Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784

Michael Gilbert mgilbert at debian.org
Thu Dec 6 01:45:26 UTC 2012


> Hi Andreas
>
> I've uploaded both packages to mentors.
>
> commons-httpclient -> bug #692442 CVE-2012-5783
> axis -> bug #692650 CVE-2012-5784
>
> Since axis uses commons-httpclient, we need to fix and upload both
> packages.
>
> Upstream has ignored the axis patch and rejected the commons-httpclient patch.
> Basically, they say commons-httpclient is EOL and they don't want to
> spend time on it. They might apply the patch to the SVN, but
> without a revision and without releasing.

According to redhat, there is already an upstream patch for
httpclient, and it differs from yours in some ways:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5783

Please coordinate with them on that fix.

> I've tested the patches and they work ok. So I think it's fine to
> upload.

Please coordinate the axis patch with redhat since they don't have a
solution in their bug tracker yet either.  They will review your work:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5784

Best wishes,
Mike
