Bug#653964: CVE-2010-4438 / CVE-2011-5035

Steve McIntyre steve at einval.com
Mon May 14 14:50:30 UTC 2012


On Mon, May 14, 2012 at 12:13:50AM +0200, Damien Raude-Morvan wrote:
>Hi all,
>
>Le dimanche 13 mai 2012 18:54:38, Steve McIntyre a écrit :
>> >Sadly, no :/ I must admit that Oracle does not publish details of its
>> >fixes so it's hard to confirm firmly which component is exactly
>> >impacted.
>> >
>> >I'll try to revive my contact @Oracle to get some feedback on this
>> >issue (on future security issues).
>> 
>> Hi,
>> 
>> Any news on this?
>
>I'll just start by restating my initial comment on both issues:
>-----
>We don't build any real "Glassfish Server", just some parts of the API 
>library used as Java EE specifications. As for any specification, this is just a 
>collection of interfaces and doesn't have much more implementation than dumb or 
>stub code.
>-----
>
>So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary 
>packages. 

OK, fair enough.

>But I cannot be 100% sure since:
>- Upstream bugtracker [1] doesn't contain any reference to those security issues
>- My Oracle contact (GlassFish community manager) only told me that 
>"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1 
>for paying customers). The fix is in the trunk and will be integrated in the 
>3.1.2 release scheduled for later this quarter"
>
>I don't think I'll do further investigation on those issues...
>At least, there is one instructive thing: we have to think twice before 
>integrating a full-blown Glassfish JEE server (i.e. not just the API) into Debian 
>as from my point of view Glassfish security is not handled as an open source 
>project should.

Yes, I'd have to agree with that. :-(

If you're *reasonably* confident that we're not affected by those
CVE issues, is it worth maybe dropping the severity of the Debian bugs
from serious?

-- 
Steve McIntyre, Cambridge, UK.                                steve at einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss
