Hi Emmanuel,

On Sat, May 30, 2020 at 02:50:32PM +0200, Emmanuel Bourg wrote:
> Control: severity -1 important
>
> On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote:
>
> > The following vulnerability was published for jodd. I'm filing it as
> > RC severity since although one might dispute the severity for the issue
> > itself, it looks like in Debian there was ever only one upload of
> > jodd, and there are no reverse (build) dependencies either.
> >
> > Is the package actually of some use or planned use?
>
> Thank you for the report Salvatore.
>
> jodd is a new dependency of JMeter 3, I haven't finished the packaging yet.
>
> Note that the fix for CVE-2018-21234 merely adds an optional
> whitelisting feature to check the classes being deserialized. But the
> default behavior is still the same (no check), so the charge of
> addressing the vulnerability is actually shifted to the applications
> using jodd.
Back when we lowered the severity this above was the reasoning, but
jmeter 3 is not in bullseye. So should we remove src:jodd to at least
not be included in bullseye? According to dak this is no problem to do:

carnil@coccia:~$ dak rm --suite=testing -n -R jodd
Will remove the following packages from testing:

        jodd |    3.8.6-1.1 | source
libjodd-java |    3.8.6-1.1 | all

Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
No dependency problem found.

carnil@coccia:~$

Regards,
Salvatore
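As an added illustration of the distinction Emmanuel draws above (an unchecked deserialization path beside an opt-in class allow-list), here is plain java.io code; it is not code from jodd, JMeter or this bug report, and it does not show jodd's own whitelisting API. The entries in ALLOWED and the two constructed sample payloads are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

// Added example, not jodd's API: the same payload read with no class check
// and with an application-supplied allow-list enforced before class loading.
public class AllowListDeserializer {

    // Hypothetical allow-list: the only types this application expects in a stream.
    // java.lang.Number is needed because it is the Serializable superclass of Integer
    // and therefore also appears as a class descriptor in the stream.
    static final Set<String> ALLOWED = Set.of(
            "java.lang.Integer", "java.lang.Number");

    // Default behaviour, as the thread describes for jodd: no check at all.
    // Every class descriptor in the stream is resolved and instantiated.
    static Object readUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Opt-in behaviour: resolveClass() is the hook called for each class descriptor
    // before the class is loaded, so rejecting here stops unexpected types early.
    static Object readChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException("class not on allow-list: " + desc.getName());
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    // Helper to build constructed sample payloads for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected type, one the application never asked for.
        byte[] expected = serialize(Integer.valueOf(42));
        byte[] unexpected = serialize(new java.util.Date());

        // Unchecked read accepts anything that is on the classpath.
        System.out.println("unchecked: " + readUnchecked(unexpected));

        // Checked read accepts the allow-listed type ...
        System.out.println("checked:   " + readChecked(expected));

        // ... and rejects the other before its class is loaded.
        try {
            readChecked(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("checked:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The point of the split is the one made in the thread: with the library's default left in place, the application gets readUnchecked(); only an application that deliberately wires in something like the resolveClass() override gets the protection, so each consumer of the library has to do this work itself.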