
Re: Packages glassfish-* security concerns



On Tue, Jul 17, 2012 at 11:24 PM, Yves-Alexis Perez <corsac@debian.org> wrote:
On Tue., 2012-07-17 at 14:39 -0700, Benjamin Jaton wrote:
> Hello,
>
> The packages glassfish-* shipped in all the versions of Debian are
> version 2.1.1.
> The glassfish v2 open source code hasn't received any updates since
> 2010, not even critical security updates.
> ( https://svn.java.net/svn/glassfish~svn/trunk/v2/ )
> Only the Oracle Enterprise version is still maintained.
> Even if those are not the full server stack
> ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653964 ), they may
> contain severe security flaws.
> We just don't know, right?

Do you have specific pointers about those “severe security flaws” or is
it just random guesses? The security tracker only tracks known security
issues.

Those are totally random guesses. More than pointing to any specific flaw,
I am saying that Debian is shipping some unmaintained code for 2 years now.
I thought it would be worth signaling.

>
> The v3 version is very stable and actively maintained. I would
> consider shipping it instead of v2.

For Wheezy, that won't happen. For next version, you're free to contact
packagers.

I'll get in touch with them.
 
>
Regards,
--
Yves-Alexis

