(Resending to the correct address list; sorry for the noise)

On 10/07/24 at 10:41, Santiago Ruano Rincón wrote:
> Dear Java packaging team,
> 
> (Please CC: me when replying, I am not subscribed to the list)
> 
> According to the Apache advisory of CVE-2023-51441, axis 1.x has been
> EOL'ed upstream:
> 
> https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd
> 
> According to the comment by grid on #debian-security, I understand it is
> on life support upstream, and there have been fixes for CVEs in the last
> years, including at least one not-unimportant. However, from the above
> mentioned advisory, upstream recommends to migrate to a "different SOAP
> engine, such as Apache Axis 2/Java."
> 
> On sid, this is the current list of build dependencies of libaxis-java:
> 
> jalview
> jets3t
> jglobus
> starjava-datanode
> starjava-dpac
> starjava-topcat
> starjava-ttools
> starjava-vo
> starjava-votable
> uimaj
> 
> So my mail is just to start any discussion to see if it would be
> appropriate to file bugs on the reverse dependencies, to ask the
> maintainers if they could study how feasible it is to migrate to another
> SOAP engine.
> 
> Any thoughts?
> 
> Cheers,
> 
>  -- Santiago

