libspring-java support

To: Debian LTS <debian-lts@lists.debian.org>
Cc: Markus Koschany <apo@debian.org>
Subject: libspring-java support
From: Sylvain Beucler <beuc@beuc.net>
Date: Fri, 3 Dec 2021 14:28:52 +0100
Message-id: <[🔎] e00e8e48-b76e-4982-897e-a4a317974b82@beuc.net>

Hi,

This year I worked on libspring-java twice for LTS&ELTS. In both caseupstream provided limited information for the CVEs, and for 5 of themwe're unable to determine the fixes.

https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java

Upstream declined to provide information to identify the fixes (which inturn would allow us to determine whether stretch and jessie areaffected, and backport the fixes if needed).

https://github.com/spring-projects/spring-framework/issues/26821
https://github.com/spring-projects/spring-framework/issues/27647

They made clear that they wouldn't provide this information even ifpaid, confirming they apply a security-by-obscurity strategy similar toOracle's.

I exchanged with the Debian security team after they witnessed the lastexchanges above, and 2 weeks ago they concluded the latest CVE was minorand no action was needed right now. I insisted about the other, priorunfixable CVEs (1/4 impacting buster) but they haven't answered yet.

I think we're not in capacity to offer further security support forlibspring-java for LTS and ELTS, but I'd like to hear from other teammembers, especially if they work in the Java team (Markus?) - what doyou think?


Cheers!
Sylvain Beucler
Debian LTS Team

Reply to:

Follow-Ups:
- Re: libspring-java support
  - From: Markus Koschany <apo@debian.org>

Prev by Date: (E)LTS report for November
Next by Date: Re: libspring-java support
Previous by thread: (E)LTS report for November
Next by thread: Re: libspring-java support
Index(es):
- Date
- Thread