
Re: libspring-2.5-java and requesting membership for secure-testing



On 30.03.2015 14:46, Raphael Hertzog wrote:
[...]
> No it's correct, the last CVE issue was mis-assigned to that package. That
> said there are other java packages in need of some love.
> 
> For example commons-httpclient has been waiting for months:
> https://security-tracker.debian.org/tracker/source-package/commons-httpclient

Yes, I saw that. I think the severity should have been serious right
from the start. Last week I prepared a patch for commons-httpclient [1]
and I am confident it fixes CVE-2012-6153 and CVE-2014-3577. However I
struggle with finding a test case which verifies the patch really
addresses the issue. I will try to contact upstream and ask them for
support.

Cheers,

Markus

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086#50


