Debian Bug report logs - #849167
libspring-java: CVE-2016-9878
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#849167; Package src:libspring-java. (Fri, 23 Dec 2016 06:21:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 23 Dec 2016 06:21:04 GMT)
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libspring-java
Version: 4.3.4-3
Severity: important
Tags: security patch upstream
Hi,
the following vulnerability was published for libspring-java.
CVE-2016-9878[0]:
Directory Traversal in the Spring Framework ResourceServlet
Interestingly, the code in
./spring-webmvc/src/main/java/org/springframework/web/servlet/ResourceServlet.java
looks quite a bit more similar to the code fix for the 3.2.x branch.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9878
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent to Emmanuel Bourg <ebourg@apache.org>: You have taken responsibility. (Fri, 23 Dec 2016 09:09:07 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 23 Dec 2016 09:09:07 GMT)
Message #12 received at 849167-close@bugs.debian.org (full text, mbox, reply):
Source: libspring-java
Source-Version: 4.3.5-1
We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 849167@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libspring-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 23 Dec 2016 09:12:16 +0100
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-messaging-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 4.3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
libspring-aop-java - modular Java/J2EE application framework - AOP
libspring-beans-java - modular Java/J2EE application framework - Beans
libspring-context-java - modular Java/J2EE application framework - Context
libspring-context-support-java - modular Java/J2EE application framework - Context Support
libspring-core-java - modular Java/J2EE application framework - Core
libspring-expression-java - modular Java/J2EE application framework - Expression language
libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
libspring-jms-java - modular Java/J2EE application framework - JMS tools
libspring-messaging-java - modular Java/J2EE application framework - Messaging tools
libspring-orm-java - modular Java/J2EE application framework - ORM tools
libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
libspring-test-java - modular Java/J2EE application framework - Test helpers
libspring-transaction-java - modular Java/J2EE application framework - transaction
libspring-web-java - modular Java/J2EE application framework - Web
libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Closes: 849167
Changes:
libspring-java (4.3.5-1) unstable; urgency=medium
.
* Team upload.
* New upstream release
- Fixes CVE-2016-9878: Directory Traversal in ResourceServlet
(Closes: #849167)
- Refreshed the patches
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Jan 2017 07:33:47 GMT)
Last modified: Wed Jun 19 13:47:35 2019