Re: Propose to ignore libxstream-java CVEs

To: Markus Koschany <apo@debian.org>, debian-lts@lists.debian.org
Cc: Anton Gladky <gladk@debian.org>
Subject: Re: Propose to ignore libxstream-java CVEs
From: Sylvain Beucler <beuc@beuc.net>
Date: Wed, 22 Sep 2021 16:29:39 +0200
Message-id: <[🔎] 3561e6a0-a809-8e22-c6a5-cdff7556d5f4@beuc.net>
In-reply-to: <[🔎] 58308646b991646c8b5bf1338b281caec857893c.camel@debian.org>
References: <CABY6=0=B2hUDycVE5P2TNBZXncFvayrmDqGGcMZQmPo3S264eg@mail.gmail.com> <3f2a393b-ef07-0819-540f-09271f062432@beuc.net> <b81f4d153d88d38ee68463c8ff774863f3bd0da3.camel@debian.org> <[🔎] 58308646b991646c8b5bf1338b281caec857893c.camel@debian.org>

Hi,

On 22/09/2021 15:37, Markus Koschany wrote:

so far I have not found any regressions in Debian packages which depend on
libxstream-java. I propose to switch to the whitelist in all suites because
this is the only reasonable way to secure XStream. I have prepared an update
for Stretch. Anton, could you take a look at it because I saw you have claimed
libxstream-java?

https://people.debian.org/~apo/lts/libxstream-java/libxstream-java.debdiff

I am pretty surprised because I had concluded that allreverse-dependencies would break, due to not white-listing anyapp-specific class:

https://lists.debian.org/debian-lts/2021/06/msg00040.html

I'll test your package shortly to see if my angle is relevant with thispatch.


Cheers!
Sylvain Beucler
Debian LTS Team

Reply to:

Follow-Ups:
- Re: Propose to ignore libxstream-java CVEs
  - From: Sylvain Beucler <beuc@beuc.net>

References:
- Re: Propose to ignore libxstream-java CVEs
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Re: Propose to ignore libxstream-java CVEs
Next by Date: Re: Propose to ignore libxstream-java CVEs
Previous by thread: Re: Propose to ignore libxstream-java CVEs
Next by thread: Re: Propose to ignore libxstream-java CVEs
Index(es):
- Date
- Thread