Hi all,

On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
> >Sadly, no :/ I must admit that Oracle does not publish details of its
> >fixes so it's hard to confirm firmly what component is exactly
> >impacted.
> >
> >I'll try to revive my contact @Oracle to get some feedback on this
> >issue (on future security issues).
>
> Hi,
>
> Any news on this?

I'll just start by restating my initial comment on both issues:

-----
We don't build any real "Glassfish Server" but just some parts of the API library used as Java EE specifications. As for any specification, this is just a collection of interfaces and doesn't have much more implementation than dumb or stub code.
-----

So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary packages. But I cannot be 100% sure since:

- Upstream bugtracker [1] doesn't contain a ref to those security issues
- My Oracle contact (GlassFish community manager) only told me that "CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1 for paying customers). The fix is in the trunk and will be integrated in the 3.1.2 release scheduled for later this quarter"

I don't think I'll do further investigation on those issues...

At least, there is one instructive thing: we have to think twice before integrating a full blown Glassfish JEE server (i.e. not just API) into Debian as, from my point of view, Glassfish security is not handled as an open source project should.

[1] http://java.net/jira/browse/GLASSFISH

Cheers,
--
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan