<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Sun, Sep 7, 2014 at 12:34 PM, Yves-Alexis Perez <span dir="ltr"><<a href="mailto:corsac@debian.org" target="_blank">corsac@debian.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">On sam., 2014-09-06 at 21:38 -0700, tony mancill wrote:<br>
> On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:<br>
> > Hi Tony,<br>
> ><br>
> > On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:<br>
> >> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <<a href="mailto:jmm@inutil.org">jmm@inutil.org</a>><br>
> >> wrote:<br>
> >>> Package: libspring-java<br>
> >>> Severity: grave<br>
> >>> Tags: security<br>
> >>> Justification: user security hole<br>
> >>><br>
> >>> Hi,<br>
> >>> please see <a href="http://www.gopivotal.com/security/cve-2014-0225" target="_blank">http://www.gopivotal.com/security/cve-2014-0225</a><br>
> >><br>
> >> Hello,<br>
> >><br>
> >> I have uploaded a a patched version (thanks Stephen!) to unstable and<br>
> >> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which<br>
> >> the debdiff for the .dsc and .changes is attached. (It is essentially<br>
> >> identical to the debdiff for unstable.) I also placed the source and<br>
> >> binary packages for the wheezy update here:<br>
> >><br>
> >> <a href="https://people.debian.org/~tmancill/libspring-java_wheezy/" target="_blank">https://people.debian.org/~tmancill/libspring-java_wheezy/</a><br>
> >><br>
> >> for Security Team review.<br>
> ><br></div></div></blockquote><div><br></div><div>Thanks for packaging the fix Tony.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">
> > AFAICS at the time (at least), this CVE was marked no-dsa. Do you<br>
> > concur on this classification or is there something we missed? If so,<br>
> > could you contact the stable release managers to have an update trough<br>
> > stable proposed updates?<br>
><br>
> Hi Salvatore,<br>
><br>
> No, I'm not aware of anything that has been missed. I was just trying<br>
> to be proactive about creating a package. If any user needs to build<br>
> for wheezy, the patch is available in the BTS.<br>
><br>
> Thank you for the information,<br>
> tony<br>
<br>
</div></div>For what it's worth, CVE-2014-3578 was assigned to a directory traversal<br>
vulnerability in libspring-java<br>
( <a href="http://www.pivotal.io/security/cve-2014-3578" target="_blank">http://www.pivotal.io/security/cve-2014-3578</a>)<br>
<br></blockquote><div><br></div><div>Thanks for letting us know about this one. I've had a quick look and it might be more difficult to fix given that there hasn't been a specific commit made in a later version of Spring which could be backported. However, I will look into this in more detail and report back to the BTS for this bug.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I think it's no-dsa too, but both can be fixed in a point release.<br>
<br>
Regards,<br>
<span class=""><font color="#888888">--<br>
Yves-Alexis Perez - Debian Security<br>
<br>
<br>
</font></span></blockquote></div><div class="gmail_extra"><br></div>Cheers,</div><div class="gmail_extra"><br><div>Stephen Nelson</div>
</div></div>