On Sun, 02 Nov 2014 23:38:30 +0100 Emmanuel Bourg <ebo...@apache.org> wrote:

> libhibernate-validator-java is only used as a build dependency of
> libhibernate3-java. No package depends on it at runtime, so the risk of
> being affected by this vulnerability is rather low, if not zero.
Thank you for this information but it's not really a satisfactory answer. We can't knowingly ship libraries with serious security issues. It's not the first time I see that kind of answer from the java team.

Please at least package new upstream versions with the appropriate security fixes. I can understand that backporting security patches might be difficult but packaging new upstream versions is the basis of our work in Debian. We can't stay with outdated versions and known vulnerabilities for ever.

Please send a call for help on debian-devel(-announce) if you are not able to do the basic work of keeping your packages up-to-date. Then the publicity team might relay your message further... and maybe you'll find some supplementary volunteers.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/