Re: libspring-java support

To: Markus Koschany <apo@debian.org>, Sylvain Beucler <beuc@beuc.net>, Debian LTS <debian-lts@lists.debian.org>
Cc: debian-java <debian-java@lists.debian.org>
Subject: Re: libspring-java support
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Fri, 1 Apr 2022 11:50:23 +0200
Message-id: <[🔎] 1d23c657-bf6d-ae8c-9f21-c0cd9343d52e@debian.org>
In-reply-to: <f588e081494c592ece8912dc5e62420fe5d9f941.camel@debian.org>
References: <e00e8e48-b76e-4982-897e-a4a317974b82@beuc.net> <f588e081494c592ece8912dc5e62420fe5d9f941.camel@debian.org>

Hi,

On 03/12/2021 23:50, Markus Koschany wrote:

Hi Sylvain,

Am Freitag, dem 03.12.2021 um 14:28 +0100 schrieb Sylvain Beucler:

Hi,

This year I worked on libspring-java twice for LTS&ELTS. In both case
upstream provided limited information for the CVEs, and for 5 of them
we're unable to determine the fixes.
https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java

Upstream declined to provide information to identify the fixes (which in
turn would allow us to determine whether stretch and jessie are
affected, and backport the fixes if needed).
https://github.com/spring-projects/spring-framework/issues/26821
https://github.com/spring-projects/spring-framework/issues/27647

They made clear that they wouldn't provide this information even if
paid, confirming they apply a security-by-obscurity strategy similar to
Oracle's.

I exchanged with the Debian security team after they witnessed the last
exchanges above, and 2 weeks ago they concluded the latest CVE was minor
and no action was needed right now. I insisted about the other, prior
unfixable CVEs (1/4 impacting buster) but they haven't answered yet.

I think we're not in capacity to offer further security support for
libspring-java for LTS and ELTS, but I'd like to hear from other team
members, especially if they work in the Java team (Markus?) - what do
you think?

Cheers!
Sylvain Beucler
Debian LTS Team


I have made similar experiences like you when I contacted upstream and asked
for more information about previous CVE. I agree with you that their policy
makes future security support for us nearly impossible. Currently the main
purpose of libspring-java is to build other software from source. We don't ship
any application or web project that depends on Spring and exposes users to the
currently unfixed CVE which means the current status of all CVE in
Stretch/Buster/Bullseye (no-dsa/minor) is correct. It is also very unlikely
that Java developers who use Spring/Spring Boot for their web applications
depend on one of our Debian packages.

In my opinion it is OK to ignore the currently known CVE. I would support
adding libspring-java to the list of unsupported packages because of the lack
of upstream support. We, as the Java team, should make this clear by mentioning
libspring-java in the next release notes for Debian 12.

Looks like Spring was marked as EOL in the security-tracker anddebian-security-support git, but never uploaded to stretch or announced ondebian-lts-announce (unless I missed it). I think this (as well as otherpackages recently EOL'ed) should be announced there, so users are aware. Shouldwe add this to dla-needed so that someone can take care of it?


Cheers,
Emilio

Reply to:

Follow-Ups:
- Re: libspring-java support
  - From: Sylvain Beucler <beuc@beuc.net>

Next by Date: Re: libspring-java support
Next by thread: Re: libspring-java support
Index(es):
- Date
- Thread