Path: csiph.com!newsfeed.xs4all.nl!newsfeed8.news.xs4all.nl!bofh.it!news.nic.it!robomod From: Emilio Pozuelo Monfort Newsgroups: linux.debian.maint.java Subject: Re: libspring-java support Date: Fri, 01 Apr 2022 12:10:01 +0200 Message-ID: References: X-Original-To: Markus Koschany , Sylvain Beucler , Debian LTS X-Mailbox-Line: From debian-java-request@lists.debian.org Fri Apr 1 10:06:15 2022 Old-Return-Path: X-Amavis-Spam-Status: No, score=-6.262 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FOURLA=0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, LDO_WHITELIST=-5, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no X-Policyd-Weight: using cached result; rate: -5.5 X-Gm-Message-State: AOAM532QAu7DgJDz840/7/PlEgq20fy8npZYHzF8Kj0+ybA7TGwbNrac 3UzJOGKsbUTBBXkdVbNOtt0= X-Google-SMTP-Source: ABdhPJwLJd5WKwtbvBl29PSyI/936LdRUyAfOPVPR/eTVflF7u32VUZIzzZ/OMNQ4gdZmaiw+2Xhhg== X-Received: by 2002:a05:6000:1047:b0:204:101:7c79 with SMTP id c7-20020a056000104700b0020401017c79mr7221647wrx.277.1648806625928; Fri, 01 Apr 2022 02:50:25 -0700 (PDT) Sender: robomod@news.nic.it MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Mailing-List: archive/latest/23007 List-ID: List-URL: List-Archive: https://lists.debian.org/msgid-search/1d23c657-bf6d-ae8c-9f21-c0cd9343d52e@debian.org Approved: robomod@news.nic.it Lines: 61 Organization: linux.* mail to news gateway X-Original-Cc: debian-java X-Original-Date: Fri, 1 Apr 2022 11:50:23 +0200 X-Original-Message-ID: <1d23c657-bf6d-ae8c-9f21-c0cd9343d52e@debian.org> X-Original-References: X-Original-Sender: Emilio Pozuelo Monfort Xref: csiph.com linux.debian.maint.java:12370 Hi, On 03/12/2021 23:50, Markus Koschany wrote: > Hi Sylvain, > > Am Freitag, dem 03.12.2021 um 14:28 +0100 schrieb Sylvain Beucler: >> Hi, >> >> This year I worked on libspring-java twice for LTS&ELTS. In both case >> upstream provided limited information for the CVEs, and for 5 of them >> we're unable to determine the fixes. >> https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java >> >> Upstream declined to provide information to identify the fixes (which in >> turn would allow us to determine whether stretch and jessie are >> affected, and backport the fixes if needed). >> https://github.com/spring-projects/spring-framework/issues/26821 >> https://github.com/spring-projects/spring-framework/issues/27647 >> >> They made clear that they wouldn't provide this information even if >> paid, confirming they apply a security-by-obscurity strategy similar to >> Oracle's. >> >> I exchanged with the Debian security team after they witnessed the last >> exchanges above, and 2 weeks ago they concluded the latest CVE was minor >> and no action was needed right now. I insisted about the other, prior >> unfixable CVEs (1/4 impacting buster) but they haven't answered yet. >> >> I think we're not in capacity to offer further security support for >> libspring-java for LTS and ELTS, but I'd like to hear from other team >> members, especially if they work in the Java team (Markus?) - what do >> you think? >> >> Cheers! >> Sylvain Beucler >> Debian LTS Team >> > > I have made similar experiences like you when I contacted upstream and asked > for more information about previous CVE. I agree with you that their policy > makes future security support for us nearly impossible. Currently the main > purpose of libspring-java is to build other software from source. We don't ship > any application or web project that depends on Spring and exposes users to the > currently unfixed CVE which means the current status of all CVE in > Stretch/Buster/Bullseye (no-dsa/minor) is correct. It is also very unlikely > that Java developers who use Spring/Spring Boot for their web applications > depend on one of our Debian packages. > > In my opinion it is OK to ignore the currently known CVE. I would support > adding libspring-java to the list of unsupported packages because of the lack > of upstream support. We, as the Java team, should make this clear by mentioning > libspring-java in the next release notes for Debian 12. Looks like Spring was marked as EOL in the security-tracker and debian-security-support git, but never uploaded to stretch or announced on debian-lts-announce (unless I missed it). I think this (as well as other packages recently EOL'ed) should be announced there, so users are aware. Should we add this to dla-needed so that someone can take care of it? Cheers, Emilio