Bug#653964: CVE-2010-4438 / CVE-2011-5035
drazzib at debian.org
Sun May 13 22:13:50 UTC 2012
Le dimanche 13 mai 2012 18:54:38, Steve McIntyre a écrit :
> >Sadly, no :/ I must admit that Oracle does not publish details of its
> >fixes so it's hard to confirm firmly what's component is exactly
> >I'll try to revive my contact @Oracle to get some feedback on this
> >issue (on future security issues).
> Any news on this?
I'll just start by restating my initial comment on both issues :
We don't build any real "Glassfish Server" but just some parts of API
library used as Java EE specifications. As for any specification, this is just a
collection of interfaces and don't have much more implementations than dumb or
So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
But I cannot be 100% sure since :
- Upstream bugtracker  doesn't contains ref to those security issues
- My Oracle contact (GlassFish community manager) only told me that
"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1
for paying customers). The fix is in the trunk and will be integrated in the
3.1.2 release scheduled for later this quarter"
I don't think I'll do further investigation on those issues...
At least, there is one instructing thing : we have to think twice before
integrating of a full blown Glassfish JEE server (ie. not just API) into Debian
as from my point of view Glassfish Security is not handled as an open source
Damien - Debian Developper
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: This is a digitally signed message part.
More information about the pkg-java-maintainers