Hi all,

On 10/07/2024 at 15:52, Santiago Ruano Rincón wrote:
(Resending to the correct address list; sorry for the noise)

On 10/07/24 at 10:41, Santiago Ruano Rincón wrote:
Dear Java packaging team,

(Please CC: me when replying, I am not subscribed to the list)

According to the Apache advisory for CVE-2023-51441, Axis 1.x has been
EOL'ed upstream:

https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd

According to the comment by grid on #debian-security, I understand it is
on life support upstream, and there have been fixes for CVEs in the last
years, including at least one not-unimportant. However, in the above
mentioned advisory, upstream recommends migrating to a "different SOAP
engine, such as Apache Axis 2/Java."

On sid, this is the current list of build dependencies of libaxis-java:

jalview
jets3t
jglobus
starjava-datanode
starjava-dpac
starjava-topcat
starjava-ttools
starjava-vo
starjava-votable
uimaj

So my mail is just to start a discussion to see if it would be
appropriate to file bugs on the reverse dependencies, to ask the
maintainers if they could study how feasible it is to migrate to another
SOAP engine.

Any thoughts?

Thanks for raising this issue. My first feeling is that filing these bug reports is sensible, unconditionally.

But I also wonder if we have some reasonable alternative to suggest in these bug reports:
- axis2 is unpackaged (could be) and its latest release is 2 years (+ 1 day) old;
- saaj and jaxws: I can't say if they can provide an alternative to what axis does. Perhaps some people there have an opinion?
- Apache CXF, unpackaged as of now but seems to be actively maintained?
- something else?

Do others in the team have some ideas?


Cheers,

  -- Santiago



Best,

--
Pierre
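The reverse build-dependency list quoted above is presented as a finished result. As an added example (not part of either mail, and not the command that produced that list), the following POSIX shell function scans RFC822-style Sources stanzas from stdin and prints the source packages whose Build-Depends, Build-Depends-Indep or Build-Depends-Arch name a given binary package exactly (alternatives, version constraints, architecture restrictions and build profiles are stripped first, so `libaxis-java-doc` does not match `libaxis-java`). The demo input is a constructed fragment whose Build-Depends lines are made up for illustration, not the real build dependencies of those packages; the Sources index path in the comment is likewise an example.

```shell
#!/bin/sh
# Added example, not from the thread: list source packages that build-depend
# on a given binary package, reading Sources stanzas (one per blank-line
# separated paragraph) from stdin. On a real system, feed it a Sources index,
# for instance (path is illustrative):
#   rbuilddeps libaxis-java < /var/lib/apt/lists/<mirror>_dists_sid_main_source_Sources
# `reverse-depends -b libaxis-java` from ubuntu-dev-tools does the same job online.
rbuilddeps() {
  awk -v pkg="$1" '
    BEGIN { RS = ""; FS = "\n" }            # paragraph mode: one stanza per record
    {
      src = ""; bd = ""; inbd = 0
      for (i = 1; i <= NF; i++) {
        line = $i
        if (line ~ /^[ \t]/) {              # continuation line of a folded field
          if (inbd) bd = bd "," line
          continue
        }
        inbd = 0
        if (line ~ /^Package: /) {
          src = substr(line, 10)            # source package name
        } else if (line ~ /^Build-Depends(-Indep|-Arch)?: /) {
          sub(/^[^:]*: /, "", line)         # drop the field name
          bd = bd "," line
          inbd = 1
        }
      }
      n = split(bd, alts, /[,|]/)           # "," separates deps, "|" alternatives
      for (i = 1; i <= n; i++) {
        d = alts[i]
        sub(/^[ \t]+/, "", d)
        sub(/[ \t].*$/, "", d)              # cut at first blank: "(>= 1.4)", "[!i386]"
        sub(/\(.*$/, "", d); sub(/\[.*$/, "", d); sub(/<.*$/, "", d)   # unspaced (ver) [arch] <profile>
        sub(/:.*$/, "", d)                  # arch qualifier such as pkg:native
        if (d == pkg) { print src; break }  # exact name match, never a substring match
      }
    }' | sort -u
}

demo_rbuilddeps() {
  # Constructed Sources fragment: package names come from the thread, the
  # Build-Depends contents are invented for the demo.
  rbuilddeps libaxis-java <<'EOF'
Package: jets3t
Binary: libjets3t-java
Build-Depends: debhelper-compat (= 13), default-jdk, libaxis-java (>= 1.4),
 libjakarta-poi-java

Package: uimaj
Build-Depends: debhelper-compat (= 13), maven-debian-helper
Build-Depends-Indep: libaxis-java, libjunit4-java

Package: jalview
Build-Depends: debhelper-compat (= 13), libaxis-java | libaxis2-java [!i386]

Package: notaffected
Build-Depends: debhelper-compat (= 13), libaxis2c-dev, libaxis-java-doc
EOF
}

# Prints: jalview, jets3t, uimaj (one per line); notaffected is left out.
demo_rbuilddeps
```

Running the function against a real Sources index for sid is what gives a list comparable to the one quoted above; because the match is on the exact binary package name, a package that only build-depends on something with a similar name (here the constructed `libaxis-java-doc`) is correctly excluded.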
