• Re: libspring-java support

    From Markus Koschany@21:1/5 to All on Sat Dec 4 00:00:02 2021
    Hi Sylvain,

    Am Freitag, dem 03.12.2021 um 14:28 +0100 schrieb Sylvain Beucler:
    Hi,

This year I worked on libspring-java twice for LTS&ELTS. In both cases upstream provided limited information for the CVEs, and for 5 of them
we're unable to determine the fixes. https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java

    Upstream declined to provide information to identify the fixes (which in turn would allow us to determine whether stretch and jessie are
    affected, and backport the fixes if needed). https://github.com/spring-projects/spring-framework/issues/26821 https://github.com/spring-projects/spring-framework/issues/27647

    They made clear that they wouldn't provide this information even if
    paid, confirming they apply a security-by-obscurity strategy similar to Oracle's.

    I exchanged with the Debian security team after they witnessed the last exchanges above, and 2 weeks ago they concluded the latest CVE was minor
    and no action was needed right now. I insisted about the other, prior unfixable CVEs (1/4 impacting buster) but they haven't answered yet.

    I think we're not in capacity to offer further security support for libspring-java for LTS and ELTS, but I'd like to hear from other team members, especially if they work in the Java team (Markus?) - what do
    you think?

    Cheers!
    Sylvain Beucler
    Debian LTS Team


I have had similar experiences to yours when I contacted upstream and asked for more information about previous CVEs. I agree with you that their policy makes future security support for us nearly impossible. Currently the main purpose of libspring-java is to build other software from source. We don't ship any application or web project that depends on Spring and exposes users to the currently unfixed CVEs, which means the current status of all CVEs in Stretch/Buster/Bullseye (no-dsa/minor) is correct. It is also very unlikely that Java developers who use Spring/Spring Boot for their web applications depend on one of our Debian packages.

In my opinion it is OK to ignore the currently known CVEs. I would support adding libspring-java to the list of unsupported packages because of the lack of upstream support. We, as the Java team, should make this clear by mentioning libspring-java in the next release notes for Debian 12.

    Regards,

    Markus


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sylvain Beucler@21:1/5 to Emilio Pozuelo Monfort on Fri Apr 1 12:10:01 2022
    Hi,

    On 01/04/2022 11:50, Emilio Pozuelo Monfort wrote:
    On 03/12/2021 23:50, Markus Koschany wrote:
    Am Freitag, dem 03.12.2021 um 14:28 +0100 schrieb Sylvain Beucler:
This year I worked on libspring-java twice for LTS&ELTS. In both cases
upstream provided limited information for the CVEs, and for 5 of them
we're unable to determine the fixes.
https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java

Upstream declined to provide information to identify the fixes (which in turn would allow us to determine whether stretch and jessie are
    affected, and backport the fixes if needed).
    https://github.com/spring-projects/spring-framework/issues/26821
    https://github.com/spring-projects/spring-framework/issues/27647

    They made clear that they wouldn't provide this information even if
    paid, confirming they apply a security-by-obscurity strategy similar to
    Oracle's.

    I exchanged with the Debian security team after they witnessed the last
exchanges above, and 2 weeks ago they concluded the latest CVE was minor and no action was needed right now. I insisted about the other, prior
    unfixable CVEs (1/4 impacting buster) but they haven't answered yet.

    I think we're not in capacity to offer further security support for
    libspring-java for LTS and ELTS, but I'd like to hear from other team
    members, especially if they work in the Java team (Markus?) - what do
    you think?

I have had similar experiences to yours when I contacted upstream and asked
for more information about previous CVEs. I agree with you that their policy
makes future security support for us nearly impossible. Currently the main
purpose of libspring-java is to build other software from source. We don't ship
any application or web project that depends on Spring and exposes users to the
currently unfixed CVEs, which means the current status of all CVEs in
Stretch/Buster/Bullseye (no-dsa/minor) is correct. It is also very unlikely
that Java developers who use Spring/Spring Boot for their web applications
depend on one of our Debian packages.

In my opinion it is OK to ignore the currently known CVEs. I would support
adding libspring-java to the list of unsupported packages because of the lack
of upstream support. We, as the Java team, should make this clear by mentioning
libspring-java in the next release notes for Debian 12.

    Looks like Spring was marked as EOL in the security-tracker and debian-security-support git, but never uploaded to stretch or announced
    on debian-lts-announce (unless I missed it). I think this (as well as
    other packages recently EOL'ed) should be announced there, so users are aware. Should we add this to dla-needed so that someone can take care of
    it?

    Sure, go ahead.

    Holger, can you clarify if you want the LTS team to handle debian-security-support backports to stretch, or if you intend to do it yourself?

    (cf. https://salsa.debian.org/debian/debian-security-support/-/merge_requests/13 https://salsa.debian.org/debian/debian-security-support/-/commit/911636f7c0a153e288b74d2c47a3b287840cdbca
    which AFAIU was only uploaded to unstable)

    Cheers!
    Sylvain

  • From Emilio Pozuelo Monfort@21:1/5 to Markus Koschany on Fri Apr 1 12:10:01 2022
    Hi,

    On 03/12/2021 23:50, Markus Koschany wrote:
    Hi Sylvain,

    Am Freitag, dem 03.12.2021 um 14:28 +0100 schrieb Sylvain Beucler:
    Hi,

This year I worked on libspring-java twice for LTS&ELTS. In both cases
upstream provided limited information for the CVEs, and for 5 of them
we're unable to determine the fixes.
https://deb.freexian.com/extended-lts/tracker/source-package/libspring-java
    Upstream declined to provide information to identify the fixes (which in
    turn would allow us to determine whether stretch and jessie are
    affected, and backport the fixes if needed).
    https://github.com/spring-projects/spring-framework/issues/26821
    https://github.com/spring-projects/spring-framework/issues/27647

    They made clear that they wouldn't provide this information even if
    paid, confirming they apply a security-by-obscurity strategy similar to
    Oracle's.

    I exchanged with the Debian security team after they witnessed the last
    exchanges above, and 2 weeks ago they concluded the latest CVE was minor
    and no action was needed right now. I insisted about the other, prior
    unfixable CVEs (1/4 impacting buster) but they haven't answered yet.

    I think we're not in capacity to offer further security support for
    libspring-java for LTS and ELTS, but I'd like to hear from other team
    members, especially if they work in the Java team (Markus?) - what do
    you think?

    Cheers!
    Sylvain Beucler
    Debian LTS Team


I have had similar experiences to yours when I contacted upstream and asked for more information about previous CVEs. I agree with you that their policy makes future security support for us nearly impossible. Currently the main purpose of libspring-java is to build other software from source. We don't ship any application or web project that depends on Spring and exposes users to the currently unfixed CVEs, which means the current status of all CVEs in Stretch/Buster/Bullseye (no-dsa/minor) is correct. It is also very unlikely that Java developers who use Spring/Spring Boot for their web applications depend on one of our Debian packages.

In my opinion it is OK to ignore the currently known CVEs. I would support adding libspring-java to the list of unsupported packages because of the lack of upstream support. We, as the Java team, should make this clear by mentioning libspring-java in the next release notes for Debian 12.

    Looks like Spring was marked as EOL in the security-tracker and debian-security-support git, but never uploaded to stretch or announced on debian-lts-announce (unless I missed it). I think this (as well as other packages recently EOL'ed) should be announced there, so users are aware. Should we add this to dla-needed so that someone can take care of it?

    Cheers,
    Emilio

  • From Holger Levsen@21:1/5 to Sylvain Beucler on Sat Apr 2 14:40:01 2022
    Hi Sylvain,

    On Fri, Apr 01, 2022 at 12:06:40PM +0200, Sylvain Beucler wrote:
    Holger, can you clarify if you want the LTS team to handle debian-security-support backports to stretch, or if you intend to do it yourself?

    thanks for asking, I'd be glad for more people maintaining debian-security-support
    including backports, whether it's BTS maintenance, GIT commits or uploads.

    All changes should be introduced in unstable first, and then migrate to testing.
    To support stable and older releases there are GIT branches.

    Usually only support status updates are applied to stable and older branches.

    If in doubt whether something should be committed for unstable,
    please open a MR on salsa.debian.org so the change can be discussed there.


    I've also just copied the above words in debian/README.source in the
    master branch of the package. Further improvements very welcome. :)


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    https://showyourstripes.info
