Santiago Ruano Rincón
2024-07-10 14:00:01 UTC
(Resending to the correct address list; sorry for the noise)
Dear Java packaging team,
(Please CC: me when replying, I am not subscribed to the list)
According to the apache advisory of CVE-2023-51441, axis 1.x has been
https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd
According to the comment by grid on #debian-security, I understand it is
on life support upstream, and there have been fixes for CVEs in the last
years, including at least one not-unimportant. However, from the
above-mentioned advisory, upstream recommends migrating to a "different SOAP
engine, such as Apache Axis 2/Java."
jalview
jets3t
jglobus
starjava-datanode
starjava-dpac
starjava-topcat
starjava-ttools
starjava-vo
starjava-votable
uimaj
So my mail is just to start any discussion to see if it would be
appropriate to file bugs on the reverse dependencies, to ask the
maintainers if they could study how feasible it is to migrate to another
SOAP engine.
Any thoughts?
Cheers,
-- Santiago