On 09/12/2017 at 23:49, Moritz Mühlenhoff wrote:
> Yeah, but libspring-java is not the issue here, it's jasperreports:
> We ship a jasperreports package of an uncooperative upstream which
> would need to see full backports across all supported suites since
> they don't tell us how to fix this with backports (or actually any
> vulnerability information).

Yes, but since jasperreports isn't used anyway, there is no need to backport the fixes; that's the point I was trying to make. Until jasperreports is actually used in Debian, we can educate upstream about the importance of documenting the security fixes.