Hi all,

On 10/07/2024 at 15:52, Santiago Ruano Rincón wrote:
(Resending to the correct address list; sorry for the noise)

On 10/07/24 at 10:41, Santiago Ruano Rincón wrote:

Dear Java packaging team,

(Please CC: me when replying, I am not subscribed to the list)

According to the Apache advisory for CVE-2023-51441, axis 1.x has been EOL'ed upstream:
https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd

According to the comment by grid on #debian-security, I understand it is on life support upstream, and there have been fixes for CVEs in the last years, including at least one not-unimportant one. However, from the above-mentioned advisory, upstream recommends migrating to a "different SOAP engine, such as Apache Axis 2/Java."

On sid, this is the current list of build dependencies of libaxis-java:

jalview
jets3t
jglobus
starjava-datanode
starjava-dpac
starjava-topcat
starjava-ttools
starjava-vo
starjava-votable
uimaj

So my mail is just to start a discussion to see if it would be appropriate to file bugs on the reverse dependencies, to ask the maintainers if they could study how feasible it is to migrate to another SOAP engine.

Any thoughts?
Thanks for raising this issue. My first feeling is that filing these bug reports is sensible, unconditionally.
But I also wonder whether we have some reasonable alternative to suggest in these bug reports:

- axis2 is unpackaged (it could be), and its latest release is 2 years (+ 1 day) old;
- saaj and jaxws: I can't say whether they can provide an alternative to what axis does. Perhaps some people here have an opinion?
- Apache CXF, unpackaged as of now, but it seems to be actively maintained?
- something else?

Do others in the team have some ideas?
Cheers,
--
Santiago
Best,
--
Pierre