Bug#760733: libspring-java: CVE-2014-0225

Stephen Nelson stephen at eccostudio.com
Mon Sep 8 09:10:04 UTC 2014


On Sun, Sep 7, 2014 at 12:34 PM, Yves-Alexis Perez <corsac at debian.org>
wrote:

> On sam., 2014-09-06 at 21:38 -0700, tony mancill wrote:
> > On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> > > Hi Tony,
> > >
> > > On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> > >> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm at inutil.org> wrote:
> > >>> Package: libspring-java
> > >>> Severity: grave
> > >>> Tags: security
> > >>> Justification: user security hole
> > >>>
> > >>> Hi,
> > >>> please see http://www.gopivotal.com/security/cve-2014-0225
> > >>
> > >> Hello,
> > >>
> > >> I have uploaded a patched version (thanks Stephen!) to unstable and
> > >> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
> > >> the debdiff for the .dsc and .changes is attached.  (It is essentially
> > >> identical to the debdiff for unstable.)  I also placed the source and
> > >> binary packages for the wheezy update here:
> > >>
> > >>   https://people.debian.org/~tmancill/libspring-java_wheezy/
> > >>
> > >> for Security Team review.
> > >
>

Thanks for packaging the fix, Tony.


> > > AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> > > concur on this classification or is there something we missed? If so,
> > > could you contact the stable release managers to have an update through
> > > stable proposed updates?
> >
> > Hi Salvatore,
> >
> > No, I'm not aware of anything that has been missed.  I was just trying
> > to be proactive about creating a package.  If any user needs to build
> > for wheezy, the patch is available in the BTS.
> >
> > Thank you for the information,
> > tony
>
> For what it's worth, CVE-2014-3578 was assigned to a directory traversal
> vulnerability in libspring-java
> ( http://www.pivotal.io/security/cve-2014-3578)
>
>
Thanks for letting us know about this one. I've had a quick look and it
might be more difficult to fix given that there hasn't been a specific
commit made in a later version of Spring which could be backported.
However, I will look into this in more detail and report back to the BTS
for this bug.

I think it's no-dsa too, but both can be fixed in a point release.
>
> Regards,
> --
> Yves-Alexis Perez - Debian Security
>
>
>
Cheers,

Stephen Nelson