) into
Debian, as from my point of view GlassFish security is not handled as an
open source project should.

[1] http://java.net/jira/browse/GLASSFISH

Cheers,
-- 
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan

