Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558

Raphael Hertzog hertzog at debian.org
Tue Nov 18 10:51:00 UTC 2014


On Sun, 02 Nov 2014 23:38:30 +0100 Emmanuel Bourg <ebourg at apache.org> wrote:
> libhibernate-validator-java is only used as a build dependency of
> libhibernate3-java. No package depends on it at runtime, so the risk of
> being affected by this vulnerability is rather low, if not zero.

Thank you for this information but it's not really a satisfactory answer.

We can't knowingly ship libraries with serious security issues. It's not
the first time I see that kind of answer from the java team. Please
at least package new upstream versions with the appropriate security fixes.

I can understand that backporting security patches might be difficult but
packaging new upstream versions is the basis of our work in Debian. We
can't stay with outdated versions and known vulnerabilities for ever.

Please send a call for help on debian-devel(-announce) if you are not able
to do the basic work of keeping your packages up-to-date. Then the
publicity team might relay your message further... and maybe you'll find
some supplementary volunteers.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/