Bug#753470: libspring-java: CVE-2014-0225

tony mancill tmancill at debian.org
Sun Sep 7 04:38:49 UTC 2014


On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> Hi Tony,
> 
> On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
>> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm at inutil.org>
>> wrote:
>>> Package: libspring-java
>>> Severity: grave
>>> Tags: security
>>> Justification: user security hole
>>>
>>> Hi,
>>> please see http://www.gopivotal.com/security/cve-2014-0225
>>
>> Hello,
>>
>> I have uploaded a patched version (thanks Stephen!) to unstable and
>> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
>> the debdiff for the .dsc and .changes is attached.  (It is essentially
>> identical to the debdiff for unstable.)  I also placed the source and
>> binary packages for the wheezy update here:
>>
>>   https://people.debian.org/~tmancill/libspring-java_wheezy/
>>
>> for Security Team review.
> 
> AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> concur on this classification or is there something we missed? If so,
> could you contact the stable release managers to have an update through
> stable proposed updates?

Hi Salvatore,

No, I'm not aware of anything that has been missed.  I was just trying
to be proactive about creating a package.  If any user needs to build
for wheezy, the patch is available in the BTS.

Thank you for the information,
tony

