Bug#961298: Dropping jodd from bullseye
Moritz Mühlenhoff
jmm at inutil.org
Tue May 18 19:39:36 BST 2021
On Mon, Mar 01, 2021 at 10:54:31AM +0100, Salvatore Bonaccorso wrote:
> Hi Emmanuel,
>
> On Sat, May 30, 2020 at 02:50:32PM +0200, Emmanuel Bourg wrote:
> > Control: severity -1 important
> >
> > On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote:
> >
> > > The following vulnerability was published for jodd. I'm filing it as
> > > RC severity since although one might dispute the severity for the issue
> > > itself, it looks that in Debian there was ever only one upload of
> > > jodd, and there are no reverse (build) dependencies either.
> > >
> > > Is the package actually of some use or planned use?
> >
> > Thank you for the report Salvatore.
> >
> > jodd is a new dependency of JMeter 3, I haven't finished the packaging yet.
> >
> > Note that the fix for CVE-2018-21234 merely adds an optional
> > whitelisting feature to check the classes being deserialized. But the
> > default behavior is still the same (no check), so the charge of
> > addressing the vulnerability is actually shifted to the applications
> > using jodd.
>
> Back when we lowered the severity this above was the reasoning, but
> jmeter 3 is not in bullseye.
>
> So should we remove src:jodd to at least not be included in bullseye?
> According to dak this is no problem to do:
>
> carnil at coccia:~$ dak rm --suite=testing -n -R jodd
> Will remove the following packages from testing:
>
> jodd | 3.8.6-1.1 | source
> libjodd-java | 3.8.6-1.1 | all
>
> Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
>
> ------------------- Reason -------------------
>
> ----------------------------------------------
>
> Checking reverse dependencies...
> No dependency problem found.
>
> carnil at coccia:~$
Hi Emmanuel,

let's remove jodd from bullseye until it gets actually used, ok? I can file
an RM bug with the release team.

Cheers,
Moritz