On Mon, May 14, 2012 at 12:13:50AM +0200, Damien Raude-Morvan wrote:
>Hi all,
>
>On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
>> >Sadly, no :/ I must admit that Oracle does not publish details of its
>> >fixes so it's hard to confirm firmly which component exactly is
>> >impacted.
>> >
>> >I'll try to revive my contact @Oracle to get some feedback on this
>> >issue (on future security issues).
>>
>> Hi,
>>
>> Any news on this?
>
>I'll just start by restating my initial comment on both issues:
>-----
>We don't build any real "Glassfish Server" but just some parts of the API
>library used as Java EE specifications. As for any specification, this is
>just a collection of interfaces and doesn't have much more implementation
>than dumb or stub code.
>-----
>
>So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
>packages.

OK, fair enough.

>But I cannot be 100% sure since:
>- Upstream bugtracker [1] doesn't contain any reference to those security
>  issues
>- My Oracle contact (GlassFish community manager) only told me that
>  "CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to
>  3.1.1 for paying customers). The fix is in the trunk and will be
>  integrated in the 3.1.2 release scheduled for later this quarter"
>
>I don't think I'll do further investigation on those issues...
>At least, there is one instructive thing: we have to think twice before
>integrating a full-blown Glassfish JEE server (i.e. not just the API) into
>Debian, as from my point of view Glassfish security is not handled as an
>open source project should.

Yes, I'd have to agree with that. :-(

If you're *reasonably* confident that we're not affected by those CVE
issues, is it worth maybe dropping the severity of the Debian bugs from
serious?

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss