Bug#888547: CVE-2017-1000190

Emmanuel Bourg ebourg at apache.org
Fri Aug 24 00:18:09 BST 2018


On 23/08/2018 17:11, Markus Koschany wrote:

> My concern is that we have an upstream project that does not even
> consider such a trivial fix. Then we have another example of a
> fire-and-forget one time upload (simple-xml) and now the package is
> carried "by the team". carrotsearch-randomizedtesting is a
> test-dependency for lucene4.10 and spatial4j, same pattern, one time
> upload, now carried by the team. And when I see that we ship at least
> three versions of lucene in Debian, then I suppose we still have some
> room for improvements.

lucene2 is only used by eclipse, I hope we'll be able to remove both of
them before Buster is released. With the new eclipse-* packages heading
to unstable this is now a likely outcome.


> The gist is: Better maintain few packages and do it well, instead of
> maintaining many packages that just exist for collecting RC bugs.

I agree. Not all CVEs are equally important though; here simple-xml is
just a test dependency of another package and has a very low popcon, so the
vulnerability has no real impact on the Debian users.

Emmanuel Bourg


