Glassfish security support (in Squeeze)

Emmanuel Bourg ebourg at apache.org
Tue Sep 23 10:21:08 UTC 2014


On 23/09/2014 10:17, Raphael Hertzog wrote:

> This looks like a possible compromise (although the lack of init script
> doesn't mean that nobody can use it, it's always possible to start it from
> a custom script).

OK, I'll drop the glassfish-appserv package in the next upload. I agree
it may be possible to start it manually, but I don't think someone
really installed an incomplete package of an outdated application server
and tweaked it manually for hours instead of simply downloading a fully
functioning and updated version from the upstream website.


> Can you verify the 3 open CVE and confirm that they only concern
> glassfish-appserv? There's almost no information but it says
> once "Unspecified vulnerability in the CORBA ORB component in Sun
> GlassFish Enterprise Server 2.1.1" and "Unspecified vulnerability in
> the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1".

After running a quick grep I confirm the corba stuff is limited to the
appserv part. As for the other packages:

- glassfish-activation: obsolete API now provided by the JDK, it's being
phased out
- glassfish-mail: gradually replaced by the more recent javamail package
- glassfish-javaee: JavaEE spec APIs, mostly interfaces without code
- glassfish-jmac-api: JSR 196 API, interfaces and beans without code
- glassfish-toplink-essentials: Object to relational DB mapping

Looking at the vulnerabilities:
- CVE-2013-5816 mentions an issue related to Metro which is the
webservices layer of Glassfish. Webservices are only in the appserv part.
- CVE-2013-3827 is related to Java Server Faces, but I couldn't find any
code related to JSF (grep -R 'import javax.faces')


> For Jessie/Sid, it still seems a pretty bad idea to release with such
> an outdated package. Do you have plans to update it?

I can get a look but I suspect this isn't a trivial task and it may
require several new packages. For now we are mainly focused on removing
tomcat6 which is going to be EOLed during the Jessie lifecycle. Since
this is the most popular Java package I think we have to prioritize it
over the other updates.

Emmanuel Bourg
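The grep-based triage described in the reply above, written out as a small helper (an added illustration, not code from the thread or from the Debian packages). It walks a source tree and reports whether the Java components the three CVEs are about (CORBA ORB, the Metro web services stack, JSF) are referenced at all, which is the first question for deciding whether a CVE can apply to a given binary package. The import prefixes used as component signatures and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Component signatures: "label|import prefix". The prefixes are assumed
# identifiers for the components named in the CVE discussion, not a
# verified list from the upstream tree.
COMPONENT_PATTERNS='corba-orb|org.omg.CORBA
metro-webservices|com.sun.xml.ws
jsf|javax.faces'

# component_hits DIR PREFIX
# Prints the number of .java files under DIR that import PREFIX.
component_hits() {
    # grep exits 1 when nothing matches; wc still prints 0, which is what we want.
    grep -rl --include='*.java' "^import $2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# triage DIR
# One line per component: "<label> affected (<n> files)" or "<label> not-referenced".
triage() {
    printf '%s\n' "$COMPONENT_PATTERNS" | while IFS='|' read -r label prefix; do
        n=$(component_hits "$1" "$prefix")
        if [ "$n" -gt 0 ]; then
            echo "$label affected ($n files)"
        else
            echo "$label not-referenced"
        fi
    done
}

# make_sample_tree ROOT
# Constructed sample mirroring the split in the thread: the appserv part
# references CORBA and Metro classes, the API-only part references nothing.
make_sample_tree() {
    mkdir -p "$1/appserv" "$1/javaee-api"
    printf 'import org.omg.CORBA.ORB;\npublic class Orb {}\n' > "$1/appserv/Orb.java"
    printf 'import com.sun.xml.ws.api.Foo;\npublic class Ws {}\n' > "$1/appserv/Ws.java"
    printf 'package javax.servlet;\npublic interface Servlet {}\n' > "$1/javaee-api/Servlet.java"
}

# Stand-alone run: build the sample tree and triage both halves.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    make_sample_tree "$root"
    for part in appserv javaee-api; do
        echo "== $part =="
        triage "$root/$part"
    done
    rm -rf "$root"
fi
```

Absence of an import only shows the component is not compiled into that package; it does not rule out the code being present in a different form, so a hit list is a starting point for reading the package, not a verdict.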

