Bug#758972: Please remove mojarra

2014-08-23 Thread Henri Salo
Package: mojarra
Version: 2.0.3-3
Severity: critical
Tags: security

Please remove the mojarra source package from Debian, as it has been unmaintained and
contains several unfixed security vulnerabilities with no replies from the
maintainer.

https://packages.debian.org/source/sid/mojarra
http://packages.qa.debian.org/m/mojarra.html
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mojarra

CVE-2012-2672: https://bugs.debian.org/677194 Jun 2012
CVE-2013-5855: https://bugs.debian.org/740586 Mar 2014

Moritz commented on this in a private email:


Unmaintained packages should be removed, but spring build-depends on
one of the libs from mojarra:

jmm@pisco:~$ build-rdeps libjsf-api-java
Reverse Build-depends in main:
--

libspring-java

So it needs to be checked whether that can be dropped from Spring.


If the maintainer shows some activity, I could help to get these issues fixed.

---
Henri Salo


signature.asc
Description: Digital signature
__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#758972: Please remove mojarra

2014-08-23 Thread tony mancill
On 08/23/2014 04:28 AM, Henri Salo wrote:
> Package: mojarra
> Version: 2.0.3-3
> Severity: critical
> Tags: security
> 
> Please remove mojarra source package from Debian as it has been unmaintained and
> contains several unfixed security vulnerabilities with no replies from
> maintainer.
> 
> https://packages.debian.org/source/sid/mojarra
> http://packages.qa.debian.org/m/mojarra.html
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mojarra
> 
> CVE-2012-2672: https://bugs.debian.org/677194 Jun 2012
> CVE-2013-5855: https://bugs.debian.org/740586 Mar 2014
> 
> Moritz commented to this in private email:
> 
> 
> Unmaintained packages should be removed, but spring build-depends on
> one of the libs from mojarra:
> 
> jmm@pisco:~$ build-rdeps libjsf-api-java
> Reverse Build-depends in main:
> --
> 
> libspring-java
> 
> So it needs to be checked whether that can be dropped from Spring.
> 
> 
> If maintainer shows some activity I could help to get these issues fixed.
> 
> ---
> Henri Salo

Hi Henri,

I'm not claiming that we shouldn't consider removing this, but we should
be aware that there will be a considerable cascade effect from this.
Without mojarra in the archive, src:libspring-java will not build, and
taking a look at just one of the libspring-java binary packages, we see:

$ reverse-depends -b libspring-web-java
Reverse-Build-Depends-Indep
===
* acegi-security
* activemq
* jenkins
* libshib-common-java
* libxbean-java
* mule
* red5
* tiles

Reverse-Build-Depends
=
* jasypt
* libspring-security-2.0-java
* libspring-webflow-2.0-java

Now, let's see what happens with libxbean-java:

$ reverse-depends -b libxbean-java
Reverse-Build-Depends-Indep
===
* activemq
* maven-plugin-tools
* plexus-containers
* plexus-containers1.5

As you continue to pull the thread (try plexus-containers), the cascade
widens.  All of those would become FTBFS and thus should also be
removed.  (And maybe that's the right thing to do - we need to talk
about how much can be reasonably supported by the Java Team.)

My request would be that we revisit this bug in a week's time
(after DebConf).  DC14 will be the first time for some members of the
Java Team to meet face-to-face and get to discuss the state of team
maintenance.

Zooming back down to the specific issue at hand, we may be able to
resolve the current CVEs quickly with an upload of mojarra 2.2.8.

Packaging help is always welcome.

Thank you,
tony



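The cascade tony walks through by hand above, as an added example that is not part of the bug thread: a small Python script that parses `reverse-depends -b` style output and follows reverse build-dependencies transitively, so the impact of removing a vulnerable source package can be estimated from saved tool output before filing a removal request. The three listings are transcribed from the outputs quoted in the thread (the `build-rdeps` one rewritten in `reverse-depends` format); the source-to-binary mapping `BINARIES_OF` and the function names are assumptions made for this example, not Debian tooling.

```python
"""Estimate the FTBFS cascade that removing a source package would cause.

Added example, not from the bug report: parse `reverse-depends -b` style
output and walk reverse build-dependencies transitively.
"""
from collections import deque

# Constructed input: the three listings quoted in the thread, keyed by the
# binary package that was queried. The libjsf-api-java listing was produced
# with build-rdeps in the thread; it is transcribed here in the same format
# as the other two so one parser handles all of them.
SAMPLE_OUTPUT = {
    "libjsf-api-java": """\
Reverse-Build-Depends
=====================
* libspring-java
""",
    "libspring-web-java": """\
Reverse-Build-Depends-Indep
===========================
* acegi-security
* activemq
* jenkins
* libshib-common-java
* libxbean-java
* mule
* red5
* tiles

Reverse-Build-Depends
=====================
* jasypt
* libspring-security-2.0-java
* libspring-webflow-2.0-java
""",
    "libxbean-java": """\
Reverse-Build-Depends-Indep
===========================
* activemq
* maven-plugin-tools
* plexus-containers
* plexus-containers1.5
""",
}

# Assumption for this example: which queried binary belongs to which source
# package. The thread says libjsf-api-java comes from mojarra and
# libspring-web-java from libspring-java; libxbean-java is used as both source
# and binary name here. Real source packages usually ship several binaries.
BINARIES_OF = {
    "mojarra": ["libjsf-api-java"],
    "libspring-java": ["libspring-web-java"],
    "libxbean-java": ["libxbean-java"],
}


def parse_reverse_depends(text):
    """Parse reverse-depends output into {section header: {source package}}.

    Headers are plain lines ("Reverse-Build-Depends"), underlines of '=' or
    '-' are skipped, and '* name' lines are entries of the current section.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "-"}:
            continue
        if line.startswith("* "):
            if current is not None:
                sections[current].add(line[2:].strip())
            continue
        current = line
        sections.setdefault(current, set())
    return sections


def reverse_build_deps(outputs):
    """Collapse parsed listings to {binary package: set of source packages}."""
    graph = {}
    for binary, text in outputs.items():
        rdeps = set()
        for pkgs in parse_reverse_depends(text).values():
            rdeps |= pkgs
        graph[binary] = rdeps
    return graph


def ftbfs_cascade(removed_src, graph, binaries_of):
    """Breadth-first walk returning {source package: hops from removed_src}.

    A source package whose binaries are absent from `graph` has simply not
    been queried yet, so the walk stops there; "pulling the thread" further
    means running reverse-depends for it and adding the output.
    """
    hops = {}
    queue = deque([(removed_src, 0)])
    seen = {removed_src}
    while queue:
        src, depth = queue.popleft()
        for binary in binaries_of.get(src, []):
            for rdep in sorted(graph.get(binary, ())):
                if rdep not in seen:
                    seen.add(rdep)
                    hops[rdep] = depth + 1
                    queue.append((rdep, depth + 1))
    return hops


def report(hops):
    """Group affected source packages by distance, one printable line each."""
    lines = []
    for depth in sorted(set(hops.values())):
        names = sorted(p for p, d in hops.items() if d == depth)
        lines.append(f"{depth} hop(s): {', '.join(names)}")
    return lines


if __name__ == "__main__":
    graph = reverse_build_deps(SAMPLE_OUTPUT)
    affected = ftbfs_cascade("mojarra", graph, BINARIES_OF)
    print(f"Removing mojarra would leave {len(affected)} source packages FTBFS:")
    print("\n".join(report(affected)))
```

With only the three listings from the thread, the walk already reaches 15 source packages (libspring-java at one hop, its eleven reverse build-dependencies at two, and three more via libxbean-java at three); packages such as plexus-containers stop the walk only because their own reverse-depends output is not in the sample, which is exactly the point at which the manual check in the thread also continues.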