Bug#852029: netbeans: CVE-2016-5537: Import directory traversal

Salvatore Bonaccorso carnil at debian.org
Mon Jan 30 19:34:25 UTC 2017


Hi Markus,

On Tue, Jan 24, 2017 at 01:10:00AM +0100, Markus Koschany wrote:
> On 23.01.2017 07:23, Salvatore Bonaccorso wrote:
> > Hi Markus,
> > 
> > Thanks for looking into the issue.
> [...]
> > I agree, upstream has not really provided any useful information, and
> > we have somehow to trust Oracle here, that 8.2 contains the fix. I'm
> > confident, since the 8.2 version gives now a warning, if you try to
> > import a project from a zip file containing members with "../". But I
> > was unable to determine the exact code change.
> > 
> > I'm not sure about the options.
> > 
> > 1/ try to determine the required changes and backport them to 8.1
> > ideally, but seems a bit hard.
> > 2/ live with the issue, and once stretch is a stable release mark it
> > as no-dsa as well there.
> > 3/ Ask release team if having 8.2+dfsg1-1 in stretch, but I guess that
> > unblock is not feasible anymore now.
> > 4/ something missing?
> > 
> > Regards, and sorry for not being more helpful here,
> > Salvatore
> 
> Hi Salvatore,
> 
> definitely not your fault and thanks for reporting, much appreciated as
> always.
> 
> At the moment I think I will mark it as no-dsa in Stretch, 8.2 isn't
> ready for prime time yet but in the future it will eventually close this
> bug report. Of course if someone else can point me to the
> commit/fix/patch I will try to get this into Stretch.

Alright, let's wait until stretch is released and if until then still
no further information is available, we can tag it <no-dsa> for
stretch.

Thanks for your investigation and comments.

Regards,
Salvatore

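The thread describes the defect only at the level of "a zip file containing members with ../" and the 8.2 warning, without showing the NetBeans code. As an added illustration that is not part of this thread and not NetBeans' own code, the Python below (Python chosen over Java so the check can be exercised stand-alone) shows what an importer's member check looks like: every archive member is resolved against the intended project directory and rejected if it would land outside it, which also covers absolute member names. The `reject_any_dotdot` policy mirrors the simpler "warn on any ../" behaviour the thread attributes to 8.2; the sample archive, the `DEMO_DEST` directory and all member names are constructed for the example.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the bug report): two ordinary
    project members, one ".." member that normalises back inside the target,
    one ".." member that escapes it, and one absolute member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/build.xml", '<project name="demo"/>')
        zf.writestr("project/src/Main.java", "class Main {}")
        zf.writestr("project/src/../../inside.txt", "normalises to <dest>/inside.txt")
        zf.writestr("../../outside.txt", "would land two levels above <dest>")
        zf.writestr("/abs/outside.txt", "absolute member name")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()
# Hypothetical import target; nothing is written unless safe_extract() accepts the archive.
DEMO_DEST = os.path.join(tempfile.gettempdir(), "netbeans-import-demo")


def find_unsafe_members(zip_bytes: bytes, dest_dir: str,
                        reject_any_dotdot: bool = True) -> list[str]:
    """Return the names of members that must not be extracted into dest_dir.

    A member is unsafe if its resolved target escapes dest_dir (this covers
    "../" chains and absolute names alike). With reject_any_dotdot=True any
    ".." path component is rejected as well, even when it happens to
    normalise back inside dest_dir; that is the conservative choice for an
    importer and matches the "warn on ../" behaviour described for 8.2.
    """
    dest_root = os.path.realpath(dest_dir)
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            components = name.replace("\\", "/").split("/")
            if reject_any_dotdot and ".." in components:
                unsafe.append(name)
                continue
            # Resolve where extraction would actually put the file, then
            # require that path to sit below the project directory.
            target = os.path.realpath(os.path.join(dest_root, name))
            try:
                inside = os.path.commonpath([dest_root, target]) == dest_root
            except ValueError:  # different drives on Windows: certainly outside
                inside = False
            if not inside:
                unsafe.append(name)
    return unsafe


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only if every member is safe; otherwise refuse the whole archive."""
    bad = find_unsafe_members(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing import, {len(bad)} member(s) escape {dest_dir}: {bad}")
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def demo() -> dict:
    """Run the check over the constructed sample with both policies."""
    strict = find_unsafe_members(SAMPLE_ZIP, DEMO_DEST, reject_any_dotdot=True)
    lenient = find_unsafe_members(SAMPLE_ZIP, DEMO_DEST, reject_any_dotdot=False)
    try:
        safe_extract(SAMPLE_ZIP, DEMO_DEST)
        refused = False
    except ValueError:
        refused = True
    return {"strict": strict, "lenient": lenient, "refused": refused}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two policies differ only on `project/src/../../inside.txt`: the path-resolution check accepts it because it stays under the project directory, while the strict policy rejects it like any other ".." member. Refusing the whole archive rather than skipping the offending members is deliberate, since a partially imported project is harder to reason about than a rejected one.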

