Bug#898935: migrate fix to stretch security

2018-08-24 Thread Markus Koschany
On 24.08.2018 at 09:30, Bogdan Veringioiu wrote: > Hello all, > > is there any plan to migrate the fix to stretch security? > > I would be interested in the fixes for CVE-2018-1304, CVE-2018-1305 > (resolved in 7.0.88, and in 8.5.32-1 testing) which are important for a > security certification

Bug#902861: axis: FTBFS with Java 10 due to com.sun.net.ssl removal

2018-08-23 Thread Markus Koschany
On 24.08.2018 at 01:00, Emmanuel Bourg wrote: >> This issue was apparently fixed in version 1.10.4-2. Axis can be rebuilt >> from source again. > > Actually the issue was triggered by the automatic use of the --release > javac option in ant/1.10.3-2, the flag removed the internal com.sun.net >

Bug#888547: CVE-2017-1000190

2018-08-23 Thread Markus Koschany
On 23.08.2018 at 15:55, Emmanuel Bourg wrote: > On 23/08/2018 13:14, Markus Koschany wrote: >> Apparently upstream doesn't consider this "to be their problem". Since >> simple-xml has no reverse-dependencies and the current uploader is MIA, >> I think we should

Bug#888547: CVE-2017-1000190

2018-08-23 Thread Markus Koschany
Apparently upstream doesn't consider this "to be their problem". Since simple-xml has no reverse-dependencies and the current uploader is MIA, I think we should consider requesting the removal of simple-xml. Markus

Bug#906785: version warping patch is overly aggressive

2018-08-21 Thread Markus Koschany
On 21.08.2018 at 19:47, Keith Packard wrote: [...] > We only discovered that ant was the source of trouble by comparing the > output of a project built using that and another project built using a > simple Makefile. > > If you're going to stop supporting older API versions, I'd suggest that >

Bug#906785: version warping patch is overly aggressive

2018-08-21 Thread Markus Koschany
On 21.08.2018 at 18:49, Bdale Garbee wrote: > Markus Koschany writes: [...] >> I think the patch could be removed for OpenJDK 11 but should be applied >> for OpenJDK 12 again. All build tools already emit a deprecation warning >> for source/target 1.6, so developers and

Bug#906785: version warping patch is overly aggressive

2018-08-21 Thread Markus Koschany
Hi Bdale, we all assumed that OpenJDK 11 will remove support for source/target 1.6. After a discussion on the OpenJDK mailing list they decided to postpone this change for OpenJDK 12. [1] The current patch simplifies our packaging work because we don't have to manually fix packages that still

Bug#903428: javadocs generated by javahelper include jquery

2018-08-11 Thread Markus Koschany
Hi tony, On 11.08.2018 at 20:12, tony mancill wrote: [...] > Hi Markus, > > I'm glad that you were able to discuss this directly with Matthias, and > thank you for sharing the gist of that conversation. For our sanity, I > will take a look to see if we can get the severity of the lintian >

Bug#903428: javadocs generated by javahelper include jquery

2018-08-11 Thread Markus Koschany
FTR: I have talked to Matthias Klose (doko) at DebConf18 about the embedding of jquery into javadoc packages. He pointed me to a similar discussion in doxygen which also embeds jquery while building doc packages. In short he doesn't consider it to be a worthwhile task because there is a risk of

Re: libjide-oss-java_3.7.4+dfsg-1_source.changes REJECTED

2018-07-28 Thread Markus Koschany
Hi, On 29.07.2018 at 09:18, Chris Lamb wrote: > apo, > >>> binary:libjide-oss-java-doc is NEW. > […] >> this error message is very strange. I have never removed the >> libjide-oss-java-doc binary package from src:libjide-oss-java. It does >> no longer exist in Debian. Any ideas why? > > Could

Re: libjide-oss-java_3.7.4+dfsg-1_source.changes REJECTED

2018-07-28 Thread Markus Koschany
On 29.07.2018 at 08:19, Debian FTP Masters wrote: > > > Source-only uploads to NEW are not allowed. > > binary:libjide-oss-java-doc is NEW. Hello, this error message is very strange. I have never removed the libjide-oss-java-doc binary package from src:libjide-oss-java. It does no longer

Bug#899183:

2018-07-27 Thread Markus Koschany
On 27.07.2018 at 18:21, Andrea Vacondio wrote: > Ok, I see that 2.0.11-1 works correctly but I'm a bit lost. I compiled > PDFBox using openjdk 10.0.2 with target/source 1.7 but I still get the > issue with my generated fontbox jar... see mine on the left has the > ByteBuffer return type causing

Bug#899183:

2018-07-27 Thread Markus Koschany
On 27.07.2018 at 15:12, Andrea Vacondio wrote: > Why not compile with --release 7? This way the generated bundle should > work with java 7 and above, or am I missing something? > My app is hit by this > https://bugs.launchpad.net/ubuntu/+source/pdfsam/+bug/1781130 and users > are currently

Bug#886394:

2018-07-20 Thread Markus Koschany
Hello Andrea, On 20.07.2018 at 15:52, Andrea Vacondio wrote: > PDFsam is developed using Java 8 and JavaFX. It should work on higher > versions provided they come with their JavaFX, as far as I know Oracle > JDK still bundles JavaFX, with a plan to separate the two soon. OpenJDK > already

Bug#857939: [libtcnative-1] Does not work without symlink

2018-07-18 Thread Markus Koschany
On 18.07.2018 at 13:41, Harald Dunkel wrote: > Asking all Java Standard Edition users to perform some manual > configuration steps is not helpful. They will just dislike both > your package and openjdk for being different to the "real" > Java version they are used to. > > Just my $0.02. Regards

Bug#903428: Got hit by #903428 too

2018-07-17 Thread Markus Koschany
On 17.07.2018 at 01:15, Martin Quinson wrote: > Hello, > > I'm building a package that provides some javadoc, so I got hit by that > bug myself too. The solution you propose (dropping javadoc packages) > does not exactly fit my needs, I must say ;) [...] A quick solution is to depend on

Bug#903428: javadocs generated by javahelper include jquery

2018-07-17 Thread Markus Koschany
Hi tony, On 17.07.2018 at 07:00, tony mancill wrote: [...] > > Hi Markus, > > Fair enough. I can see the value in providing javadoc (or at least a > way to build the javadoc) for older versions of libraries. > > I think Martin Quinson's suggestion of "shim" jquery package has some > merit.

Bug#903916: undertow: Keep it out of Buster

2018-07-16 Thread Markus Koschany
Source: undertow Version: 1.4.25-1 Severity: serious I am filing this bug report to prevent the migration of undertow to testing and subsequently being part of the next stable release Debian 10, "Buster". This was also briefly discussed with the Security Team. Reasons: - Undertow is regularly

Bug#903428: javadocs generated by javahelper include jquery

2018-07-11 Thread Markus Koschany
Hi tony, On 10.07.2018 at 05:22, tony mancill wrote: [...] > I'm in favor of dropping the -java-doc packages completely and instead > using our time and effort to improve the state of our runtime libraries, > toolchain and application packages. (It would be a different story if > we were

Bug#903428: javadocs generated by javahelper include jquery

2018-07-09 Thread Markus Koschany
On 09.07.2018 at 23:35, Emmanuel Bourg wrote: > On 09/07/2018 at 23:29, Markus Koschany wrote: > >> We should really aim for the simplest solution. Actually I don't see any >> need to patch the javadoc tool because we could easily solve this at the >> packaging level. J

Bug#903428: javadocs generated by javahelper include jquery

2018-07-09 Thread Markus Koschany
On 09.07.2018 at 23:26, Emmanuel Bourg wrote: > On 09/07/2018 at 23:14, Markus Koschany wrote: > >> I believe the use case of viewing javadoc outside of a Debian >> system is negligible and we should just symlink jquery. > > Viewing an API documentation from a lib*-

Bug#903428: javadocs generated by javahelper include jquery

2018-07-09 Thread Markus Koschany
On 09.07.2018 at 23:01, Emmanuel Bourg wrote: > On 09/07/2018 at 22:41, Christoph Berg wrote: > >> Or even better, have javadoc put in the symlink. > > Not a good idea. The javadoc generated would no longer be usable outside > Debian. Developers would no longer be able to generate the javadoc

Bug#902991: tomcat 7.0.56-3+really7.0.88-* regression

2018-07-05 Thread Markus Koschany
Control: retitle -1 jetty8: missing symlink to tomcat-coyote.jar Control: reassign -1 libjetty8-extra-java Control: found -1 8.1.16-4 On 05.07.2018 at 09:35, Sébastien QUESSON wrote: [...] > With tomcat-coyote-7.0.56-3+really7.0.88-2, UriUtil class is found: > jar tvf

Bug#902991: tomcat 7.0.56-3+really7.0.88-* regression

2018-07-04 Thread Markus Koschany
Hello, On 04.07.2018 at 17:54, Sébastien QUESSON wrote: [...] > Caused by: > javax.servlet.ServletException: java.lang.NoClassDefFoundError: > org/apache/tomcat/util/buf/UriUtil > ... > Caused by: > java.lang.NoClassDefFoundError: org/apache/tomcat/util/buf/UriUtil > at >

Bug#902776: libpdfbox-java: CVE-2018-8036

2018-06-30 Thread Markus Koschany
Control: owner -1 ! This is the maintainer address of Debian's Java team. Please use debian-j...@lists.debian.org for discussions and questions.

Bug#902776: libpdfbox-java: CVE-2018-8036

2018-06-30 Thread Markus Koschany
Package: libpdfbox-java X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for libpdfbox-java. CVE-2018-8036[0]: Vendor: The Apache Software Foundation Versions Affected: Apache PDFBox 1.8.0 to 1.8.14 Apache PDFBox 2.0.0 to

Bug#902670: tomcat7: version number causes exception in osgi startup

2018-06-30 Thread Markus Koschany
On 30.06.2018 at 02:04, EmTeedee wrote: > Hi, > > On 29/06/2018 18:05, Markus Koschany wrote: >> Ok, that makes sense. If this is the only MANIFEST file that needs an update, >> we can patch it with the next update. > > I changed the version number in

Re: lucene-solr in Debian : why not version 7.3.1?

2018-06-20 Thread Markus Koschany
Hi, On 18.06.2018 at 13:07, Alastair McKinstry wrote: > Hi, > > I'm wondering why lucene-solr in Debian is stuck at version 3.6.2 > (+dfsg-13) rather than moving to 7.3.1. > > The package appears to be actively maintained (last upload last month) > - are there dependency issues, etc? > >

Bug#891957: netbeans "loading module" modules.netbinox NullPointerException

2018-06-07 Thread Markus Koschany
Control: reopen -1 It seems there is another issue with libequinox-osgi-java. Building Netbeans from source works again but I still get the NullPointerException.

Bug#882525: jaxb 2.3.0.1-2 FTBFS

2018-06-03 Thread Markus Koschany
Control: reopen -1 jaxb 2.3.0.1-2 fails to build from source. Reopening.

Bug#882525: netbeans FTBFS with jaxb 2.3.0

2018-05-29 Thread Markus Koschany
On 29.05.2018 at 14:53, Emmanuel Bourg wrote: [...] > Well, I disagree with your analysis but since it seems you are having a > bad day I'm not going to argue and annoy you further with this issue. > I'm just asking for the severity to remain below RC until the Java 9 fix > migrates to testing.

Bug#882525: netbeans FTBFS with jaxb 2.3.0

2018-05-29 Thread Markus Koschany
On 29.05.2018 at 14:00, Emmanuel Bourg wrote: > On 29/05/2018 at 13:51, Markus Koschany wrote: > >> I can't remember. Feel free to try and implement your workaround but >> don't lower the severity of a 100 % RC bug until then. > > This issue matches the definition o

Bug#882525: netbeans FTBFS with jaxb 2.3.0

2018-05-29 Thread Markus Koschany
On 29.05.2018 at 13:46, Emmanuel Bourg wrote: > On 29/05/2018 at 13:07, Markus Koschany wrote: > >> I have already tried that weeks ago but to no avail. > > Did you try replacing the Ant task with an task invoking > the xjc command? I can't remember. Feel free to t

Bug#882525: netbeans FTBFS with jaxb 2.3.0

2018-05-29 Thread Markus Koschany
On 29.05.2018 at 13:28, Emmanuel Bourg wrote: > On 29/05/2018 at 13:07, Markus Koschany wrote: > >> I have already tried that weeks ago but to no avail. I think the >> severity should remain RC until jaxb is updated to fix this issue. It >> blocks any way to fix o

Bug#681726: Eclipse is 6 Years Behind in Debian

2018-05-25 Thread Markus Koschany
Hello, On 25.05.2018 at 21:50, Josh Blagden wrote: > Hi folks, > > I just wanted to make the observation that Debian has had the same > version of Eclipse for the last six years. When can we expect to see a > new version to the Debian repository? Maybe when a solar and lunar eclipse happen

Bug#899374: batik: CVE-2018-8013

2018-05-25 Thread Markus Koschany
This is apparently upstream bug BATIK-1222 https://issues.apache.org/jira/browse/BATIK-1222 Patch: https://svn.apache.org/viewvc?view=revision=1831241

Bug#899332: CVE-2018-8012: Apache ZooKeeper Quorum Peer mutual authentication

2018-05-22 Thread Markus Koschany
Package: zookeeper X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Fixed: 3.4.10-1 Hi, The following vulnerability was published for zookeeper. CVE-2018-8012[0]: | No authentication/authorization is enforced when a server attempts to | join a quorum in Apache ZooKeeper

Bug#899183: sub...@bugs.debian.org

2018-05-20 Thread Markus Koschany
Control: retitle -1 libpdfbox2-java: Hello, On 20.05.2018 at 14:23, Martin Kittel wrote: > Package: libpdfbox2-java > Version: 2.0.9-1 > Severity: important > > Dear Maintainer, > > I get the exception below when running my Java program using > libpdfbox2-java. I tried running the program

Bug#891956: Your mail

2018-05-14 Thread Markus Koschany
On 14.05.2018 at 22:21, Rafi Rubin wrote: > The dependencies for 3.8.1-11 end up requiring libequinox-osgi-java >= > 3.9.1 (through eclipse-rcp), which doesn't have > /usr/lib/eclipse/plugins/org.eclipse.osgi_3.8.1.dist.jar > > > Going back to stable, 3.8.1-10 for the eclipse packages at least

Bug#896929: java.ext.dirs is gone

2018-05-09 Thread Markus Koschany
Hi, On 09.05.2018 at 13:42, PaulLiu wrote: > Hi Markus, > > > Any suggested lib for replacements of rxtx?? There is an open issue about the current (non-)activity of rxtx development. https://github.com/rxtx/rxtx/issues/13 Someone suggested to use

Bug#896929: java.ext.dirs is gone

2018-05-01 Thread Markus Koschany
On 01.05.2018 at 15:48, deb...@fau.xxx wrote: > I traced this problem to RXTXCommDriver.java:415: > System.getProperty("java.ext.dirs") comes back null. It's illegal to > -Djava.ext.dirs on Java 10/11. The easiest fix appears to be to add a > second argument (default value) of the empty string,

Bug#896604: lucene-solr: CVE-2018-1308 XXE in DataImportHandler

2018-04-22 Thread Markus Koschany
Package: lucene-solr X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for lucene-solr. CVE-2018-1308[0]: | This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 | relates to an XML external entity expansion (XXE) in

Bug#896439: gradle-debian-helper points to an invalid java api directory

2018-04-21 Thread Markus Koschany
On 21.04.2018 at 19:57, Emmanuel Bourg wrote: > Hi Tiago, > > I don't think gradle-debian-helper should depend on default-jdk-doc by > default, this is a rather big dependency and it's preferable to keep it > optional to speed up the builds a bit. I think the packages using >

Bug#893312: lombok FTBFS with openjdk-9

2018-04-17 Thread Markus Koschany
I've fixed the original errors in Javac.java but there are more later on due to our friend OpenPain 9. I had no choice but to upgrade to a newer lombok version. Now I'm stuck because ecj can't be found. Markus

Bug#895920: ecj: only a virtual package and not installable

2018-04-17 Thread Markus Koschany
Source: ecj Version: 3.13.2-2 Severity: serious while I was having some fun with lombok, I discovered that ecj is just a virtual package and not installable. I don't think that's intended. Markus

Bug#895778: jruby: Several security vulnerabilities

2018-04-15 Thread Markus Koschany
Package: jruby X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for jruby. Apparently rubygems is embedded into jruby which makes it vulnerable too. CVE-2018-179[0]: | RubyGems version Ruby 2.2 series: 2.2.9 and earlier,
