Bug#760733: libspring-java: CVE-2014-0225

Stephen Nelson stephen at eccostudio.com
Wed Nov 26 11:22:28 UTC 2014


On 26 Nov 2014 10:45, "Raphael Hertzog" <hertzog at debian.org> wrote:
>
> Hello Stephen,
>
> On Mon, 08 Sep 2014, Stephen Nelson wrote:
> > > For what it's worth, CVE-2014-3578 was assigned to a directory traversal
> > > vulnerability in libspring-java
> > > ( http://www.pivotal.io/security/cve-2014-3578)
> >
> > Thanks for letting us know about this one. I've had a quick look and it
> > might be more difficult to fix given that there hasn't been a specific
> > commit made in a later version of Spring which could be backported.
> > However, I will look into this in more detail and report back to the BTS
> > for this bug.
>
> I haven't seen any followup yet. Do you still plan to do the required
> investigation?
>
> This bug is one of Jessie's remaining release critical bugs so it would
> be nice if there could be some progress. (Of course, packaging a new
> upstream version can also be considered by release team members
> if backporting is too much work)
>

I couldn't find any specifics on this vulnerability other than the upstream
saying it's not present in their currently supported versions.

Therefore it looks like upgrading to 3.2.x would solve the security issue
but is quite a lot of work and involves dependencies not yet packaged in
Debian.

I'm happy to help but ask more experienced Java team members what the
best course of action is here.

Cheers

Stephen