CVE-2014-3578: directory traversal

Debian Bug report logs - #760733
CVE-2014-3578: directory traversal

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2014-3578: directory traversal

Date: Sun, 07 Sep 2014 13:30:02 +0200

Package: src:libspring-java
Severity: grave
Tags: security
Justification: user security hole

Hi,

CVE-2014-3578 was assigned to a directory traversal in the spring
framework, affecting all versions in Debian (fixed in 3.2.0).

More information can be found on:

- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3578
- http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html

Please include the CVE number in the changelog entry fixing the
vulnerability.

Regards,
-- 
Yves-Alexis Perez

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Message #10 received at 760733@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>

To: tony mancill <tmancill@debian.org>

Cc: Salvatore Bonaccorso <carnil@debian.org>, 753470@bugs.debian.org, team@security.debian.org, Stephen Nelson <stephen@eccostudio.com>, 760733@bugs.debian.org

Subject: Re: libspring-java: CVE-2014-0225

Date: Sun, 07 Sep 2014 13:34:08 +0200

[Message part 1 (text/plain, inline)]

On sam., 2014-09-06 at 21:38 -0700, tony mancill wrote:
> On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> > Hi Tony,
> > 
> > On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> >> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm@inutil.org>
> >> wrote:
> >>> Package: libspring-java
> >>> Severity: grave
> >>> Tags: security
> >>> Justification: user security hole
> >>>
> >>> Hi,
> >>> please see http://www.gopivotal.com/security/cve-2014-0225
> >>
> >> Hello,
> >>
> >> I have uploaded a a patched version (thanks Stephen!) to unstable and
> >> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
> >> the debdiff for the .dsc and .changes is attached.  (It is essentially
> >> identical to the debdiff for unstable.)  I also placed the source and
> >> binary packages for the wheezy update here:
> >>
> >>   https://people.debian.org/~tmancill/libspring-java_wheezy/
> >>
> >> for Security Team review.
> > 
> > AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> > concur on this classification or is there something we missed? If so,
> > could you contact the stable release managers to have an update trough
> > stable proposed updates?
> 
> Hi Salvatore,
> 
> No, I'm not aware of anything that has been missed.  I was just trying
> to be proactive about creating a package.  If any user needs to build
> for wheezy, the patch is available in the BTS.
> 
> Thank you for the information,
> tony

For what it's worth, CVE-2014-3578 was assigned to a directory traversal
vulnerability in libspring-java
( http://www.pivotal.io/security/cve-2014-3578)

I think it's no-dsa too, but both can be fixed in a point release.

Regards,
-- 
Yves-Alexis Perez - Debian Security

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 760733@bugs.debian.org (full text, mbox, reply):

From: Stephen Nelson <stephen@eccostudio.com>

To: Yves-Alexis Perez <corsac@debian.org>

Cc: tony mancill <tmancill@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, 753470@bugs.debian.org, team@security.debian.org, 760733@bugs.debian.org

Subject: Re: libspring-java: CVE-2014-0225

Date: Mon, 8 Sep 2014 10:10:04 +0100

[Message part 1 (text/plain, inline)]

On Sun, Sep 7, 2014 at 12:34 PM, Yves-Alexis Perez <corsac@debian.org>
wrote:

> On sam., 2014-09-06 at 21:38 -0700, tony mancill wrote:
> > On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> > > Hi Tony,
> > >
> > > On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> > >> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm@inutil.org
> >
> > >> wrote:
> > >>> Package: libspring-java
> > >>> Severity: grave
> > >>> Tags: security
> > >>> Justification: user security hole
> > >>>
> > >>> Hi,
> > >>> please see http://www.gopivotal.com/security/cve-2014-0225
> > >>
> > >> Hello,
> > >>
> > >> I have uploaded a a patched version (thanks Stephen!) to unstable and
> > >> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for
> which
> > >> the debdiff for the .dsc and .changes is attached.  (It is essentially
> > >> identical to the debdiff for unstable.)  I also placed the source and
> > >> binary packages for the wheezy update here:
> > >>
> > >>   https://people.debian.org/~tmancill/libspring-java_wheezy/
> > >>
> > >> for Security Team review.
> > >
>

Thanks for packaging the fix Tony.


> > > AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> > > concur on this classification or is there something we missed? If so,
> > > could you contact the stable release managers to have an update trough
> > > stable proposed updates?
> >
> > Hi Salvatore,
> >
> > No, I'm not aware of anything that has been missed.  I was just trying
> > to be proactive about creating a package.  If any user needs to build
> > for wheezy, the patch is available in the BTS.
> >
> > Thank you for the information,
> > tony
>
> For what it's worth, CVE-2014-3578 was assigned to a directory traversal
> vulnerability in libspring-java
> ( http://www.pivotal.io/security/cve-2014-3578)
>
>
Thanks for letting us know about this one. I've had a quick look and it
might be more difficult to fix given that there hasn't been a specific
commit made in a later version of Spring which could be backported.
However, I will look into this in more detail and report back to the BTS
for this bug.

I think it's no-dsa too, but both can be fixed in a point release.
>
> Regards,
> --
> Yves-Alexis Perez - Debian Security
>
>
>
Cheers,

Stephen Nelson

[Message part 2 (text/html, inline)]

Message #20 received at 760733@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: Stephen Nelson <stephen@eccostudio.com>

Cc: tony mancill <tmancill@debian.org>, team@security.debian.org, 760733@bugs.debian.org

Subject: Re: libspring-java: CVE-2014-0225

Date: Wed, 26 Nov 2014 11:45:58 +0100

Hello Stephen,

On Mon, 08 Sep 2014, Stephen Nelson wrote:
> > For what it's worth, CVE-2014-3578 was assigned to a directory traversal
> > vulnerability in libspring-java
> > ( http://www.pivotal.io/security/cve-2014-3578)
>
> Thanks for letting us know about this one. I've had a quick look and it
> might be more difficult to fix given that there hasn't been a specific
> commit made in a later version of Spring which could be backported.
> However, I will look into this in more detail and report back to the BTS
> for this bug.

I haven't seen any followup yet. Do you still plan to do the required
investigation?

This bug is one of Jessie's remaining release critical bugs so it would
be nice if there could be some progress. (Of course, packaging a new
upstream version can also be considered by release team members
if backporting is too much work)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Message #25 received at 760733@bugs.debian.org (full text, mbox, reply):

From: Stephen Nelson <stephen@eccostudio.com>

To: Raphael Hertzog <hertzog@debian.org>

Cc: team@security.debian.org, tony mancill <tmancill@debian.org>, 760733@bugs.debian.org, Debian Java <debian-java@lists.debian.org>

Subject: libspring-java: CVE-2014-0225

Date: Wed, 26 Nov 2014 11:22:28 +0000

[Message part 1 (text/plain, inline)]

On 26 Nov 2014 10:45, "Raphael Hertzog" <hertzog@debian.org> wrote:
>
> Hello Stephen,
>
> On Mon, 08 Sep 2014, Stephen Nelson wrote:
> > > For what it's worth, CVE-2014-3578 was assigned to a directory
traversal
> > > vulnerability in libspring-java
> > > ( http://www.pivotal.io/security/cve-2014-3578)
> >
> > Thanks for letting us know about this one. I've had a quick look and it
> > might be more difficult to fix given that there hasn't been a specific
> > commit made in a later version of Spring which could be backported.
> > However, I will look into this in more detail and report back to the BTS
> > for this bug.
>
> I haven't seen any followup yet. Do you still plan to do the required
> investigation?
>
> This bug is one of Jessie's remaining release critical bugs so it would
> be nice if there could be some progress. (Of course, packaging a new
> upstream version can also be considered by release team members
> if backporting is too much work)
>

I couldn't find any specifics on this vulnerability other than the upstream
saying it's not present in their currently supported versions.

Therefore it looks like upgrading to 3.2.x would solve the security issue
but is quite a lot of work and involves dependencies not yet packaged in
Debian.

I'm happy to help but ask more experienced Java team members on what's the
best course of action here.

Cheers

Stephen

[Message part 2 (text/html, inline)]

Message #30 received at 760733@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: Stephen Nelson <stephen@eccostudio.com>, 760733@bugs.debian.org, Raphael Hertzog <hertzog@debian.org>

Cc: Debian Java <debian-java@lists.debian.org>, team@security.debian.org

Subject: Re: Bug#760733: libspring-java: CVE-2014-0225

Date: Wed, 26 Nov 2014 12:40:37 +0100

I've been investigating this issue as well. I contacted an upstream
developer and it seems the actual fix for this issue is unknown. The
version 3.2.0 was just reported as not vulnerable by the security
researched who discovered this issue.

I can prepare an upgrade to the latest 3.2.x version but this will at
least require libhibernate-validator-java to be unblocked as well.

Emmanuel Bourg

Message #35 received at 760733@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Emmanuel Bourg <ebourg@apache.org>

Cc: Stephen Nelson <stephen@eccostudio.com>, 760733@bugs.debian.org, Raphael Hertzog <hertzog@debian.org>, Debian Java <debian-java@lists.debian.org>, team@security.debian.org

Subject: Re: Bug#760733: libspring-java: CVE-2014-0225

Date: Wed, 26 Nov 2014 12:41:30 +0100

On Wed, Nov 26, 2014 at 12:40:37PM +0100, Emmanuel Bourg wrote:
> I've been investigating this issue as well. I contacted an upstream
> developer and it seems the actual fix for this issue is unknown. The
> version 3.2.0 was just reported as not vulnerable by the security
> researched who discovered this issue.
> 
> I can prepare an upgrade to the latest 3.2.x version but this will at
> least require libhibernate-validator-java to be unblocked as well.

I didn't look into the specific issue, but Red Hat Bugzilla has
references to isolated patches?

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225

Cheers,
        Moritz

Message #40 received at 760733@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: Stephen Nelson <stephen@eccostudio.com>, 760733@bugs.debian.org, Raphael Hertzog <hertzog@debian.org>, Debian Java <debian-java@lists.debian.org>, team@security.debian.org

Subject: Re: Bug#760733: libspring-java: CVE-2014-0225

Date: Wed, 26 Nov 2014 12:52:50 +0100

Le 26/11/2014 12:41, Moritz Muehlenhoff a écrit :

> I didn't look into the specific issue, but Red Hat Bugzilla has
> references to isolated patches?
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0225

I don't know why the title of the mail refers to CVE-2014-0225, but the
bug #760733 is related to CVE-2014-3578.

Message #45 received at 760733-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: 760733-close@bugs.debian.org

Subject: Bug#760733: fixed in libspring-java 3.2.12-1

Date: Wed, 03 Dec 2014 15:52:51 +0000

Source: libspring-java
Source-Version: 3.2.12-1

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 760733@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Dec 2014 16:22:55 +0100
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 3.2.12-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Closes: 732215 760733 769698
Changes:
 libspring-java (3.2.12-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release (Closes: #732215)
     - Fix CVE-2014-3578: Directory Traversal (Closes: #760733)
     - Fix CVE-2014-3625: Directory Traversal (Closes: #769698)
     - Removed the patches applied upstream
     - New build dependencies on libjoptsimple-java, libderbyclient-java,
       libhsqldb-java, libjetty8-java, libhibernate-validator-java,
       gradle-propdeps-plugin, libjackson2-databind-java, libjstl1.1-java,
       libjakarta-taglibs-standard-java
     - Depend on libgeronimo-j2ee-connector-1.5-spec-java (>= 2.0.0-2)
     - Depend on libgeronimo-commonj-spec-java (>= 1.1.1-3)
     - Depend on libitext-java (>= 2.1.7-9)
     - Depend on libvelocity-tools-java (>= 2.0-3)
   * Use XZ compression for the upstream tarball
   * Remove more jar files from the upstream tarball
   * debian/rules: Changed the get-orig-source target to call uscan
Checksums-Sha1:
 447056bc1457707711b9f6e72304a9bf0a2193d8 4758 libspring-java_3.2.12-1.dsc
 1eae28dafa54de6ed2a83a97bad495f916827e46 6020884 libspring-java_3.2.12.orig.tar.xz
 dde2413aa8700541728c83946de47f7c768abc03 19404 libspring-java_3.2.12-1.debian.tar.xz
 4acc3476a402ff8e8cb5e8d0b013a90df0ccc93a 797934 libspring-core-java_3.2.12-1_all.deb
 f8e06b666e1c37576816cf3ca2d9cb1476d26fae 553276 libspring-beans-java_3.2.12-1_all.deb
 d3a61c7325da2295611b0e2400c1bcd8576c17d0 337932 libspring-aop-java_3.2.12-1_all.deb
 2ce87e785c12eaacb266d20d7d2b7d034bfc243c 755638 libspring-context-java_3.2.12-1_all.deb
 1ef52d4bc441cc3aeb6ca022ae4a5b061e96acab 123970 libspring-context-support-java_3.2.12-1_all.deb
 932eef42c2b8017cadd549889794f16dea891c5d 561958 libspring-web-java_3.2.12-1_all.deb
 85345c3901255b2d91fc96ab3eb59319ef2fc51a 567264 libspring-web-servlet-java_3.2.12-1_all.deb
 28ba887dced67965dc1dc5eb8e5a494583dc8dd0 176484 libspring-web-portlet-java_3.2.12-1_all.deb
 c02a14a0ca61410b39be84c6cdc2f649c6c4d597 239010 libspring-test-java_3.2.12-1_all.deb
 ebbc9c37221d0cfd5dc6726498c420d24a1c898a 207590 libspring-transaction-java_3.2.12-1_all.deb
 ba468231a2857437423c08667d4aa12188c158f5 362714 libspring-jdbc-java_3.2.12-1_all.deb
 874182ba685a83a943d78addbaa50394c566409c 191552 libspring-jms-java_3.2.12-1_all.deb
 79a7f5775e60f4d0c272840985336a5d9705f323 315906 libspring-orm-java_3.2.12-1_all.deb
 08db7e518b560a8f46e96f859b8349c6278fe0ad 185118 libspring-expression-java_3.2.12-1_all.deb
 614c06d577f556e2bbeb0288ce7e57cf8018f346 77390 libspring-oxm-java_3.2.12-1_all.deb
 e21efdb8ce336aef9a317a0ff95f40327ed706c3 19234 libspring-instrument-java_3.2.12-1_all.deb
Checksums-Sha256:
 08fead26d5df8a2139d991599a2e0865474d781421633fa93657e90331f56abd 4758 libspring-java_3.2.12-1.dsc
 7d0d0bcaa49e0462ca9b6947a811e545178f6892c550fd822f94b07f83e7960c 6020884 libspring-java_3.2.12.orig.tar.xz
 c1a716bbbe3ffc71d11304d648d2a8358ed014bdea7c71262549b377460bee28 19404 libspring-java_3.2.12-1.debian.tar.xz
 6ef2056bdafb50f72d456f0935ca74120eccfabd3ee47a95b0831fa4a81b1bb8 797934 libspring-core-java_3.2.12-1_all.deb
 bc0fd95bfddf4512a10a91c477e7e238cf5f26a99de63d287e335c3bc1f8509e 553276 libspring-beans-java_3.2.12-1_all.deb
 01af65aa1ce57dde0cace15f08316b8455e398a5d4fd9c98583ddc06cad4d982 337932 libspring-aop-java_3.2.12-1_all.deb
 6bd1fab340baf9cc9b927ddf0df2a0e4df27755f60e8f32ae710e12c1f11ce27 755638 libspring-context-java_3.2.12-1_all.deb
 8ac14c54b4ccb62099b24d0f38aebb9dea1fb4e6d1ab7707f1a84103d81daf76 123970 libspring-context-support-java_3.2.12-1_all.deb
 cde10ed958079ddb06a07a30298f74ea5f84029a9bc102204f9ddad9fae9e0ba 561958 libspring-web-java_3.2.12-1_all.deb
 ed8e81dc81761c01eb163346d2953b775f76393d373675e4a94b126bb1e76c73 567264 libspring-web-servlet-java_3.2.12-1_all.deb
 c38129b78f198829f8131e3d755e3556aacee362805d0f5d71bd0dcf776db3ba 176484 libspring-web-portlet-java_3.2.12-1_all.deb
 8043227be8375ee2455339684ea31563ab86b3b3d56c40cf202a66977975f4be 239010 libspring-test-java_3.2.12-1_all.deb
 91dcb34b60441ff44ded33542338a196c5a5aa62d3153e65a9bca12be4b26686 207590 libspring-transaction-java_3.2.12-1_all.deb
 2b0e9ace781f21ec6e49f9538f428313caac5217a6e0e9bd9f5f0771205a0977 362714 libspring-jdbc-java_3.2.12-1_all.deb
 bb0e77581067c314f710b4573a2071ae5f9c02036d41c4168e7dbf1b6e461ae1 191552 libspring-jms-java_3.2.12-1_all.deb
 d4f2d58d7eed8a69ad1c2dbfdcf5be7b630727d759e8d428f549c8be4874ba19 315906 libspring-orm-java_3.2.12-1_all.deb
 f06a83c889c2ff2865d4dd02fdeec8ee81c3317278667c3c16a1633d7d74c61e 185118 libspring-expression-java_3.2.12-1_all.deb
 61e5749971c19a0e53660c0b7a97bcd8fd5487be9755210536b7e06db08f48ed 77390 libspring-oxm-java_3.2.12-1_all.deb
 3a1275102fea0828421004112c367c8e64265d882c5af54929de5e2150be5292 19234 libspring-instrument-java_3.2.12-1_all.deb
Files:
 6b2f2c05b1ded3d990412fcd5f9ad52e 4758 java extra libspring-java_3.2.12-1.dsc
 7b4727846e434bd4232c18729d4655a9 6020884 java extra libspring-java_3.2.12.orig.tar.xz
 91b34aa68cdc1666583407fb371980d7 19404 java extra libspring-java_3.2.12-1.debian.tar.xz
 81fc7a36f1f2e5c99a4b1d0a10c5c08f 797934 java extra libspring-core-java_3.2.12-1_all.deb
 6bbf2a22bde966c311d0fc1bb115c73c 553276 java extra libspring-beans-java_3.2.12-1_all.deb
 2656e76e735bda6121277081177dfd33 337932 java extra libspring-aop-java_3.2.12-1_all.deb
 ae3c247277593f26c27b79365c2827d5 755638 java extra libspring-context-java_3.2.12-1_all.deb
 00843338a9329f428de2dacbf3fd75eb 123970 java extra libspring-context-support-java_3.2.12-1_all.deb
 8f67f4d21323b2073739630df226ab68 561958 java extra libspring-web-java_3.2.12-1_all.deb
 85cbc92ffef7ec4f45be8c882cb28729 567264 java extra libspring-web-servlet-java_3.2.12-1_all.deb
 a87a0f3ae1489219e7b8725faf8da353 176484 java extra libspring-web-portlet-java_3.2.12-1_all.deb
 594322ab7646f051fdbcac0a6e602f9f 239010 java extra libspring-test-java_3.2.12-1_all.deb
 453016a1e4661bffa054184c1d010169 207590 java extra libspring-transaction-java_3.2.12-1_all.deb
 b2851a81b2d9385733078af6ec2aa5fe 362714 java extra libspring-jdbc-java_3.2.12-1_all.deb
 e6bcc76210020739994b37e632961871 191552 java extra libspring-jms-java_3.2.12-1_all.deb
 9989ec7e313c29af9b2a1ba0cdecd517 315906 java extra libspring-orm-java_3.2.12-1_all.deb
 c2804c7a30ca41df66dce78f14b6a263 185118 java extra libspring-expression-java_3.2.12-1_all.deb
 ff2dcdc092a96547473a7c1b55dec80e 77390 java extra libspring-oxm-java_3.2.12-1_all.deb
 41da2204d1f92dc28680156748a5bb30 19234 java extra libspring-instrument-java_3.2.12-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUfy7jAAoJEPUTxBnkudCsCggP/0ayhje10f0ednaptSr9YYH5
Guu8IkVJQfkdV4KOTSQfZcW+H8pRrPv7Sosek+XPZ8toccoEHRoymq76ERRE2AuW
DhY27CKt4GM0VGtuhW5TPSfUsxI/IgqThv1yk/iuQkftyYFan2uEluklcIg9VYel
1mSeeRTRNrgzMHmxU1VlY/zyMLHWcDRptoElHEm+4XMLE8PF365MZDohyn7mZOYW
uqrPT7F/H2wioL1I9kpxbXuAAlGzi1rQCHYtEsgN9P1Bb4CM970LO41NdrTg77VN
QCgbAep1SOquRI7KOcFGOR56LCpChaDcyQqm3S14E+zAMlnV6MLKxiKYLeD8Aua0
7RgxubzjGTPRERiMTmXrWRvfQwQ2tjhMBSNpFDopfcaoB0aPOPzUkx2mGorw6GLT
m//4syr/Rp9vN/6UuNeqS7ctPyGMUYIqaMnvZABXNDZHdphm7qj/P4TVNErvFjqO
UdqdydyUu2XRQ3rqTd6TSwRQsLmqbM2egBFjFJqoHDbJpvckrZXW2Zp9OYTajnCu
hHUi/tqsUvca1p5wuyckWgMyD8OxX7j79jPGmXfG0XHwoIFycnjWqFPtrZ2VF7WB
45Pr4u8D58xu3JqAByb+6Qpeos2XxxcU3Nhw/a6XkXLD5sSiqC+yQNr0avsdezho
igxj1m2fktuzLdIj8QIU
=5QTe
-----END PGP SIGNATURE-----

Message #62 received at 760733-submitter@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: control@bugs.debian.org

Cc: 760733-submitter@bugs.debian.org

Subject: closing 760733

Date: Mon, 19 Oct 2015 14:42:01 +0200

close 760733 
thanks

Send a report that this bug log contains spam.