On Wed, 18 Oct 2017 13:29:19 +0200 Emmanuel Bourg <ebo...@apache.org> wrote:
> Upstream has moved to GitHub [1] and the last update was released in
> 2014 but the security issue is still not fixed [2].
> 
> This was a dependency of Jenkins which is now gone. There is a slim
> chance that this package could be useful again in the future since it's
> a dependency of some Apache projects (Zeppelin, Atlas, Ranger and Knox).
> 
> Emmanuel Bourg
> 
> [1] https://github.com/kohsuke
> [2] https://github.com/kohsuke/libpam4j/issues/18

Apparently Red Hat patched their libpam4j package but they didn't
forward the patch upstream.

https://bugzilla.redhat.com/show_bug.cgi?id=1503103

Actually I agree with Raphael. The software is unmaintained upstream and
unused in Debian. It's rather scary that other projects depend on it,
especially when it comes to security-sensitive matters like PAM. In the
end it can always be reintroduced if someone really intends to maintain it.





__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.
