Bug#753470: libspring-java: CVE-2014-0225

Salvatore Bonaccorso carnil at debian.org
Sat Sep 6 18:36:35 UTC 2014


Hi Tony,

On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm at inutil.org>
> wrote:
> > Package: libspring-java
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Hi,
> > please see http://www.gopivotal.com/security/cve-2014-0225
> 
> Hello,
> 
> I have uploaded a patched version (thanks Stephen!) to unstable and
> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
> the debdiff for the .dsc and .changes is attached.  (It is essentially
> identical to the debdiff for unstable.)  I also placed the source and
> binary packages for the wheezy update here:
> 
>   https://people.debian.org/~tmancill/libspring-java_wheezy/
> 
> for Security Team review.

AFAICS at the time (at least), this CVE was marked no-dsa. Do you
concur on this classification or is there something we missed? If so,
could you contact the stable release managers to have an update through
stable proposed updates?

Regards,
Salvatore


