Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #12369

Re: libspring-java support

Show all headers | View raw

Hi,

On 01/04/2022 11:50, Emilio Pozuelo Monfort wrote:
> On 03/12/2021 23:50, Markus Koschany wrote:
>> Am Freitag, dem 03.12.2021 um 14:28 +0100 schrieb Sylvain Beucler:
>>> This year I worked on libspring-java twice for LTS&ELTS. In both case
>>> upstream provided limited information for the CVEs, and for 5 of them
>>> we're unable to determine the fixes.
>>> https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java 
>>>
>>>
>>> Upstream declined to provide information to identify the fixes (which in
>>> turn would allow us to determine whether stretch and jessie are
>>> affected, and backport the fixes if needed).
>>> https://github.com/spring-projects/spring-framework/issues/26821
>>> https://github.com/spring-projects/spring-framework/issues/27647
>>>
>>> They made clear that they wouldn't provide this information even if
>>> paid, confirming they apply a security-by-obscurity strategy similar to
>>> Oracle's.
>>>
>>> I exchanged with the Debian security team after they witnessed the last
>>> exchanges above, and 2 weeks ago they concluded the latest CVE was minor
>>> and no action was needed right now. I insisted about the other, prior
>>> unfixable CVEs (1/4 impacting buster) but they haven't answered yet.
>>>
>>> I think we're not in capacity to offer further security support for
>>> libspring-java for LTS and ELTS, but I'd like to hear from other team
>>> members, especially if they work in the Java team (Markus?) - what do
>>> you think?
>>
>> I have made similar experiences like you when I contacted upstream and 
>> asked
>> for more information about previous CVE. I agree with you that their 
>> policy
>> makes future security support for us nearly impossible. Currently the 
>> main
>> purpose of libspring-java is to build other software from source. We 
>> don't ship
>> any application or web project that depends on Spring and exposes 
>> users to the
>> currently unfixed CVE which means the current status of all CVE in
>> Stretch/Buster/Bullseye (no-dsa/minor) is correct. It is also very 
>> unlikely
>> that Java developers who use Spring/Spring Boot for their web 
>> applications
>> depend on one of our Debian packages.
>>
>> In my opinion it is OK to ignore the currently known CVE. I would support
>> adding libspring-java to the list of unsupported packages because of 
>> the lack
>> of upstream support. We, as the Java team, should make this clear by 
>> mentioning
>> libspring-java in the next release notes for Debian 12.
> 
> Looks like Spring was marked as EOL in the security-tracker and 
> debian-security-support git, but never uploaded to stretch or announced 
> on debian-lts-announce (unless I missed it). I think this (as well as 
> other packages recently EOL'ed) should be announced there, so users are 
> aware. Should we add this to dla-needed so that someone can take care of 
> it?

Sure, go ahead.

Holger, can you clarify if you want the LTS team to handle 
debian-security-support backports to stretch, or if you intend to do it 
yourself?

(cf.
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/13
https://salsa.debian.org/debian/debian-security-support/-/commit/911636f7c0a153e288b74d2c47a3b287840cdbca
which AFAIU was only uploaded to unstable)

Cheers!
Sylvain

Back to linux.debian.maint.java | Previous | Next — Previous in thread | Next in thread | Find similar

Thread

Re: libspring-java support Markus Koschany <apo@debian.org> - 2021-12-04 00:00 +0100
  Re: libspring-java support Sylvain Beucler <beuc@beuc.net> - 2022-04-01 12:10 +0200
    Re: libspring-java support Holger Levsen <holger@layer-acht.org> - 2022-04-02 14:40 +0200
  Re: libspring-java support Emilio Pozuelo Monfort <pochu@debian.org> - 2022-04-01 12:10 +0200

csiph-web