RFC: remaining CVEs on libspring-java
I would like some input from the group on how to handle the remaining
CVEs (all of which have been tagged no-dsa) on libspring-java:
Here are the CVEs which remain open in the jessie version:
I have integrated patches for CVE-2014-3578, CVE-2014-3625,
CVE-2015-3192, CVE-2015-5211, and CVE-2016-9878 (all of which are fixed
in stretch). CVE-2015-5211 was especially complex because of the very
large changes between the 3.0 and 3.2 releases of Spring. I elected to
not attempt to backport the patch for CVE-2016-5007 because the "fix"
for that CVE was the introduction of a new API. That seemed not worth
the effort, given that there are documented mitigations.
That leaves CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, and
CVE-2018-1257. Of those, CVE-2018-11039, CVE-2018-11040, and
CVE-2018-1199 are also tagged no-dsa on stretch. CVE-2018-1257 is still
vulnerable in stretch. It does not seem to provide a clear benefit to
implement fixes for these CVEs if they are to remain unfixed in stretch.
Fixing those last few could potentially place users in a position where
a jessie system has these issues fixed, then an upgrade to stretch
subsequently exposes them. For that reason, I am hesitant to proceed
with fixing them.
Does that seem like a sensible position? If not, what might be some
reasons to go ahead with the additional fixes?
Roberto C. Sánchez