This year I worked on libspring-java twice for LTS&ELTS. In both case
upstream provided limited information for the CVEs, and for 5 of them
we're unable to determine the fixes.
Upstream declined to provide information to identify the fixes (which in
turn would allow us to determine whether stretch and jessie are
affected, and backport the fixes if needed).
They made clear that they wouldn't provide this information even if
paid, confirming they apply a security-by-obscurity strategy similar to
I exchanged with the Debian security team after they witnessed the last
exchanges above, and 2 weeks ago they concluded the latest CVE was minor
and no action was needed right now. I insisted about the other, prior
unfixable CVEs (1/4 impacting buster) but they haven't answered yet.
I think we're not in capacity to offer further security support for
libspring-java for LTS and ELTS, but I'd like to hear from other team
members, especially if they work in the Java team (Markus?) - what do
Debian LTS Team