Bug#760733: libspring-java: CVE-2014-0225
Yves-Alexis Perez
corsac at debian.org
Sun Sep 7 11:34:08 UTC 2014
On sam., 2014-09-06 at 21:38 -0700, tony mancill wrote:
> On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> > Hi Tony,
> >
> > On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> >> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <jmm at inutil.org>
> >> wrote:
> >>> Package: libspring-java
> >>> Severity: grave
> >>> Tags: security
> >>> Justification: user security hole
> >>>
> >>> Hi,
> >>> please see http://www.gopivotal.com/security/cve-2014-0225
> >>
> >> Hello,
> >>
> >> I have uploaded a a patched version (thanks Stephen!) to unstable and
> >> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
> >> the debdiff for the .dsc and .changes is attached. (It is essentially
> >> identical to the debdiff for unstable.) I also placed the source and
> >> binary packages for the wheezy update here:
> >>
> >> https://people.debian.org/~tmancill/libspring-java_wheezy/
> >>
> >> for Security Team review.
> >
> > AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> > concur on this classification or is there something we missed? If so,
> > could you contact the stable release managers to have an update trough
> > stable proposed updates?
>
> Hi Salvatore,
>
> No, I'm not aware of anything that has been missed. I was just trying
> to be proactive about creating a package. If any user needs to build
> for wheezy, the patch is available in the BTS.
>
> Thank you for the information,
> tony
For what it's worth, CVE-2014-3578 was assigned to a directory traversal
vulnerability in libspring-java
( http://www.pivotal.io/security/cve-2014-3578)
I think it's no-dsa too, but both can be fixed in a point release.
Regards,
--
Yves-Alexis Perez - Debian Security
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20140907/bf55dc6d/attachment-0002.sig>
More information about the pkg-java-maintainers
mailing list