Bug#653964: glassfish predictable hash collisions

Torsten Werner twerner at debian.org
Mon Jan 2 08:56:20 UTC 2012


Hi,

On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst <thijs at debian.org> wrote:
> It was reported that Glassfish is affected by the predictable hash collisions
> attack that made its rounds around the net this week. This is tracked at
> http://security-tracker.debian.org/tracker/CVE-2011-5035

I do not think that we are vulnerable because Debian does not ship a
full glassfish stack. We build some core libs only.

> Can you ensure that fixed packages are uploaded to sid as soon as possible,
> and assert whether a fix for lenny and squeeze would be necessary?

I do not even understand how to reproduce the issue. May you elaborate
on that, please?

Thanks,
Torsten




