Bug#903916: undertow: Keep it out of Buster
Markus Koschany
apo at debian.org
Mon Jul 16 17:06:06 BST 2018
Source: undertow
Version: 1.4.25-1
Severity: serious

I am filing this bug report to prevent the migration of undertow to
testing and subsequently being part of the next stable release Debian
10, "Buster". This was also briefly discussed with the Security Team.

Reasons:

- Undertow is regularly affected by security vulnerabilities but
  upstream often does not provide enough information to fix the issue
  with a targeted patch. Sometimes additional information is not
  public or is only disclosed weeks and months later. I have filed a bug
  report and suggested to improve the communication policy but so far
  nothing has happened.

- Undertow has no reverse-dependencies besides syncany in
  experimental.

Once Buster is released this bug report can be closed again and
hopefully the situation has improved by then.

Markus