Debian Bug report logs - #769698
libspring-java: CVE-2014-3625 Directory Traversal in Spring Framework
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#769698; Package src:libspring-java. (Sat, 15 Nov 2014 16:57:11 GMT)
Acknowledgement sent to bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 15 Nov 2014 16:57:12 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libspring-java
Version: 3.0.0
Severity: serious
Tags: security
Justification: must
According to https://github.com/spring-projects/spring-framework/commit/3f68cd, versions affected include 3.0.0 to 3.2.11.
The feature of '<mvc:resources/>' seems to be introduced in 3.0.4 (http://docs.spring.io/spring/d...).
Bastien
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 15 Nov 2014 19:03:08 GMT)
Reply sent to Emmanuel Bourg <ebourg@apache.org>: You have taken responsibility. (Wed, 03 Dec 2014 15:57:17 GMT)
Notification sent to bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>: Bug acknowledged by developer. (Wed, 03 Dec 2014 15:57:17 GMT)
Message #14 received at 769698-close@bugs.debian.org:
Source: libspring-java
Source-Version: 3.2.12-1
We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 769698@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libspring-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 03 Dec 2014 16:22:55 +0100
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 3.2.12-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
libspring-aop-java - modular Java/J2EE application framework - AOP
libspring-beans-java - modular Java/J2EE application framework - Beans
libspring-context-java - modular Java/J2EE application framework - Context
libspring-context-support-java - modular Java/J2EE application framework - Context Support
libspring-core-java - modular Java/J2EE application framework - Core
libspring-expression-java - modular Java/J2EE application framework - Expression language
libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
libspring-jms-java - modular Java/J2EE application framework - JMS tools
libspring-orm-java - modular Java/J2EE application framework - ORM tools
libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
libspring-test-java - modular Java/J2EE application framework - Test helpers
libspring-transaction-java - modular Java/J2EE application framework - transaction
libspring-web-java - modular Java/J2EE application framework - Web
libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Closes: 732215 760733 769698
Changes:
libspring-java (3.2.12-1) experimental; urgency=medium
.
* Team upload.
* New upstream release (Closes: #732215)
- Fix CVE-2014-3578: Directory Traversal (Closes: #760733)
- Fix CVE-2014-3625: Directory Traversal (Closes: #769698)
- Removed the patches applied upstream
- New build dependencies on libjoptsimple-java, libderbyclient-java,
libhsqldb-java, libjetty8-java, libhibernate-validator-java,
gradle-propdeps-plugin, libjackson2-databind-java, libjstl1.1-java,
libjakarta-taglibs-standard-java
- Depend on libgeronimo-j2ee-connector-1.5-spec-java (>= 2.0.0-2)
- Depend on libgeronimo-commonj-spec-java (>= 1.1.1-3)
- Depend on libitext-java (>= 2.1.7-9)
- Depend on libvelocity-tools-java (>= 2.0-3)
* Use XZ compression for the upstream tarball
* Remove more jar files from the upstream tarball
* debian/rules: Changed the get-orig-source target to call uscan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Jan 2015 07:38:31 GMT)
Bug unarchived. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:18:16 GMT)
Marked as found in versions libspring-java/3.0.5.RELEASE-2. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:33:07 GMT)
No longer marked as found in versions libspring-java/3.0.0. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:33:09 GMT)
Bug reopened. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:33:09 GMT)
No longer marked as fixed in versions libspring-java/3.2.12-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:33:10 GMT)
Marked as fixed in versions libspring-java/3.2.12-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:45:06 GMT)
Severity set to 'important' from 'serious'. Request was from Ivo De Decker <ivodd@debian.org> to control@bugs.debian.org. (Thu, 05 Mar 2015 21:27:04 GMT)
Marked Bug as done. Request was from Emmanuel Bourg <ebourg@apache.org> to control@bugs.debian.org. (Mon, 19 Oct 2015 12:48:06 GMT)
Notification sent to bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>: Bug acknowledged by developer. (Mon, 19 Oct 2015 12:48:06 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 26 Nov 2015 07:36:12 GMT)
Last modified: Wed Jun 19 15:03:53 2019