Debian Bug report logs - #895114
libspring-java: CVE-2018-1270 CVE-2018-1272
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 7 Apr 2018 07:51:01 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in version libspring-java/4.3.5-1
Fixed in version libspring-java/4.3.19-1
Done: Emmanuel Bourg <ebourg@apache.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#895114; Package src:libspring-java. (Sat, 07 Apr 2018 07:51:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 07 Apr 2018 07:51:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libspring-java
Version: 4.3.5-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,

The following vulnerabilities were published for libspring-java,
filing only one bug this time since the common set of affected
versions for the two is all 4.3 versions and older unsupported
versions.
CVE-2018-1270[0]:
| Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior
| to 4.3.15 and older unsupported versions, allow applications to expose
| STOMP over WebSocket endpoints with a simple, in-memory STOMP broker
| through the spring-messaging module. A malicious user (or attacker)
| can craft a message to the broker that can lead to a remote code
| execution attack.
CVE-2018-1272[1]:
| Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior
| to 4.3.15 and older unsupported versions, provide client-side support
| for multipart requests. When Spring MVC or Spring WebFlux server
| application (server A) receives input from a remote client, and then
| uses that input to make a multipart request to another server (server
| B), it can be exposed to an attack, where an extra multipart is
| inserted in the content of the request from server A, causing server B
| to use the wrong value for a part it expects. This could lead to
| privilege escalation, for example, if the part content represents a
| username or user roles.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1270
https://pivotal.io/security/cve-2018-1270
[1] https://security-tracker.debian.org/tracker/CVE-2018-1272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272
https://pivotal.io/security/cve-2018-1272
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
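The forwarding scenario described for CVE-2018-1272 (server A copies a client-supplied value into a multipart request for server B), as an added illustration that is not part of this bug report and is not Spring's code: a guard that uses an unpredictable boundary and refuses any part value or field name that would alter the multipart framing, plus a part counter to verify what a receiver would see. The function names new_boundary, value_breaks_framing, build_multipart and count_parts are assumptions of this example.

```python
"""Guard for server-to-server multipart forwarding (CVE-2018-1272 class).

Server A copies a client-supplied value into a multipart/form-data request
for server B. If that value can carry the boundary delimiter, server B parses
an extra part. The guard rejects such values before the body is assembled.
Illustration only; not Spring's implementation.
"""
import re
import secrets

CRLF = "\r\n"
# Field names are placed inside a quoted Content-Disposition parameter, so
# allow only characters that cannot close the quote or break the header.
NAME_OK = re.compile(r"[A-Za-z0-9_.-]+")


def new_boundary() -> str:
    """Unpredictable per-request boundary; never reused across requests."""
    return "----Guard" + secrets.token_hex(16)


def value_breaks_framing(value: str, boundary: str) -> bool:
    """True if embedding `value` as a part body would add or truncate parts."""
    return ("--" + boundary) in value


def build_multipart(fields: dict, boundary: str) -> bytes:
    """Assemble a multipart/form-data body, refusing injected delimiters."""
    chunks = []
    for name, value in fields.items():
        if not NAME_OK.fullmatch(name):
            raise ValueError(f"unsafe field name {name!r}")
        if value_breaks_framing(value, boundary):
            raise ValueError(f"part {name!r} contains the boundary delimiter")
        chunks.append(f"--{boundary}{CRLF}"
                      f'Content-Disposition: form-data; name="{name}"{CRLF}{CRLF}'
                      f"{value}{CRLF}")
    chunks.append(f"--{boundary}--{CRLF}")
    return "".join(chunks).encode()


def count_parts(body: bytes, boundary: str) -> int:
    """Number of parts a receiver would see: delimiter lines that are not
    the closing "--boundary--" marker."""
    delim = re.escape(("--" + boundary).encode()) + rb"\r\n"
    return len(re.findall(delim, body))
```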
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#895114; Package src:libspring-java. (Tue, 10 Apr 2018 06:33:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 10 Apr 2018 06:33:03 GMT)
Message #10 received at 895114@bugs.debian.org:
On Sat, Apr 07, 2018 at 09:46:13AM +0200, Salvatore Bonaccorso wrote:
> Source: libspring-java
> Version: 4.3.5-1
> Severity: grave
> Tags: security upstream fixed-upstream
>
> Hi,
>
> The following vulnerabilities were published for libspring-java,
> filling only one bug this time since the common set of affected
> versions for the two is all 4.3 versions and older unsupported
> versions.
>
> CVE-2018-1270[0]:
> | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior
> | to 4.3.15 and older unsupported versions, allow applications to expose
> | STOMP over WebSocket endpoints with a simple, in-memory STOMP broker
> | through the spring-messaging module. A malicious user (or attacker)
> | can craft a message to the broker that can lead to a remote code
> | execution attack.
For this one:
https://bugzilla.redhat.com/show_bug.cgi?id=1565307
So when trying to address CVE-2018-1270 one needs to make sure it's
not only partially fixed to not open the CVE-2018-1275 CVE.
Regards,
Salvatore
Reply sent to Emmanuel Bourg <ebourg@apache.org>: You have taken responsibility. (Fri, 05 Oct 2018 13:39:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 05 Oct 2018 13:39:03 GMT)
Message #15 received at 895114-close@bugs.debian.org:
Source: libspring-java
Source-Version: 4.3.19-1
We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 895114@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libspring-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 05 Oct 2018 14:19:52 +0200
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-messaging-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source
Version: 4.3.19-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
libspring-aop-java - modular Java/J2EE application framework - AOP
libspring-beans-java - modular Java/J2EE application framework - Beans
libspring-context-java - modular Java/J2EE application framework - Context
libspring-context-support-java - modular Java/J2EE application framework - Context Support
libspring-core-java - modular Java/J2EE application framework - Core
libspring-expression-java - modular Java/J2EE application framework - Expression language
libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
libspring-jms-java - modular Java/J2EE application framework - JMS tools
libspring-messaging-java - modular Java/J2EE application framework - Messaging tools
libspring-orm-java - modular Java/J2EE application framework - ORM tools
libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
libspring-test-java - modular Java/J2EE application framework - Test helpers
libspring-transaction-java - modular Java/J2EE application framework - transaction
libspring-web-java - modular Java/J2EE application framework - Web
libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Closes: 895114
Changes:
libspring-java (4.3.19-1) unstable; urgency=medium
.
* Team upload.
* New upstream release
- Fixes CVE-2018-1270, CVE-2018-1272 and CVE-2018-1275 (Closes: #895114)
- Refreshed the patches
- Updated the Maven rules
* Fixed the compatibility with the version of SnakeYAML in Debian
* Replaced debian/orig-tar.sh with the File-Excluded field in debian/copyright
* Standards-Version updated to 4.2.1
* Use salsa.debian.org Vcs-* URLs
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:28:25 2019