On 22/09/2014 17:44, Raphael Hertzog wrote:
> If there are no objections, I'll file a bug against
> debian-security-support to request this. CC to the security team in case
> they want to request the same for Wheezy.

Hi Raphael,

Glassfish is an important package for the Java ecosystem as it provides JavaEE specification APIs used to build many other packages. The CVEs reported are most likely related to the complete application server which is almost unused in Debian (the glassfish-appserv package has a low popcon and no reverse dependencies). Removing this package should address the security concerns (yet, the package contains no init script to run it as a daemon, so the risk is already zero since nobody can use it).

Emmanuel Bourg