Debian Bug report logs - #849167
libspring-java: CVE-2016-9878

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 23 Dec 2016 06:21:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version libspring-java/4.3.4-3

Fixed in version libspring-java/4.3.5-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.

Forwarded to https://jira.spring.io/browse/SPR-14946

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#849167; Package src:libspring-java. (Fri, 23 Dec 2016 06:21:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 23 Dec 2016 06:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libspring-java: CVE-2016-9878
Date: Fri, 23 Dec 2016 07:19:04 +0100
Source: libspring-java
Version: 4.3.4-3
Severity: important
Tags: security patch upstream

Hi,

the following vulnerability was published for libspring-java.

CVE-2016-9878[0]:
Directory Traversal in the Spring Framework ResourceServlet

Interestingly, the code in
./spring-webmvc/src/main/java/org/springframework/web/servlet/ResourceServlet.java
looks rather similar to the code fix for the 3.2.x branch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9878
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9878

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Set Bug forwarded-to-address to 'https://jira.spring.io/browse/SPR-14946'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 23 Dec 2016 07:15:02 GMT)

Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Fri, 23 Dec 2016 09:09:07 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 23 Dec 2016 09:09:07 GMT)

Message #12 received at 849167-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 849167-close@bugs.debian.org
Subject: Bug#849167: fixed in libspring-java 4.3.5-1
Date: Fri, 23 Dec 2016 09:06:01 +0000
Source: libspring-java
Source-Version: 4.3.5-1

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849167@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Fri, 23 Dec 2016 09:12:16 +0100
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-messaging-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 4.3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-messaging-java - modular Java/J2EE application framework - Messaging tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Closes: 849167
Changes:
 libspring-java (4.3.5-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2016-9878: Directory Traversal in ResourceServlet
       (Closes: #849167)
     - Refreshed the patches
Checksums-Sha1:
Checksums-Sha256:
Files:


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Jan 2017 07:33:47 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:47:35 2019; Machine Name: beach