On Wed, Jan 26, 2011 at 07:46:32PM +0100, Damien Raude-Morvan wrote:
> Hi,
>
> On Tuesday 25 January 2011 23:02:18, Moritz Muehlenhoff wrote:
> > See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438
> >
> > Please get in touch with Oracle to check, what "unspecified
> > vulnerability" they fixed...
>
> From CVE abstract:
> "
> Sun GlassFish Enterprise Server contains a flaw related to the 'Java Message
> Service (JMS)' sub-component that may allow a local attacker to have a
> partial affect on integrity and confidentiality and cause a denial of
> service. No further details have been provided.
> "
>
> As we hardly build any real "Glassfish Server" but just some parts of API
> library from Java EE specifications.
> FYI, /usr/share/java/glassfish-jms.jar is just a collection of interfaces and
> doesn't have any implementations of a JMS server.
>
> So I don't think Debian package is affected by this issue, but we'll have to
> wait until Oracle/Glassfish team publish some source code to confirm this.

Ok, I've updated the Security Tracker to mark it as not-affected. I wasn't
aware that the Debian Glassfish package doesn't provide the full stack.

Cheers,
        Moritz