On Wed, Nov 01, 2017 at 08:42:43PM +0100, Markus Koschany wrote:
> Short update:
>
> One staff member told me that my options are to read the advisories,
> which don't contain any detailed information or patches, or, if I have a
> commercial license, to contact support. Great, let's buy a license to
> get more information about security bugs.
WTF
> So far the only viable option would be to upgrade to the latest upstream
> release and backport that to Wheezy, Jessie and Stretch as well but I'm
> not thrilled to maintain another Oracle-like Java package when it comes
> to security bugs.
I'd say let's kick it out, then. We have a build dependency (and run time
dependencies) on libspring-java, can we axe it out there?
Cheers,
Moritz
