Bug#653964: CVE-2010-4438 / CVE-2011-5035
Damien Raude-Morvan
drazzib at debian.org
Sun May 13 22:13:50 UTC 2012
Hi all,
On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
> >Sadly, no :/ I must admit that Oracle does not publish details of its
> >fixes so it's hard to confirm firmly which component is exactly
> >impacted.
> >
> >I'll try to revive my contact @Oracle to get some feedback on this
> >issue (on future security issues).
>
> Hi,
>
> Any news on this?
I'll just start by restating my initial comment on both issues:
-----
We don't build any real "Glassfish Server" but just some parts of the API
library used as Java EE specifications. As for any specification, this is just a
collection of interfaces and doesn't have much more implementation than dumb or
stub code.
-----
So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
packages.
But I cannot be 100% sure since:
- The upstream bugtracker [1] doesn't contain any reference to those security issues
- My Oracle contact (GlassFish community manager) only told me that
"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1
for paying customers). The fix is in the trunk and will be integrated in the
3.1.2 release scheduled for later this quarter"
I don't think I'll do further investigation on those issues...
At least there is one instructive thing: we have to think twice before
integrating a full-blown Glassfish JEE server (i.e. not just the API) into Debian,
as from my point of view Glassfish security is not handled as an open source
project should.
[1] http://java.net/jira/browse/GLASSFISH
Cheers,
--
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan