Bug#611130: CVE-2010-2087
On Sun, May 13, 2012 at 09:23:45PM +0200, Moritz Mühlenhoff wrote:
> On Sun, May 13, 2012 at 05:52:05PM +0100, Steve McIntyre wrote:
> > On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
> > > #tag 611130 + idontgiveadamn
> > > tag 611130 + moreinfo
> > > kthxbye
> > >
> > > Upstream doesn't answer any request about this bug. I sent emails, I posted in their discussion forum and even joined their IRC channel to ask a couple of questions about this bug. I didn't receive any answer, I can say I was completely ignored.
> > >
> > > There is no info at Mitre website and AFAIK this issue is not fixed in any other free software distribution.
> > >
> > > I have neither time nor interest in this, good luck to anybody interested in fixing this bug. Be aware of uncooperative upstream.
> >
> > Given this, this package looks like a prime candidate for removal from the archive to be honest. Thoughts?
>
> I concur, but libspring build-depends on it, something which needs to be addressed somehow.

Ick. :-(

--
Steve McIntyre, Cambridge, UK. st...@einval.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.

Bug#611130: CVE-2010-2087
On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
> #tag 611130 + idontgiveadamn
> tag 611130 + moreinfo
> kthxbye
>
> Upstream doesn't answer any request about this bug. I sent emails, I posted in their discussion forum and even joined their IRC channel to ask a couple of questions about this bug. I didn't receive any answer, I can say I was completely ignored.
>
> There is no info at Mitre website and AFAIK this issue is not fixed in any other free software distribution.
>
> I have neither time nor interest in this, good luck to anybody interested in fixing this bug. Be aware of uncooperative upstream.

Given this, this package looks like a prime candidate for removal from the archive to be honest. Thoughts?

--
Steve McIntyre, Cambridge, UK. st...@einval.com
Who needs computer imagery when you've got Brian Blessed?

Bug#611130: CVE-2010-2087
On Sun, May 13, 2012 at 05:52:05PM +0100, Steve McIntyre wrote:
> On Sun, Oct 02, 2011 at 05:53:48PM -0430, Miguel Landaeta wrote:
> > #tag 611130 + idontgiveadamn
> > tag 611130 + moreinfo
> > kthxbye
> >
> > Upstream doesn't answer any request about this bug. I sent emails, I posted in their discussion forum and even joined their IRC channel to ask a couple of questions about this bug. I didn't receive any answer, I can say I was completely ignored.
> >
> > There is no info at Mitre website and AFAIK this issue is not fixed in any other free software distribution.
> >
> > I have neither time nor interest in this, good luck to anybody interested in fixing this bug. Be aware of uncooperative upstream.
>
> Given this, this package looks like a prime candidate for removal from the archive to be honest. Thoughts?

I concur, but libspring build-depends on it, something which needs to be addressed somehow.

Cheers,
Moritz

Bug#611130: CVE-2010-2087
#tag 611130 + idontgiveadamn
tag 611130 + moreinfo
kthxbye

Upstream doesn't answer any request about this bug. I sent emails, I posted in their discussion forum and even joined their IRC channel to ask a couple of questions about this bug. I didn't receive any answer, I can say I was completely ignored.

There is no info at Mitre website and AFAIK this issue is not fixed in any other free software distribution.

I have neither time nor interest in this, good luck to anybody interested in fixing this bug. Be aware of uncooperative upstream.

--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
Faith means not wanting to know what is true. -- Nietzsche

Bug#611130: CVE-2010-2087
On Tue, Aug 23, 2011 at 08:12:51PM -0430, Miguel Landaeta wrote:
> On Mon, Jul 25, 2011 at 02:05:01PM +0200, Moritz Mühlenhoff wrote:
> > What's the result?
>
> Upstream is totally unresponsive about this issue. I have reviewed changelog of subsequent releases and this doesn't seem to be fixed.
>
> I have lost almost all motivation to try to fix this, but I'll give another try to check again with upstream to see what they have to say.

This reminded me of http://pwnies.com/archive/2010/winners/:

--
Pwnie for Best Server-Side Bug
(..)
Credit: Meder Kydyraliev
(..)
Meder gets bonus points for having to track down developers on IRC to get the vulnerability fixed after receiving no response from secur...@struts.apache.org.
--

Maybe you should try IRC as well...

Cheers,
Moritz

Bug#611130: CVE-2010-2087
On Mon, Jul 25, 2011 at 02:05:01PM +0200, Moritz Mühlenhoff wrote:
> What's the result?

Upstream is totally unresponsive about this issue. I have reviewed changelog of subsequent releases and this doesn't seem to be fixed.

I have lost almost all motivation to try to fix this, but I'll give another try to check again with upstream to see what they have to say.

--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
Faith means not wanting to know what is true. -- Nietzsche

Bug#611130: CVE-2010-2087
On Thu, Jan 27, 2011 at 09:53:10AM -0430, Miguel Landaeta wrote:
> On Tue, Jan 25, 2011 at 09:43:36PM +0100, Moritz Muehlenhoff wrote:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087
> >
> > Please get in touch with upstream, whether this has been addressed.
>
> I just notified upstream to take a look at this and I'm waiting for their reply.

What's the result?

Cheers,
Moritz

Bug#611130: CVE-2010-2087
On Tue, Jan 25, 2011 at 09:43:36PM +0100, Moritz Muehlenhoff wrote:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087
>
> Please get in touch with upstream, whether this has been addressed.

I just notified upstream to take a look at this and I'm waiting for their reply.

Cheers,

--
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
Faith means not wanting to know what is true. -- Nietzsche

Bug#611130: CVE-2010-2087
Package: mojarra
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087

Please get in touch with upstream, whether this has been addressed.

Cheers,
Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Bug#611130: CVE-2010-2087
user release.debian@packages.debian.org
usertag 611130 squeeze-can-defer
tag 611130 squeeze-ignore
kthxbye

On Tue, Jan 25, 2011 at 21:43:36 +0100, Moritz Muehlenhoff wrote:
> Package: mojarra
> Severity: grave
> Tags: security
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2087
>
> Please get in touch with upstream, whether this has been addressed.

Not a blocker, can be fixed post release.

Cheers,
Julien