Bug#653964: CVE-2010-4438 / CVE-2011-5035
steve at einval.com
Mon May 14 14:50:30 UTC 2012
On Mon, May 14, 2012 at 12:13:50AM +0200, Damien Raude-Morvan wrote:
>On Sunday, 13 May 2012 at 18:54:38, Steve McIntyre wrote:
>> >Sadly, no :/ I must admit that Oracle does not publish details of its
>> >fixes so it's hard to confirm firmly which component it is exactly
>> >I'll try to revive my contact @Oracle to get some feedback on this
>> >issue (on future security issues).
>> Any news on this?
>I'll just start by restating my initial comment on both issues:
>We don't build any real "Glassfish Server" but just some parts of API
>library used as Java EE specifications. As for any specification, this is just a
>collection of interfaces and doesn't have many more implementations than dumb or
>So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
OK, fair enough.
>But I cannot be 100% sure since:
>- The upstream bugtracker doesn't contain references to those security issues
>- My Oracle contact (GlassFish community manager) only told me that
>"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1
>for paying customers). The fix is in the trunk and will be integrated in the
>3.1.2 release scheduled for later this quarter"
>I don't think I'll do further investigation on those issues...
>At least, there is one instructive thing: we have to think twice before
>integrating a full-blown Glassfish JEE server (i.e. not just the API) into Debian
>as from my point of view Glassfish Security is not handled as an open source
Yes, I'd have to agree with that. :-(
If you're *reasonably* confident that we're not affected by those
CVE issues, is it worth maybe dropping the severity of the Debian bugs
Steve McIntyre, Cambridge, UK. steve at einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss