libspring-java: CVE-2014-0225

Related Vulnerabilities: CVE-2014-0225, CVE-2014-3578

Debian Bug report logs - #753470
libspring-java: CVE-2014-0225


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 2 Jul 2014 08:54:02 UTC

Severity: grave

Tags: patch, security

Fixed in version libspring-java/3.0.6.RELEASE-14

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#753470; Package libspring-java. (Wed, 02 Jul 2014 08:54:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 02 Jul 2014 08:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libspring-java: CVE-2014-0225
Date: Wed, 02 Jul 2014 10:36:55 +0200
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see http://www.gopivotal.com/security/cve-2014-0225

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#753470; Package libspring-java. (Fri, 05 Sep 2014 17:24:04 GMT)


Acknowledgement sent to Stephen Nelson <stephen@eccostudio.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 05 Sep 2014 17:24:04 GMT)


Message #10 received at 753470@bugs.debian.org:

From: Stephen Nelson <stephen@eccostudio.com>
To: 753470@bugs.debian.org
Subject: Fwd: Patch
Date: Fri, 5 Sep 2014 18:22:43 +0100
Please find attached a patch which backports the security fix to the
version of Spring present in Debian Wheezy.
[libspring-java-CVE-2014-0225.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Stephen Nelson <stephen@eccostudio.com> to control@bugs.debian.org. (Fri, 05 Sep 2014 17:27:13 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#753470; Package libspring-java. (Sat, 06 Sep 2014 15:51:05 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 06 Sep 2014 15:51:05 GMT)


Message #17 received at 753470@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 753470@bugs.debian.org
Cc: team@security.debian.org, Stephen Nelson <stephen@eccostudio.com>
Subject: Re: libspring-java: CVE-2014-0225
Date: Sat, 06 Sep 2014 08:50:24 -0700
On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm@inutil.org>
wrote:
> Package: libspring-java
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> please see http://www.gopivotal.com/security/cve-2014-0225

Hello,

I have uploaded a patched version (thanks Stephen!) to unstable and
prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
the debdiff for the .dsc and .changes is attached.  (It is essentially
identical to the debdiff for unstable.)  I also placed the source and
binary packages for the wheezy update here:

  https://people.debian.org/~tmancill/libspring-java_wheezy/

for Security Team review.

Thank you,
tony


[libspring-java_wheezy.debdiff (text/plain, attachment)]

Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Sat, 06 Sep 2014 16:09:12 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 06 Sep 2014 16:09:13 GMT)


Message #22 received at 753470-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 753470-close@bugs.debian.org
Subject: Bug#753470: fixed in libspring-java 3.0.6.RELEASE-14
Date: Sat, 06 Sep 2014 16:06:26 +0000
Source: libspring-java
Source-Version: 3.0.6.RELEASE-14

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 753470@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 06 Sep 2014 08:27:26 -0700
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-struts-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 3.0.6.RELEASE-14
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
 libspring-web-struts-java - modular Java/J2EE application framework - Struts MVC
Closes: 753470
Changes:
 libspring-java (3.0.6.RELEASE-14) unstable; urgency=high
 .
   * Team upload.
   * Add patch to fix CVE-2014-0225. (Closes: #753470)
     - Thanks to Stephen Nelson.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#753470; Package libspring-java. (Sat, 06 Sep 2014 18:39:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 06 Sep 2014 18:39:07 GMT)


Message #27 received at 753470@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: tony mancill <tmancill@debian.org>
Cc: 753470@bugs.debian.org, team@security.debian.org, Stephen Nelson <stephen@eccostudio.com>
Subject: Re: libspring-java: CVE-2014-0225
Date: Sat, 6 Sep 2014 20:36:35 +0200
Hi Tony,

On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm@inutil.org>
> wrote:
> > Package: libspring-java
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Hi,
> > please see http://www.gopivotal.com/security/cve-2014-0225
> 
> Hello,
> 
> I have uploaded a patched version (thanks Stephen!) to unstable and
> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
> the debdiff for the .dsc and .changes is attached.  (It is essentially
> identical to the debdiff for unstable.)  I also placed the source and
> binary packages for the wheezy update here:
> 
>   https://people.debian.org/~tmancill/libspring-java_wheezy/
> 
> for Security Team review.

AFAICS at the time (at least), this CVE was marked no-dsa. Do you
concur on this classification or is there something we missed? If so,
could you contact the stable release managers to have an update through
stable proposed updates?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#753470; Package libspring-java. (Sun, 07 Sep 2014 04:42:09 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 07 Sep 2014 04:42:09 GMT)


Message #32 received at 753470@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 753470@bugs.debian.org, team@security.debian.org, Stephen Nelson <stephen@eccostudio.com>
Subject: Re: libspring-java: CVE-2014-0225
Date: Sat, 06 Sep 2014 21:38:49 -0700
On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> Hi Tony,
> 
> On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
>> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm@inutil.org>
>> wrote:
>>> Package: libspring-java
>>> Severity: grave
>>> Tags: security
>>> Justification: user security hole
>>>
>>> Hi,
>>> please see http://www.gopivotal.com/security/cve-2014-0225
>>
>> Hello,
>>
>> I have uploaded a patched version (thanks Stephen!) to unstable and
>> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
>> the debdiff for the .dsc and .changes is attached.  (It is essentially
>> identical to the debdiff for unstable.)  I also placed the source and
>> binary packages for the wheezy update here:
>>
>>   https://people.debian.org/~tmancill/libspring-java_wheezy/
>>
>> for Security Team review.
> 
> AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> concur on this classification or is there something we missed? If so,
> could you contact the stable release managers to have an update through
> stable proposed updates?

Hi Salvatore,

No, I'm not aware of anything that has been missed.  I was just trying
to be proactive about creating a package.  If any user needs to build
for wheezy, the patch is available in the BTS.

Thank you for the information,
tony



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#753470; Package libspring-java. (Sun, 07 Sep 2014 11:36:05 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 07 Sep 2014 11:36:05 GMT)


Message #37 received at 753470@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: tony mancill <tmancill@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 753470@bugs.debian.org, team@security.debian.org, Stephen Nelson <stephen@eccostudio.com>, 760733@bugs.debian.org
Subject: Re: libspring-java: CVE-2014-0225
Date: Sun, 07 Sep 2014 13:34:08 +0200
On sam., 2014-09-06 at 21:38 -0700, tony mancill wrote:
> On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> > Hi Tony,
> > 
> > On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> >> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm@inutil.org>
> >> wrote:
> >>> Package: libspring-java
> >>> Severity: grave
> >>> Tags: security
> >>> Justification: user security hole
> >>>
> >>> Hi,
> >>> please see http://www.gopivotal.com/security/cve-2014-0225
> >>
> >> Hello,
> >>
> >> I have uploaded a patched version (thanks Stephen!) to unstable and
> >> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
> >> the debdiff for the .dsc and .changes is attached.  (It is essentially
> >> identical to the debdiff for unstable.)  I also placed the source and
> >> binary packages for the wheezy update here:
> >>
> >>   https://people.debian.org/~tmancill/libspring-java_wheezy/
> >>
> >> for Security Team review.
> > 
> > AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> > concur on this classification or is there something we missed? If so,
> > could you contact the stable release managers to have an update through
> > stable proposed updates?
> 
> Hi Salvatore,
> 
> No, I'm not aware of anything that has been missed.  I was just trying
> to be proactive about creating a package.  If any user needs to build
> for wheezy, the patch is available in the BTS.
> 
> Thank you for the information,
> tony

For what it's worth, CVE-2014-3578 was assigned to a directory traversal
vulnerability in libspring-java
(http://www.pivotal.io/security/cve-2014-3578)

I think it's no-dsa too, but both can be fixed in a point release.

Regards,
-- 
Yves-Alexis Perez - Debian Security



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#753470; Package libspring-java. (Mon, 08 Sep 2014 09:15:08 GMT)


Acknowledgement sent to Stephen Nelson <stephen@eccostudio.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 08 Sep 2014 09:15:08 GMT)


Message #42 received at 753470@bugs.debian.org:

From: Stephen Nelson <stephen@eccostudio.com>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: tony mancill <tmancill@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, 753470@bugs.debian.org, team@security.debian.org, 760733@bugs.debian.org
Subject: Re: libspring-java: CVE-2014-0225
Date: Mon, 8 Sep 2014 10:10:04 +0100
On Sun, Sep 7, 2014 at 12:34 PM, Yves-Alexis Perez <corsac@debian.org>
wrote:

> On sam., 2014-09-06 at 21:38 -0700, tony mancill wrote:
> > On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> > > Hi Tony,
> > >
> > > On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> > >> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm@inutil.org>
> > >> wrote:
> > >>> Package: libspring-java
> > >>> Severity: grave
> > >>> Tags: security
> > >>> Justification: user security hole
> > >>>
> > >>> Hi,
> > >>> please see http://www.gopivotal.com/security/cve-2014-0225
> > >>
> > >> Hello,
> > >>
> > >> I have uploaded a patched version (thanks Stephen!) to unstable and
> > >> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
> > >> the debdiff for the .dsc and .changes is attached.  (It is essentially
> > >> identical to the debdiff for unstable.)  I also placed the source and
> > >> binary packages for the wheezy update here:
> > >>
> > >>   https://people.debian.org/~tmancill/libspring-java_wheezy/
> > >>
> > >> for Security Team review.
> > >
>

Thanks for packaging the fix Tony.


> > > AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> > > concur on this classification or is there something we missed? If so,
> > > could you contact the stable release managers to have an update through
> > > stable proposed updates?
> >
> > Hi Salvatore,
> >
> > No, I'm not aware of anything that has been missed.  I was just trying
> > to be proactive about creating a package.  If any user needs to build
> > for wheezy, the patch is available in the BTS.
> >
> > Thank you for the information,
> > tony
>
> For what it's worth, CVE-2014-3578 was assigned to a directory traversal
> vulnerability in libspring-java
> (http://www.pivotal.io/security/cve-2014-3578)
>
>
Thanks for letting us know about this one. I've had a quick look and it
might be more difficult to fix given that there hasn't been a specific
commit made in a later version of Spring which could be backported.
However, I will look into this in more detail and report back to the BTS
for this bug.

> I think it's no-dsa too, but both can be fixed in a point release.
>
> Regards,
> --
> Yves-Alexis Perez - Debian Security
>
>
>
Cheers,

Stephen Nelson

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Oct 2014 07:32:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:48:18 2019; Machine Name: buxtehude
