Le 03/02/2015 19:06, Christopher Currie a écrit :
> Thanks; the issue is that I would like to see that CVE fixed for
> precise. It looks like precise doesn't have libwagon2-java, only
> libwagon-java. Has anyone worked with the Ubuntu security team, and can
> say whether they'd allow a *new* package to be added, to fix a security
> issue?
If precise doesn't have libwagon2-java you are probably safe. The
description of CVE-2013-0253 states that wagon was vulnerable starting
with the version 2.1. And looking at the patch for wagon 2 [1], none of
the code modified exists in wagon 1.
Emmanuel Bourg
[1]
https://sources.debian.net/src/wagon2/2.2-3%2Bnmu1/debian/patches/cve-2013-0253.patch/