Package: openjdk-11-jre-headless Version: 11.0.15+10-1~deb11u1 Severity: normal
Dear Maintainer, we use debian-slim to create docker images for java based services. In the context of the current CVEs[1] we found that the openjdk-11-jre-headless depends to libfreetype6 in contrast to some other distributions. Beside that we found other dependencies where we are surprised that these packages are needed e.g. libasound2 for a headless java setup. Is there a reason for libfreetype or it is possible to remove this dependency to get rid of the linked CVEs[1]? $ apt-cache depends openjdk-11-jre-headless openjdk-11-jre-headless Hängt ab von: ca-certificates-java Hängt ab von: java-common Hängt ab von: libcups2 Hängt ab von: liblcms2-2 Hängt ab von: libjpeg62-turbo Hängt ab von: libfontconfig1 Hängt ab von: libnss3 Hängt ab von: util-linux Hängt ab von: libasound2 Hängt ab von: libc6 Hängt ab von: libfreetype6 Hängt ab von: libgcc-s1 Hängt ab von: libharfbuzz0b Hängt ab von: libpcsclite1 Hängt ab von: libstdc++6 Hängt ab von: zlib1g Cheers Sascha [1] https://security-tracker.debian.org/tracker/CVE-2022-27406 -- System Information: Debian Release: 11.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (300, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-10-amd64 (SMP w/8 CPU threads) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages openjdk-11-jre-headless depends on: ii ca-certificates-java 20190909 ii java-common 0.72 ii libasound2 1.2.4-1.1 ii libc6 2.31-13+deb11u2 ii libcups2 2.3.3op2-3+deb11u1 ii libfontconfig1 2.13.1-4.2 ii libfreetype6 2.10.4+dfsg-1 ii libgcc-s1 10.2.1-6 ii libharfbuzz0b 2.7.4-1 ii libjpeg62-turbo 1:2.0.6-4 ii liblcms2-2 2.12~rc1-2 ii libnss3 2:3.61-1+deb11u1 ii libpcsclite1 1.9.1-1 ii libstdc++6 10.2.1-6 ii util-linux 2.36.1-8 ii zlib1g 1:1.2.11.dfsg-2 openjdk-11-jre-headless recommends no packages. Versions of packages openjdk-11-jre-headless suggests: ii fonts-dejavu-extra 2.37-2 pn fonts-indic <none> pn fonts-ipafont-gothic <none> pn fonts-ipafont-mincho <none> pn fonts-wqy-microhei | fonts-wqy-zenhei <none> ii libnss-mdns 0.14.1-2 -- no debconf information