[Git][security-tracker-team/security-tracker][master] CVE-2018-1199,CVE-2018-1257,CVE-2018-1272,CVE-2020-5421/libspring-java: stretch ignored

Sylvain Beucler beuc at debian.org
Thu Apr 22 15:43:52 BST 2021



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4a60b526 by Sylvain Beucler at 2021-04-22T16:38:04+02:00
CVE-2018-1199,CVE-2018-1257,CVE-2018-1272,CVE-2020-5421/libspring-java: stretch ignored

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -93325,8 +93325,9 @@ CVE-2020-5422 (BOSH System Metrics Server releases prior to 0.1.0 exposed the UA
 CVE-2020-5421 (In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5. ...)
 	- libspring-java 4.3.30-1 (bug #973381)
 	[buster] - libspring-java <no-dsa> (Minor issue)
-	[stretch] - libspring-java <no-dsa> (Minor issue)
+	[stretch] - libspring-java <ignored> (Minor issue, no known patch)
 	NOTE: https://tanzu.vmware.com/security/cve-2020-5421
+	NOTE: https://github.com/spring-projects/spring-framework/issues/26821 (patch unidentifiable)
 CVE-2020-5420 (Cloud Foundry Routing (Gorouter) versions prior to 0.206.0 allow a mal ...)
 	NOT-FOR-US: Cloud Foundry
 CVE-2020-5419 (RabbitMQ versions 3.8.x prior to 3.8.7 are prone to a Windows-specific ...)
@@ -215324,10 +215325,11 @@ CVE-2018-1273 (Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.
 	NOT-FOR-US: Spring Data Commons
 CVE-2018-1272 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior t ...)
 	- libspring-java 4.3.19-1 (bug #895114)
-	[stretch] - libspring-java <no-dsa> (Minor issue)
+	[stretch] - libspring-java <ignored> (Minor issue, no known patch)
 	[jessie] - libspring-java <no-dsa> (Minor issue)
 	[wheezy] - libspring-java <no-dsa> (Minor issue)
 	NOTE: https://pivotal.io/security/cve-2018-1272
+	NOTE: https://github.com/spring-projects/spring-framework/issues/26821 (patch unidentifiable)
 CVE-2018-1271 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior t ...)
 	- libspring-java <not-affected> (Issue specific when served from a file system on Windows)
 	NOTE: https://pivotal.io/security/cve-2018-1271
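Review bot: Only the [stretch] line for CVE-2018-1272 moves to <ignored>, while the [jessie] and [wheezy] lines directly below it keep "<no-dsa> (Minor issue)". If the blocker is that the patch cannot be identified in spring-framework issue 26821, that reason is not specific to stretch. Either give the older suites the same annotation or say in the commit message why they are left as they are.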
@@ -215368,10 +215370,11 @@ CVE-2018-1258 (Spring Framework version 5.0.5 when used in combination with any
 	NOTE: https://pivotal.io/security/cve-2018-1258
 CVE-2018-1257 (Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior  ...)
 	- libspring-java 4.3.19-1
-	[stretch] - libspring-java <no-dsa> (Minor issue)
+	[stretch] - libspring-java <ignored> (Minor issue, no known patch)
 	[jessie] - libspring-java <not-affected> (Vulnerable code introduced later)
 	NOTE: https://pivotal.io/security/cve-2018-1257
 	NOTE: websocket introduced in v4 https://github.com/spring-projects/spring-framework/commit/4e67f809fbc1957e40fc787686b63254eaa8d7fa
+       NOTE: https://github.com/spring-projects/spring-framework/issues/26821 (patch unidentifiable)
 CVE-2018-1256 (Spring Cloud SSO Connector, version 2.1.2, contains a regression which ...)
 	NOT-FOR-US: Spring Cloud SSO Connector
 CVE-2018-1255 (RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0  ...)
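Review bot: The added NOTE line for CVE-2018-1257 ("NOTE: https://github.com/spring-projects/spring-framework/issues/26821 (patch unidentifiable)") is indented with a run of spaces, whereas every other annotation line in this hunk and in the other three hunks is indented with a single tab. Replace the leading spaces with one tab so the entry matches the rest of data/CVE/list and is not treated differently by tooling that parses the file.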
@@ -215488,13 +215491,14 @@ CVE-2018-1200 (Apps Manager for PCF (Pivotal Application Service 1.11.x before 1
 	NOT-FOR-US: Pivotal
 CVE-2018-1199 (Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2. ...)
 	- libspring-java 4.3.14-1 (bug #890001)
-	[stretch] - libspring-java <no-dsa> (Minor issue)
-	[wheezy] - libspring-java <ignored> (Too intrusive to fix by upgrade)
+	[stretch] - libspring-java <ignored> (Minor issue, no known patch for spring-framework)
 	[jessie] - libspring-java <no-dsa> (fix for spring-security available but not for springframework)
+	[wheezy] - libspring-java <ignored> (Too intrusive to fix by upgrade)
 	- libspring-security-2.0-java <removed>
 	- libspring-security-java <itp> (bug #582181)
 	NOTE: https://pivotal.io/security/cve-2018-1199
 	NOTE: https://github.com/spring-projects/spring-security/commit/65da28e4bf62f58fb130ba727cbbd621b44a36d1 (spring-security 4.1.5)
+	NOTE: https://github.com/spring-projects/spring-framework/issues/26821 (spring-framework patch unidentifiable)
 CVE-2018-1198 (Pivotal Cloud Cache, versions prior to 1.3.1, prints a superuser passw ...)
 	NOT-FOR-US: Pivotal Cloud Cache
 CVE-2018-1197 (In Windows Stemcells versions prior to 1200.14, apps running inside co ...)
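Review bot: In the CVE-2018-1199 entry the [wheezy] line is removed and re-added below [jessie] with identical content, a pure reordering that the commit subject ("stretch ignored") does not mention and that makes the status change harder to spot in the diff. Suggest either noting the reorder in the commit message or doing it in a separate commit. The reason text here also differs from the other three entries ("no known patch for spring-framework" against "no known patch"); the extra qualifier is useful given that the spring-security fix is listed in the NOTE above, so keep it but consider the same "patch unidentifiable" wording throughout for easier grepping.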



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a60b526842c879c651723ffc23a57412b4798ef
