Bug#880467: jasperreports: CVE-2017-14941, CVE-2017-5528, CVE-2017-5529

Emmanuel Bourg ebourg at apache.org
Sat Dec 9 23:06:51 UTC 2017


On 09/12/2017 at 23:49, Moritz Mühlenhoff wrote:

> Yeah, but libspring-java is not the issue here, it's jasperreports:
> We ship a jasperreports package of an uncooperative upstream which
> would need to see full backports across all supported suites since
> they don't tell us how to fix this with backports (or actually any
> vulnerability information).

Yes but since jasperreports isn't used anyway there is no need to
backport the fixes, that's the point I was trying to make. Until
jasperreports is actually used in Debian we can educate upstream about
the importance of documenting the security fixes.



More information about the pkg-java-maintainers mailing list