libspring-java: CVE-2018-1270 CVE-2018-1272

Related Vulnerabilities: CVE-2018-1270 CVE-2018-1272 CVE-2018-1275

Debian Bug report logs - #895114


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 7 Apr 2018 07:51:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version libspring-java/4.3.5-1

Fixed in version libspring-java/4.3.19-1

Done: Emmanuel Bourg <ebourg@apache.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#895114; Package src:libspring-java. (Sat, 07 Apr 2018 07:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 07 Apr 2018 07:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libspring-java: CVE-2018-1270 CVE-2018-1272
Date: Sat, 07 Apr 2018 09:46:13 +0200
Source: libspring-java
Version: 4.3.5-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

The following vulnerabilities were published for libspring-java,
filing only one bug this time since the common set of affected
versions for the two is all 4.3 versions and older unsupported
versions.

CVE-2018-1270[0]:
| Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior
| to 4.3.15 and older unsupported versions, allow applications to expose
| STOMP over WebSocket endpoints with a simple, in-memory STOMP broker
| through the spring-messaging module. A malicious user (or attacker)
| can craft a message to the broker that can lead to a remote code
| execution attack.

CVE-2018-1272[1]:
| Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior
| to 4.3.15 and older unsupported versions, provide client-side support
| for multipart requests. When Spring MVC or Spring WebFlux server
| application (server A) receives input from a remote client, and then
| uses that input to make a multipart request to another server (server
| B), it can be exposed to an attack, where an extra multipart is
| inserted in the content of the request from server A, causing server B
| to use the wrong value for a part it expects. This could lead to
| privilege escalation, for example, if the part content represents a
| username or user roles.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1270
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1270
    https://pivotal.io/security/cve-2018-1270
[1] https://security-tracker.debian.org/tracker/CVE-2018-1272
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272
    https://pivotal.io/security/cve-2018-1272

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

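The multipart injection that CVE-2018-1272 describes, shown as an added worked example that is not part of this bug report and is not Spring's code: a constructed client-side encoder standing in for server A, which copies an untrusted value into a multipart body using a guessable boundary; a constructed parser standing in for server B; and a hardened encoder beside the naive one. The predictable boundary, the field names, the "last value for a field wins" behaviour of server B and the parser itself are assumptions made for the demonstration, not details taken from the advisory, and the hardened encoder shows a generic mitigation (unpredictable boundary plus the RFC 2046 rule that the boundary must not occur inside any part), not the specific change made upstream.

```python
import re
import secrets
from typing import Dict, List, Tuple

Part = Tuple[str, str]  # (field name, part body)

# Constructed scenario: server A forwards a client-supplied username to
# server B together with a fixed role. The boundary is deliberately
# guessable, standing in for any boundary an attacker can predict.
GUESSABLE_BOUNDARY = "boundary1234"

# Constructed attacker input: a plain username followed by a forged
# delimiter line and a second "roles" part.
INJECTED_USERNAME = (
    "alice\r\n"
    f"--{GUESSABLE_BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="roles"\r\n'
    "\r\n"
    "admin"
)


def encode_multipart(parts: List[Part], boundary: str) -> bytes:
    """Naive client-side encoder: each part body is copied in verbatim,
    trusting that the delimiter never occurs inside it."""
    out = []
    for name, body in parts:
        out.append(f"--{boundary}\r\n")
        out.append(f'Content-Disposition: form-data; name="{name}"\r\n\r\n')
        out.append(body + "\r\n")
    out.append(f"--{boundary}--\r\n")
    return "".join(out).encode("utf-8")


def encode_multipart_safely(parts: List[Part]) -> Tuple[bytes, str]:
    """Hardened encoder (assumed mitigation, not Spring's patch): refuse
    header injection in field names, pick a 128-bit random boundary the
    client cannot predict, and apply the RFC 2046 rule that the boundary
    must not occur in any part body, regenerating if it ever does."""
    for name, _ in parts:
        if any(c in name for c in '\r\n"'):
            raise ValueError(f"illegal character in field name: {name!r}")
    while True:
        boundary = secrets.token_hex(16)
        if all(boundary not in body for _, body in parts):
            return encode_multipart(parts, boundary), boundary


def parse_multipart(body: bytes, boundary: str) -> Dict[str, List[str]]:
    """Constructed stand-in for server B's parser: split on the delimiter
    and keep every value seen for each field name, in order."""
    fields: Dict[str, List[str]] = {}
    delimiter = f"\r\n--{boundary}".encode("utf-8")
    # A leading CRLF lets the first delimiter match the same pattern.
    for chunk in (b"\r\n" + body).split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, sep, value = chunk.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', head)
        if not sep or not match:
            continue
        fields.setdefault(match.group(1).decode(), []).append(value.decode())
    return fields


def forward_with_naive_encoder(username: str) -> Dict[str, List[str]]:
    """Server A builds the request with the guessable boundary and server
    B parses it; the forged part lands after the legitimate roles part."""
    body = encode_multipart([("roles", "user"), ("username", username)],
                            GUESSABLE_BOUNDARY)
    return parse_multipart(body, GUESSABLE_BOUNDARY)


def forward_with_safe_encoder(username: str) -> Dict[str, List[str]]:
    """Same request through the hardened encoder: the forged delimiter no
    longer matches anything, so it stays inside the username value."""
    body, boundary = encode_multipart_safely(
        [("roles", "user"), ("username", username)])
    return parse_multipart(body, boundary)


def effective_roles(fields: Dict[str, List[str]]) -> str:
    """Assumed server B behaviour: the last value seen for a field wins."""
    return fields["roles"][-1]


if __name__ == "__main__":
    vulnerable = forward_with_naive_encoder(INJECTED_USERNAME)
    hardened = forward_with_safe_encoder(INJECTED_USERNAME)
    print("naive encoder    -> roles:", vulnerable["roles"],
          "effective:", effective_roles(vulnerable))
    print("hardened encoder -> roles:", hardened["roles"],
          "effective:", effective_roles(hardened))
```

With the naive encoder server B sees two "roles" parts and, under the assumed last-wins rule, grants "admin"; with the hardened encoder the whole injected string is delivered as the username and the only "roles" value is "user". The boundary check is what makes the unpredictable boundary sufficient: if a part body could contain the boundary, a random choice would still be a guess the attacker could sometimes win.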


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#895114; Package src:libspring-java. (Tue, 10 Apr 2018 06:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 10 Apr 2018 06:33:03 GMT)


Message #10 received at 895114@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 895114@bugs.debian.org
Subject: Re: Bug#895114: libspring-java: CVE-2018-1270 CVE-2018-1272
Date: Tue, 10 Apr 2018 08:30:14 +0200
On Sat, Apr 07, 2018 at 09:46:13AM +0200, Salvatore Bonaccorso wrote:
> Source: libspring-java
> Version: 4.3.5-1
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> Hi,
> 
> The following vulnerabilities were published for libspring-java,
> filing only one bug this time since the common set of affected
> versions for the two is all 4.3 versions and older unsupported
> versions.
> 
> CVE-2018-1270[0]:
> | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior
> | to 4.3.15 and older unsupported versions, allow applications to expose
> | STOMP over WebSocket endpoints with a simple, in-memory STOMP broker
> | through the spring-messaging module. A malicious user (or attacker)
> | can craft a message to the broker that can lead to a remote code
> | execution attack.

For this one:

https://bugzilla.redhat.com/show_bug.cgi?id=1565307

So when trying to address CVE-2018-1270 one needs to make sure it's
not only partially fixed, so as not to open up CVE-2018-1275.

Regards,
Salvatore



Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Fri, 05 Oct 2018 13:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 05 Oct 2018 13:39:03 GMT)


Message #15 received at 895114-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 895114-close@bugs.debian.org
Subject: Bug#895114: fixed in libspring-java 4.3.19-1
Date: Fri, 05 Oct 2018 13:37:28 +0000
Source: libspring-java
Source-Version: 4.3.19-1

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895114@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Oct 2018 14:19:52 +0200
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-messaging-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source
Version: 4.3.19-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-messaging-java - modular Java/J2EE application framework - Messaging tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Closes: 895114
Changes:
 libspring-java (4.3.19-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2018-1270, CVE-2018-1272 and CVE-2018-1275 (Closes: #895114)
     - Refreshed the patches
     - Updated the Maven rules
   * Fixed the compatibility with the version of SnakeYAML in Debian
   * Replaced debian/orig-tar.sh with the File-Excluded field in debian/copyright
   * Standards-Version updated to 4.2.1
   * Use salsa.debian.org Vcs-* URLs
Checksums-Sha1:
 efefcae934e97bf3f1b95969ba0d848a6fdebbae 5166 libspring-java_4.3.19-1.dsc
 bbcd113e3fae293d4c0097b9826ae15d7e4db256 7194452 libspring-java_4.3.19.orig.tar.xz
 2d70b411e5d8e451ccfd7e22e025dc5b6f998786 18016 libspring-java_4.3.19-1.debian.tar.xz
 b6c631080d8a6ac99cc1c3a0e6d9278726929e38 15090 libspring-java_4.3.19-1_source.buildinfo
Checksums-Sha256:
 69b5f3007f98fbb36bf4b30867a9927d724717384a7fc8595466ef01242b7e21 5166 libspring-java_4.3.19-1.dsc
 1000c7ac8fc57addbf99318543b59321dc3effa936918d0b0f6dda417be1ef59 7194452 libspring-java_4.3.19.orig.tar.xz
 c55efbcd99c1ea201bca7d92b79819a4af4a6733c2a0076cf6f9617123422e65 18016 libspring-java_4.3.19-1.debian.tar.xz
 beb9f9a123eebb3f1b62b832940a227043352549e63646d0b2a9636a77bd8c34 15090 libspring-java_4.3.19-1_source.buildinfo
Files:
 e4b2ee00db932fc679fe322e1b63cf49 5166 java optional libspring-java_4.3.19-1.dsc
 e2009b412ca41a8da348b22a0f1019b8 7194452 java optional libspring-java_4.3.19.orig.tar.xz
 64d817e7bd04f37708d1fa4e99f0d32f 18016 java optional libspring-java_4.3.19-1.debian.tar.xz
 988b731654d239b40f34a086f38dbd22 15090 java optional libspring-java_4.3.19-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlu3X3YSHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCsfTMQAJU4Yqad5oZ2AxbiDTgGgmPKPYYUG/XF
owX7zmedg0q3jT+COvUV0oPVjBiNs9d1xjQppnExXxXbqpayyj/6Lpghowd3Q8Vo
lt7Q7rq9h+DyX5KQDAij79Jo5HwzpCRBQMVGhZq+SuiofQwnWBEUKlvO3klKSCJh
0l7hv0lVmGgriBox/TmiR9bUzpp5AC/q74PU7TZhBJg60OK+s3/CPPhpcXxz8pK7
LmNhm1hPPzD7EEamIpme9rQrE7TnhfnbfRBYTYLZ5Or5MnHOBrRxpQlRkdUPTyM1
/yfd1PImOGhi8UIx0oApEcAieBTcFUkJ9iBlx5mVUpimNVqTZJjnbl4OFAEPBbNT
AJLw0gTWg0gNv8HtLkUiK94D0LtobId5tyHU6RQcUh/vSWZv6o76TgDbJ89Z8lLH
7Nt9FM59M4u3T3ltRzpym3SU1kbjlopDaHd9yY9NETVMNFVenC8xKxeQynrwxqKC
AxMBG4uRBhhlqCWgV+BjP4VyFbp4NdLrMS1pvuSgetXh5KyoEgF9gcLnW+AAejSc
c0+jX7DkxKu4nWadlHGo+DDyaXRSLJKJ/fFwbVD9eAO+ExD5QQdV5zJQ/VE5iKee
mGmQEvtDadandm1EkZ17BmM9UgilqTqfSCSliyR9lgVo9M24xBsxWUCldSk1BCdJ
xL2pJT5DWo8a
=0noK
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:28:25 2019; Machine Name: beach
