

Groups > linux.debian.maint.java > #12369

Re: libspring-java support

From Sylvain Beucler <beuc@beuc.net>
Newsgroups linux.debian.maint.java
Subject Re: libspring-java support
Date Fri, 01 Apr 2022 12:10:01 +0200
Message-ID <E7mo9-5EMD-3@gated-at.bofh.it> (permalink)
References <DqpH4-1cX-5@gated-at.bofh.it> <DqpH3-1cX-3@gated-at.bofh.it> <E7mo9-5EMD-5@gated-at.bofh.it>
MIME-Version 1.0
User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language en-US
Content-Type text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding 7bit
X-Mailing-List <debian-java@lists.debian.org> archive/latest/23008
List-ID <debian-java.lists.debian.org>
List-URL <https://lists.debian.org/debian-java/>
List-Archive https://lists.debian.org/msgid-search/19507af3-3089-8d88-6c35-fb691fc26a3f@beuc.net
Approved robomod@news.nic.it
Lines 75
Organization linux.* mail to news gateway
Sender robomod@news.nic.it
X-Original-Cc debian-java <debian-java@lists.debian.org>
X-Original-Date Fri, 1 Apr 2022 12:06:40 +0200
X-Original-Message-ID <19507af3-3089-8d88-6c35-fb691fc26a3f@beuc.net>
X-Original-References <e00e8e48-b76e-4982-897e-a4a317974b82@beuc.net> <f588e081494c592ece8912dc5e62420fe5d9f941.camel@debian.org> <1d23c657-bf6d-ae8c-9f21-c0cd9343d52e@debian.org>


Hi,

On 01/04/2022 11:50, Emilio Pozuelo Monfort wrote:
> On 03/12/2021 23:50, Markus Koschany wrote:
>> Am Freitag, dem 03.12.2021 um 14:28 +0100 schrieb Sylvain Beucler:
>>> This year I worked on libspring-java twice for LTS&ELTS. In both cases
>>> upstream provided limited information for the CVEs, and for 5 of them
>>> we're unable to determine the fixes.
>>> https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java
>>>
>>> Upstream declined to provide information to identify the fixes (which in
>>> turn would allow us to determine whether stretch and jessie are
>>> affected, and backport the fixes if needed).
>>> https://github.com/spring-projects/spring-framework/issues/26821
>>> https://github.com/spring-projects/spring-framework/issues/27647
>>>
>>> They made clear that they wouldn't provide this information even if
>>> paid, confirming they apply a security-by-obscurity strategy similar to
>>> Oracle's.
>>>
>>> I exchanged with the Debian security team after they witnessed the last
>>> exchanges above, and 2 weeks ago they concluded the latest CVE was minor
>>> and no action was needed right now. I insisted on the other, prior
>>> unfixable CVEs (1/4 impacting buster) but they haven't answered yet.
>>>
>>> I think we're not in a position to offer further security support for
>>> libspring-java for LTS and ELTS, but I'd like to hear from other team
>>> members, especially if they work in the Java team (Markus?) - what do
>>> you think?
>>
>> I have had similar experiences to yours when I contacted upstream and asked
>> for more information about previous CVEs. I agree with you that their policy
>> makes future security support for us nearly impossible. Currently the main
>> purpose of libspring-java is to build other software from source. We don't ship
>> any application or web project that depends on Spring and exposes users to the
>> currently unfixed CVEs, which means the current status of all CVEs in
>> Stretch/Buster/Bullseye (no-dsa/minor) is correct. It is also very unlikely
>> that Java developers who use Spring/Spring Boot for their web applications
>> depend on one of our Debian packages.
>>
>> In my opinion it is OK to ignore the currently known CVEs. I would support
>> adding libspring-java to the list of unsupported packages because of the lack
>> of upstream support. We, as the Java team, should make this clear by mentioning
>> libspring-java in the next release notes for Debian 12.
> 
> Looks like Spring was marked as EOL in the security-tracker and 
> debian-security-support git, but never uploaded to stretch or announced 
> on debian-lts-announce (unless I missed it). I think this (as well as 
> other packages recently EOL'ed) should be announced there, so users are 
> aware. Should we add this to dla-needed so that someone can take care of 
> it?

Sure, go ahead.

Holger, can you clarify if you want the LTS team to handle 
debian-security-support backports to stretch, or if you intend to do it 
yourself?

(cf.
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/13
https://salsa.debian.org/debian/debian-security-support/-/commit/911636f7c0a153e288b74d2c47a3b287840cdbca
which AFAIU was only uploaded to unstable)

Cheers!
Sylvain



Thread

Re: libspring-java support Markus Koschany <apo@debian.org> - 2021-12-04 00:00 +0100
  Re: libspring-java support Sylvain Beucler <beuc@beuc.net> - 2022-04-01 12:10 +0200
    Re: libspring-java support Holger Levsen <holger@layer-acht.org> - 2022-04-02 14:40 +0200
  Re: libspring-java support Emilio Pozuelo Monfort <pochu@debian.org> - 2022-04-01 12:10 +0200
