Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529

Emmanuel Bourg ebourg at apache.org
Sat Dec 9 23:49:08 UTC 2017


On 10/12/2017 at 00:07, Markus Koschany wrote:

> However we should always be able to assess security vulnerabilities.
> Just hoping that nobody will ever use the Debian library in some other
> context is negligent. I would be really disappointed if I built a
> Java app with Debian's system libraries and then had to find out that
> it is basically unsupported and contains security holes because it is
> "just" a build-dependency for some other project.

I tend to disagree with this reasoning. We can't support every usage of
the libraries we ship; we don't have the resources for that. Our
responsibility should be limited to the code that we actually use in
Debian. Java developers don't use the system libraries anyway; they
typically pull the jars from Maven Central and bundle them with their
applications. Patching unused features would really be a waste of time.


> To be fair: CVE-2017-5533 and CVE-2017-5528 probably do not affect us
> because we ship the Jasperreports Library and not the server. Please
> correct me if I am wrong.

I don't know, I'm not familiar enough with jasperreports. I can only
observe that the Spring modules depending on it are not used anywhere in
Debian yet.


> That said, maybe you are able to find the relevant changes or you get a
> more helpful reply from the support guys. Otherwise I would try to
> disable jasperreports in libspring-java, which appears to be optional. (I
> know it probably requires another patch...)

libspring-java is already quite complicated. An additional patch to
maintain would be a hindrance, especially for disabling the usage of a
library we don't really care about. On the other hand, maintaining such a
patch is maybe less complicated than regularly upgrading jasperreports;
that's probably worth investigating. If we go that route I'd rather see
libspring-java upgraded to version 5.0 before patching it.


> For reference here is the link to my support request:
> 
> https://community.jaspersoft.com/questions/1072461/security-update-cve-2017-14941-cve-2017-5528-cve-2017-5529

I'm not convinced they understood the context and our point of view.
Upgrading the library was just the obvious solution to the issue raised,
that doesn't make the answer hostile or uncooperative. I'd suggest
asking the developers directly instead of going through a sales or
customer support representative.

Emmanuel Bourg



More information about the pkg-java-maintainers mailing list