Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784

Alberto Fernández infjaf at gmail.com
Wed Dec 5 21:28:52 UTC 2012


Hi Andreas

I've uploaded both packages to mentors.

commons-httpclient -> bug #692442 CVE-2012-5783
axis -> bug #692650 CVE-2012-5784

Since axis uses commons-httpclient, we need to fix and upload both
packages.

Upstream has ignored the axis patch and rejected the commons-httpclient patch.
Basically, they say commons-httpclient is EOL and they don't want to
spend time on it. They might apply the patch to SVN, but
without a revision and without releasing.

I've tested the patches and they work OK. So I think it's fine to
upload.

Kind regards

Alberto

On Wed, 05-12-2012 at 21:51 +0100, Andreas Tille wrote:
> Hi Alberto,
> 
> On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
> > I've uploaded the two packages to mentors.debian.net.
> > 
> > We must solve the two bugs at the same time because axis uses
> > commons-httpclient.
> 
> I guess you mean bug #692442, right?
>  
> > Upstream seems End-of-life and rejected the patches.
> 
> Did upstream actively *reject* the patch because of technical flaws, or
> did they just ignore it because of the end-of-life status?  There is no
> real need to have a patch accepted upstream if we as Debian maintainers
> agree that the patch technically solves the reported problem.  We
> actually do *not* want new upstream versions.
> 
> So as far as I see we currently have the following situation:  A package
> for axis that solves #692650 is waiting on mentors for sponsoring.  I'd
> volunteer to do this.  Did you upload commons-httpclient fixing
> #692442 to mentors as well?  If not, I could also apply the patch from the BTS
> and upload both to unstable.
> 
> Just tell me if there is any reason not to upload both of these packages.
> 
> Kind regards and thanks for providing the patches
> 
>     Andreas.
> 



More information about the pkg-java-maintainers mailing list