Packages glassfish-* security concerns
Hello,
The packages glassfish-* shipped in all the version of Debian are version 2.1.1.
The glassfish v2 open souce code hasn't received any updates since 2010, not even critical security updates.
( https://svn.java.net/svn/glassfish~svn/trunk/v2/ )
Only the Oracle Enterprise version is still maintained.
Even if those are not the full server stack ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653964 ), they may contains severe security flaws.
We just don't know, right?
The v3 version is very stable and actively maintained. I would consider shipping it instead of v2.
Thanks,
Benjamin Jaton
Reply to: