From: Markus Koschany
Newsgroups: linux.debian.maint.java
Subject: Re: libspring-java support
Date: Sat, 04 Dec 2021 00:00:02 +0100
To: Sylvain Beucler, Debian LTS
Cc: debian-java
List-Archive: https://lists.debian.org/msgid-search/f588e081494c592ece8912dc5e62420fe5d9f941.camel@debian.org

Hi Sylvain,

On Friday, 03.12.2021 at 14:28 +0100, Sylvain Beucler wrote:
> Hi,
>
> This year I worked on libspring-java twice for LTS & ELTS. In both cases
> upstream provided limited information for the CVEs, and for 5 of them
> we're unable to determine the fixes.
> https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java
>
> Upstream declined to provide information to identify the fixes (which in
> turn would allow us to determine whether stretch and jessie are
> affected, and backport the fixes if needed).
> https://github.com/spring-projects/spring-framework/issues/26821
> https://github.com/spring-projects/spring-framework/issues/27647
>
> They made clear that they wouldn't provide this information even if
> paid, confirming they apply a security-by-obscurity strategy similar to
> Oracle's.
>
> I exchanged with the Debian security team after they witnessed the last
> exchanges above, and 2 weeks ago they concluded the latest CVE was minor
> and no action was needed right now. I insisted on the other, prior
> unfixable CVEs (1/4 impacting buster) but they haven't answered yet.
>
> I think we're not in a position to offer further security support for
> libspring-java for LTS and ELTS, but I'd like to hear from other team
> members, especially if they work in the Java team (Markus?) - what do
> you think?
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team
>

I have had similar experiences to yours when I contacted upstream and asked
for more information about previous CVEs. I agree with you that their policy
makes future security support for us nearly impossible. Currently the main
purpose of libspring-java is to build other software from source. We don't
ship any application or web project that depends on Spring and exposes users
to the currently unfixed CVEs, which means the current status of all CVEs in
Stretch/Buster/Bullseye (no-dsa/minor) is correct. It is also very unlikely
that Java developers who use Spring/Spring Boot for their web applications
depend on one of our Debian packages.

In my opinion it is OK to ignore the currently known CVEs.
I would support adding libspring-java to the list of unsupported packages
because of the lack of upstream support. We, as the Java team, should make
this clear by mentioning libspring-java in the next release notes for
Debian 12.

Regards,

Markus