On Wed, Jan 26, 2011 at 07:46:32PM +0100, Damien Raude-Morvan wrote:
> Hi,
> 
> Le mardi 25 janvier 2011 23:02:18, Moritz Muehlenhoff a écrit :
> > See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4438
> > 
> > Please get in touch with Oracle to check, what "unspecified
> > vulnerability" they fixed...
> 
> From CVE abstract :
> "
> Sun GlassFish Enterprise Server contains a flaw related to the 'Java Message 
> Service (JMS)' sub-component that may allow a local attacker to have a 
> partial 
> affect on integrity and confidentiality and cause a denial of service. No 
> further details have been provided. 
> "
> 
> As we hardly build any real "Glassfish Server" but just some parts of API 
> library from Java EE specifications.
> FYI, /usr/share/java/glassfish-jms.jar is just a collection of interfaces and 
> don't have any implementations of a JMS server.
> 
> So I don't think Debian package is affected by this issue, but we'll have to 
> wait until Oracle/Glassfish team publish some source code to confirm ths.

Ok, I've updated the Security Tracker to mark it as not-affected. I wasn't
aware that the Debian Glassfish package doesn't provide the full stack.

Cheers,
        Moritz



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to