Le 09/12/2017 à 23:49, Moritz Mühlenhoff a écrit : > Yeah, but libspring-java is not the issue here, it's jasperreports: > We ship a jasperreports package of an uncooperative upstream which > would need to see full backports across all supported suites since > they don't tell us how to fix this with backports (or actually any > vulnerability information).
Yes but since jasperreports isn't used anyway there is no need to backport the fixes, that's the point I was trying to make. Until jasperreports is actually used in Debian we can educate upstream about the importance of documenting the security fixes. __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.