Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

Markus Koschany apo at debian.org
Tue Jan 24 00:10:00 UTC 2017


On 23.01.2017 07:23, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> Thanks for looking into the issue.
[...]
> I agree, upstream has not really provided any useful information, and
> we have somehow to trust Oracle here, that 8.2 contains the fix. I'm
> confident, since the 8.2 version gives now a warning, if you try to
> import a project from a zip file containing members with "../". But I
> was unable to determine the exact code change.
> 
> I'm not sure about the options.
> 
> 1/ try to determine the required changes and backport them to 8.1
> ideally, but seems a bit hard.
> 2/ live with the issue, and once stretch is a stable release mark it
> as no-dsa as well there.
> 3/ Ask release team if having 8.2+dfsg1-1 in stretch, but I guess that
> unblock is not feasible anymore now.
> 4/ something missing?
> 
> Regards, and sorry for not being more helpful here,
> Salvatore

Hi Salvatore,

definitely not your fault and thanks for reporting, much appreciated as
always.

At the moment I think I will mark it as no-dsa in Stretch; 8.2 isn't
ready for prime time yet, but in the future it will eventually close this
bug report. Of course, if someone else can point me to the
commit/fix/patch, I will try to get this into Stretch.

Regards,

Markus

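As an added illustration (not NetBeans code, and not the upstream change, which the thread notes could not be identified): the check a project importer needs before writing each archive member to disk, so that a "../" entry cannot land outside the import directory. The archive contents and the destination path below are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipImportCheck {
    // Resolve the entry against destDir and refuse it unless the normalized
    // result is still inside destDir. Rejects "../" members and absolute names.
    static Path safeTarget(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("zip entry escapes import directory: " + entryName);
        }
        return target;
    }

    // Constructed sample archive: one legitimate member and one member whose
    // name climbs out of the import directory with "../".
    static byte[] sampleArchive() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            for (String name : new String[] {"project/build.xml", "../../.bashrc"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("placeholder".getBytes());
                zos.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Paths.get("/tmp/import-dest"); // hypothetical import location
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(sampleArchive()))) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                try {
                    System.out.println("ok:       " + safeTarget(dest, e.getName()));
                } catch (IOException ex) {
                    System.out.println("rejected: " + ex.getMessage());
                }
            }
        }
    }
}
```

Running it prints the first member as accepted under /tmp/import-dest and the second as rejected, because its normalized target (/.bashrc) no longer starts with the import directory.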