[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

libspring-java support


This year I worked on libspring-java twice for LTS&ELTS. In both case upstream provided limited information for the CVEs, and for 5 of them we're unable to determine the fixes.

Upstream declined to provide information to identify the fixes (which in turn would allow us to determine whether stretch and jessie are affected, and backport the fixes if needed).

They made clear that they wouldn't provide this information even if paid, confirming they apply a security-by-obscurity strategy similar to Oracle's.

I exchanged with the Debian security team after they witnessed the last exchanges above, and 2 weeks ago they concluded the latest CVE was minor and no action was needed right now. I insisted about the other, prior unfixable CVEs (1/4 impacting buster) but they haven't answered yet.

I think we're not in capacity to offer further security support for libspring-java for LTS and ELTS, but I'd like to hear from other team members, especially if they work in the Java team (Markus?) - what do you think?

Sylvain Beucler
Debian LTS Team

Reply to: