Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784

Andreas Tille tille at debian.org
Wed Dec 5 20:51:34 UTC 2012


Hi Alberto,

On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
> I've uploaded the two packages to mentors.debian.net.
> 
> We must solve the two bugs at the same time because axis uses
> commons-httpclient.

I guess you mean bug #692442, right?
 
> Upstream seems End-of-life and rejected the patches.

Did upstream actively *reject* the patch because of technical flaws or
did they just ignore it because of the end-of-life status?  There is no
real need to have a patch accepted upstream if we as Debian maintainers
agree that the patch is technically solving the reported problem.  We
actually do *not* want new upstream versions.

So as far as I see we currently have the following situation:  A package
for axis that solves #692650 is waiting on mentors for sponsoring.  I'd
volunteer to do this.  Did you upload commons-httpclient fixing
#692442 to mentors as well?  If not I could also apply the patch in BTS
and upload both to unstable.

Just tell me if there is any reason not to upload both of these packages.

Kind regards and thanks for providing the patches

    Andreas.

-- 
http://fam-tille.de



More information about the pkg-java-maintainers mailing list