libspring-java: CVE-2014-3625 Directory Traversal in Spring Framework

Related Vulnerabilities: CVE-2014-3625   CVE-2014-3578  

Debian Bug report logs - #769698


Reported by: bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>

Date: Sat, 15 Nov 2014 16:57:07 UTC

Severity: important

Tags: security, upstream

Found in version libspring-java/3.0.5.RELEASE-2

Fixed in version libspring-java/3.2.12-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.

Forwarded to https://jira.spring.io/browse/SPR-12354



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#769698; Package src:libspring-java. (Sat, 15 Nov 2014 16:57:11 GMT) (full text, mbox, link).


Acknowledgement sent to bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 15 Nov 2014 16:57:12 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libspring-java: CVE-2014-3625 Directory Traversal in Spring Framework
Date: Sat, 15 Nov 2014 17:54:19 +0100
Source: libspring-java
Version: 3.0.0
Severity: serious
Tags: security
Justification: must

According to https://github.com/spring-projects/spring-framework/commit/3f68cd, the affected versions include 3.0.0 to 3.2.11.

The '<mvc:resources/>' feature seems to have been introduced in 3.0.4 (http://docs.spring.io/spring/d...).

Bastien



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 15 Nov 2014 19:03:08 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://jira.spring.io/browse/SPR-12354'. Request was from Emmanuel Bourg <ebourg@apache.org> to control@bugs.debian.org. (Tue, 18 Nov 2014 21:57:09 GMT) (full text, mbox, link).


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Wed, 03 Dec 2014 15:57:17 GMT) (full text, mbox, link).


Notification sent to bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>:
Bug acknowledged by developer. (Wed, 03 Dec 2014 15:57:17 GMT) (full text, mbox, link).


Message #14 received at 769698-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: 769698-close@bugs.debian.org
Subject: Bug#769698: fixed in libspring-java 3.2.12-1
Date: Wed, 03 Dec 2014 15:52:51 +0000
Source: libspring-java
Source-Version: 3.2.12-1

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 769698@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 03 Dec 2014 16:22:55 +0100
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 3.2.12-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Closes: 732215 760733 769698
Changes:
 libspring-java (3.2.12-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release (Closes: #732215)
     - Fix CVE-2014-3578: Directory Traversal (Closes: #760733)
     - Fix CVE-2014-3625: Directory Traversal (Closes: #769698)
     - Removed the patches applied upstream
     - New build dependencies on libjoptsimple-java, libderbyclient-java,
       libhsqldb-java, libjetty8-java, libhibernate-validator-java,
       gradle-propdeps-plugin, libjackson2-databind-java, libjstl1.1-java,
       libjakarta-taglibs-standard-java
     - Depend on libgeronimo-j2ee-connector-1.5-spec-java (>= 2.0.0-2)
     - Depend on libgeronimo-commonj-spec-java (>= 1.1.1-3)
     - Depend on libitext-java (>= 2.1.7-9)
     - Depend on libvelocity-tools-java (>= 2.0-3)
   * Use XZ compression for the upstream tarball
   * Remove more jar files from the upstream tarball
   * debian/rules: Changed the get-orig-source target to call uscan





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Jan 2015 07:38:31 GMT) (full text, mbox, link).


Bug unarchived. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:18:16 GMT) (full text, mbox, link).


Marked as found in versions libspring-java/3.0.5.RELEASE-2. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:33:07 GMT) (full text, mbox, link).


No longer marked as found in versions libspring-java/3.0.0. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:33:09 GMT) (full text, mbox, link).


Bug reopened. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:33:09 GMT) (full text, mbox, link).


No longer marked as fixed in versions libspring-java/3.2.12-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:33:10 GMT) (full text, mbox, link).


Marked as fixed in versions libspring-java/3.2.12-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 19:45:06 GMT) (full text, mbox, link).


Severity set to 'important' from 'serious'. Request was from Ivo De Decker <ivodd@debian.org> to control@bugs.debian.org. (Thu, 05 Mar 2015 21:27:04 GMT) (full text, mbox, link).


Marked Bug as done. Request was from Emmanuel Bourg <ebourg@apache.org> to control@bugs.debian.org. (Mon, 19 Oct 2015 12:48:06 GMT) (full text, mbox, link).


Notification sent to bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>:
Bug acknowledged by developer. (Mon, 19 Oct 2015 12:48:06 GMT) (full text, mbox, link).


Message #35 received at 769698-close@bugs.debian.org (full text, mbox, reply):

From: "Interfax Service" <incoming@interfax.net>
To: 769698-close@bugs.debian.org
Subject: You have received fax, document 00410904
Date: Wed, 28 Oct 2015 09:12:40 -0300
[Message part 1 (text/plain, inline)]
You have a new fax!

Please check your fax document in the attachment to this e-mail.

Date:            Wed, 28 Oct 2015 08:12:52 +0300
File name:       scanned_00410904.doc
Pages scanned:   6
Processed in:    38 seconds
X-Report-Abuse-To: abuse@iphotel.com.br
From:            Kelly Holman
Quality:         200 DPI
File size:       271 Kb

Thanks for choosing Interfax!

[scanned_00410904.zip (application/zip, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 26 Nov 2015 07:36:12 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:03:53 2019; Machine Name: buxtehude
