On 08/23/2014 04:28 AM, Henri Salo wrote:
Package: mojarra
Version: 2.0.3-3
Severity: critical
Tags: security
Please remove mojarra source package from Debian as it has been unmaintained
and contains several unfixed security vulnerabilities with no replies from
maintainer.
https://packages.debian.org/source/sid/mojarra
http://packages.qa.debian.org/m/mojarra.html
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mojarra
CVE-2012-2672: https://bugs.debian.org/677194 Jun 2012
CVE-2013-5855: https://bugs.debian.org/740586 Mar 2014
Moritz commented to this in private email:
Unmaintained packages should be removed, but spring build-depends on
one of the libs from mojarra:
jmm@pisco:~$ build-rdeps libjsf-api-java
Reverse Build-depends in main:
--
libspring-java
So it needs to be checked whether that can be dropped from Spring.
If maintainer shows some activity I could help to get these issues fixed.
---
Henri Salo
Hi Henri,
I'm not claiming that we shouldn't consider removing this, but we should
be aware that there will be a considerable cascade effect from this.
Without mojarra in the archive, src:libspring-java will not build, and
taking a look at just one of the libspring-java binary packages, we see:
$ reverse-depends -b libspring-web-java
Reverse-Build-Depends-Indep
===
* acegi-security
* activemq
* jenkins
* libshib-common-java
* libxbean-java
* mule
* red5
* tiles
Reverse-Build-Depends
=
* jasypt
* libspring-security-2.0-java
* libspring-webflow-2.0-java
Now, let's see what happens with libxbean-java:
$ reverse-depends -b libxbean-java
Reverse-Build-Depends-Indep
===
* activemq
* maven-plugin-tools
* plexus-containers
* plexus-containers1.5
As you continue to pull the thread (try plexus-containers), the cascade
widens. All of those would become FTBFS and thus should also be
removed. (And maybe that's the right thing to do - we need to talk
about how much can be reasonably supported by the Java Team.)
My request would be that we revisit this bug in a week's time
(after DebConf). DC14 will be the first time for some members of the
Java Team to meet face-to-face and get to discuss the state of team
maintenance.
Zooming back down to the specific issue at hand, we may be able to
resolve the current CVEs quickly with an upload of mojarra 2.2.8.
Packaging help is always welcome.
Thank you,
tony
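The cascade tony describes, worked through as an added example (this is not code from the thread or from any Debian tool): a transitive walk over the reverse build-dependency edges quoted above, listing every package that would FTBFS once mojarra leaves the archive and the chain that breaks it. It assumes, as a simplification, that binary and source package names can be collapsed into one namespace, and it stops where the thread's output stops (the reverse build-depends of plexus-containers and the others are not listed there).

```python
from collections import deque

# Reverse build-dependency edges transcribed from the thread above.
# Binary and source names are collapsed into one namespace (assumption);
# packages not queried in the thread simply have no outgoing edges here.
REVERSE_BUILD_DEPS = {
    "mojarra": ["libspring-java"],                 # via libjsf-api-java
    "libspring-java": [                            # via libspring-web-java
        "acegi-security", "activemq", "jenkins", "libshib-common-java",
        "libxbean-java", "mule", "red5", "tiles",
        "jasypt", "libspring-security-2.0-java", "libspring-webflow-2.0-java",
    ],
    "libxbean-java": [
        "activemq", "maven-plugin-tools",
        "plexus-containers", "plexus-containers1.5",
    ],
}


def removal_cascade(graph, removed):
    """Return {package: chain} for every package that would FTBFS if
    `removed` left the archive. `chain` is the list of packages from
    `removed` down to that package, i.e. why it stops building."""
    chains = {}
    queue = deque([(removed, [removed])])
    while queue:
        pkg, path = queue.popleft()
        for rdep in graph.get(pkg, []):
            if rdep in chains:          # already reached by a shorter chain
                continue
            chains[rdep] = path + [rdep]
            queue.append((rdep, chains[rdep]))
    return chains


if __name__ == "__main__":
    affected = removal_cascade(REVERSE_BUILD_DEPS, "mojarra")
    print(f"{len(affected)} packages would FTBFS without mojarra:")
    for pkg, chain in sorted(affected.items()):
        print(f"  {pkg}: {' -> '.join(chain)}")
```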