Hi Sylvain, Am Freitag, dem 03.12.2021 um 14:28 +0100 schrieb Sylvain Beucler: > Hi, > > This year I worked on libspring-java twice for LTS&ELTS. In both case > upstream provided limited information for the CVEs, and for 5 of them > we're unable to determine the fixes. > https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java > > Upstream declined to provide information to identify the fixes (which in > turn would allow us to determine whether stretch and jessie are > affected, and backport the fixes if needed). > https://github.com/spring-projects/spring-framework/issues/26821 > https://github.com/spring-projects/spring-framework/issues/27647 > > They made clear that they wouldn't provide this information even if > paid, confirming they apply a security-by-obscurity strategy similar to > Oracle's. > > I exchanged with the Debian security team after they witnessed the last > exchanges above, and 2 weeks ago they concluded the latest CVE was minor > and no action was needed right now. I insisted about the other, prior > unfixable CVEs (1/4 impacting buster) but they haven't answered yet. > > I think we're not in capacity to offer further security support for > libspring-java for LTS and ELTS, but I'd like to hear from other team > members, especially if they work in the Java team (Markus?) - what do > you think? > > Cheers! > Sylvain Beucler > Debian LTS Team >
I have made similar experiences like you when I contacted upstream and asked for more information about previous CVE. I agree with you that their policy makes future security support for us nearly impossible. Currently the main purpose of libspring-java is to build other software from source. We don't ship any application or web project that depends on Spring and exposes users to the currently unfixed CVE which means the current status of all CVE in Stretch/Buster/Bullseye (no-dsa/minor) is correct. It is also very unlikely that Java developers who use Spring/Spring Boot for their web applications depend on one of our Debian packages. In my opinion it is OK to ignore the currently known CVE. I would support adding libspring-java to the list of unsupported packages because of the lack of upstream support. We, as the Java team, should make this clear by mentioning libspring-java in the next release notes for Debian 12. Regards, Markus
signature.asc
Description: This is a digitally signed message part
