Source: undertow
Version: 1.4.25-1
Severity: serious

I am filing this bug report to prevent the migration of undertow to testing and subsequently being part of the next stable release Debian 10, "Buster". This was also briefly discussed with the Security Team.

Reasons:

- Undertow is regularly affected by security vulnerabilities but upstream often does not provide enough information to fix the issue with a targeted patch. Sometimes additional information is not public or is only disclosed weeks and months later. I have filed a bug report and suggested to improve the communication policy but so far nothing has happened.
- Undertow has no reverse-dependencies besides syncany in experimental.

Once Buster is released, this bug report can be closed again and hopefully the situation has improved by then.

Markus