Package: openjdk-11-jre-headless
Version: 11.0.15+10-1~deb11u1
Severity: normal

Dear Maintainer,

We use debian-slim to create Docker images for Java-based services. In
the context of the current CVEs[1] we found that
openjdk-11-jre-headless depends on libfreetype6, in contrast to some other
distributions. Besides that, we found other dependencies where we
are surprised that these packages are needed, e.g. libasound2 for a
headless Java setup. Is there a reason for libfreetype, or is it possible
to remove this dependency to get rid of the linked CVEs[1]?

$ apt-cache depends openjdk-11-jre-headless
openjdk-11-jre-headless
  Hängt ab von: ca-certificates-java
  Hängt ab von: java-common
  Hängt ab von: libcups2
  Hängt ab von: liblcms2-2
  Hängt ab von: libjpeg62-turbo
  Hängt ab von: libfontconfig1
  Hängt ab von: libnss3
  Hängt ab von: util-linux
  Hängt ab von: libasound2
  Hängt ab von: libc6
  Hängt ab von: libfreetype6
  Hängt ab von: libgcc-s1
  Hängt ab von: libharfbuzz0b
  Hängt ab von: libpcsclite1
  Hängt ab von: libstdc++6
  Hängt ab von: zlib1g

Cheers
Sascha

[1] https://security-tracker.debian.org/tracker/CVE-2022-27406

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (300, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-10-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openjdk-11-jre-headless depends on:
ii  ca-certificates-java  20190909
ii  java-common           0.72
ii  libasound2            1.2.4-1.1
ii  libc6                 2.31-13+deb11u2
ii  libcups2              2.3.3op2-3+deb11u1
ii  libfontconfig1        2.13.1-4.2
ii  libfreetype6          2.10.4+dfsg-1 
ii  libgcc-s1             10.2.1-6
ii  libharfbuzz0b         2.7.4-1
ii  libjpeg62-turbo       1:2.0.6-4
ii  liblcms2-2            2.12~rc1-2
ii  libnss3               2:3.61-1+deb11u1
ii  libpcsclite1          1.9.1-1
ii  libstdc++6            10.2.1-6
ii  util-linux            2.36.1-8
ii  zlib1g                1:1.2.11.dfsg-2

openjdk-11-jre-headless recommends no packages.

Versions of packages openjdk-11-jre-headless suggests:
ii  fonts-dejavu-extra                     2.37-2
pn  fonts-indic                            <none>
pn  fonts-ipafont-gothic                   <none>
pn  fonts-ipafont-mincho                   <none>
pn  fonts-wqy-microhei | fonts-wqy-zenhei  <none>
ii  libnss-mdns                            0.14.1-2

-- no debconf information
