Bug#650542: pu: package mojarra/2.0.3-1
On Wed, 2011-11-30 at 14:22 -0430, Miguel Landaeta wrote:
> I have prepared an upload to fix #650430 / CVE-2011-4358.
> This bug affects mojarra 2.0.3-1 in stable.
Thanks for working on this.
> I'm attaching the debdiff with the backported patch that fix
> this issue and the updated package meant for squeeze.
It's not exactly a minimal patch - admittedly we've seen worse. :) I'm
guessing that the .properties changes and the pulling in of logging code
are part of the upstream patch, although I'm not really sure how they
contribute to fixing the bug. Maybe I'm just getting cynical in my old
> I plan to do an urgent upload to unstable before the weekend.
It might be obvious and predictable, but for the record - the unstable
upload needs to happen before stable. Preferably unstable wants to be
fixed for a few days at least, in order to verify that no obvious
> A patch and a link to a PoC can be found in the body of #650430 report.
Have the security team confirmed that they don't wish to handle this via
a DSA? I couldn't see any thing in the bug report or the security
tracker which mentions not doing so.