On Sat, Dec 09, 2017 at 11:43:38PM +0100, Emmanuel Bourg wrote:
> On 09/12/2017 at 23:29, Moritz Mühlenhoff wrote:
>
> > I'd say let's kick it out, then. We have a build dependency (and run time
> > dependencies) on libspring-java, can we axe it out there?
>
> jasperreports is just a build dependency of some unused parts of
> libspring-java. No application in Debian needs it at run time. So these
> vulnerabilities can be safely ignored in the stable releases.

Yeah, but libspring-java is not the issue here, it's jasperreports: We ship a
jasperreports package of an uncooperative upstream which would need to see
full backports across all supported suites since they don't tell us how to
fix this with backports (or actually any vulnerability information).

Cheers,
        Moritz