On 10/12/2017 at 00:07, Markus Koschany wrote:
> However we should always be able to assess security vulnerabilities.
> Just hoping that nobody will ever use the Debian library in some other
> context is negligent. I would be really disappointed when I built a
> Java app with Debian's system libraries and then I have to find out that
> it is basically unsupported and contains security holes because it is
> "just" a build-dependency for some other project.

I tend to disagree with this reasoning. We can't support any usage of the libraries we ship; we don't have the resources for that. Our responsibility should be limited to the code that we actually use in Debian. Java developers don't use the system libraries anyway, they typically pull the jars from Maven Central and bundle them with their applications. Patching unused features would really be a waste of time.

> To be fair: CVE-2017-5533 and CVE-2017-5528 probably do not affect us
> because we ship the Jasperreports Library and not the server. Please
> correct me if I am wrong.

I don't know, I'm not familiar enough with jasperreports. I can just observe that the Spring modules depending on it are nowhere used in Debian yet.

> That said maybe you are able to find the relevant changes or you get a
> more helpful reply from the support guys. Otherwise I would try to
> disable jasperreports in libspring-java which appears to be optional. (I
> know it probably requires another patch...)

libspring-java is already quite complicated. An additional patch to maintain would be a hindrance, especially for disabling the usage of a library we don't really care about. On the other hand, maintaining such a patch is maybe less complicated than regularly upgrading jasperreports; that's probably worth investigating. If we go that route I'd rather see libspring-java upgraded to version 5.0 before patching it.

> For reference here is the link to my support request:
>
> https://community.jaspersoft.com/questions/1072461/security-update-cve-2017-14941-cve-2017-5528-cve-2017-5529

I'm not convinced they understood the context and our point of view. Upgrading the library was just the obvious solution to the issue raised; that doesn't make the answer hostile or uncooperative. I'd suggest asking the developers directly instead of going through a sales or customer support representative.

Emmanuel Bourg