CVE-2015-3192


Debian Bug report logs - #796137
CVE-2015-3192


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 19 Aug 2015 19:09:02 UTC

Severity: important

Tags: security

Found in version libspring-java/3.2.13-2

Fixed in version libspring-java/4.1.9-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#796137; Package src:libspring-java. (Wed, 19 Aug 2015 19:09:06 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 19 Aug 2015 19:09:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-3192
Date: Wed, 19 Aug 2015 21:05:56 +0200
Source: libspring-java
Severity: important
Tags: security

Please see https://pivotal.io/security/cve-2015-3192

Cheers,
        Moritz



Marked as found in versions libspring-java/3.2.13-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Aug 2015 21:03:10 GMT).


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Tue, 31 May 2016 07:03:10 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 31 May 2016 07:03:10 GMT).


Message #12 received at 796137-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 796137-close@bugs.debian.org
Subject: Bug#796137: fixed in libspring-java 4.1.9-1
Date: Tue, 31 May 2016 07:00:39 +0000
Source: libspring-java
Source-Version: 4.1.9-1

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 796137@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 30 May 2016 21:14:36 +0200
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-messaging-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 4.1.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-messaging-java - modular Java/J2EE application framework - Messaging tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Closes: 796137
Changes:
 libspring-java (4.1.9-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2015-3192: DoS Attack with XML Input (Closes: #796137)
     - Refreshed the patches
     - Updated the Maven poms
     - New binary package for the spring-messaging module
     - Switch Spring MVC to Tiles 3 only and drop Tiles 2 support
     - Patched Spring MVC to use the older Rome API in Debian
     - Depend on libquartz2-java instead of libquartz-java
     - New suggested dependency on libyaml-snake-java for libspring-beans-java
     - New suggested dependencies on libnetty-java, libprotobuf-java-format-java,
       libprotobuf-java, libjackson2-dataformat-xml-java for libspring-web-java
     - Ignore the non-free JSONassert dependency
     - Depend on libjetty9-extra-java instead of libjetty9-java




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Jul 2016 07:35:35 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:33:31 2019; Machine Name: buxtehude
