Phasing out libnetty-java (was Re: Bug#796114: CVE-2015-2156)

To: debian-java@lists.debian.org, 796114@bugs.debian.org
Subject: Phasing out libnetty-java (was Re: Bug#796114: CVE-2015-2156)
From: Charles Plessy <plessy@debian.org>
Date: Thu, 20 Aug 2015 20:40:46 +0900
Message-id: <[🔎] 20150820114046.GE26729@falafel.plessy.net>
In-reply-to: <20150819145958.20760.72427.reportbug@pisco.westfalen.local>
References: <20150819145958.20760.72427.reportbug@pisco.westfalen.local>

Le Wed, Aug 19, 2015 at 04:59:58PM +0200, Moritz Muehlenhoff a écrit :
> Source: netty
> Severity: grave
> Tags: security
> 
> This was assigned CVE-2015-2156:
> http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
> 
> Fix:
> https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8.patch
> 
> In addition to src:netty (3.2.6), there's also src:netty-3.9 (3.9.0)
> and there was also src:netty3.1 at some point (now removed).
> 
> Please phase out src:netty towards the updated src:netty-3.9 so that
> there's only one version around.

Hello everybody,

in my understanding, libnetty-java is a relic of when we attempted to package
Eucalyptus in Debian.  However, there are two new packages, zookeeper and
bookkeeper, created recently, that depend on libnetty-java instead of the more
recent libnetty-3.9-java.

Is that because of incompatibility ?  If libnetty-java is still needed, would
it be possible to transfer it under the umbrella of the Debian Java team ?

Have a nice day,

Charles

-- 
Charles Plessy
Debian Med packaging team,
http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan

Reply to:

Follow-Ups:
- Re: Phasing out libnetty-java (was Re: Bug#796114: CVE-2015-2156)
  - From: Emmanuel Bourg <ebourg@apache.org>

Prev by Date: Re: RFS: libcommons-jxpath-java 1.3-7 [UPLOADED]
Next by Date: Re: RFS: lucene-solr 3.6.2+dfsg-7
Previous by thread: Re: RFS: lucene-solr 3.6.2+dfsg-7
Next by thread: Re: Phasing out libnetty-java (was Re: Bug#796114: CVE-2015-2156)
Index(es):
- Date
- Thread