On Sun, Sep 7, 2014 at 12:34 PM, Yves-Alexis Perez <cor...@debian.org> wrote:
> On sam., 2014-09-06 at 21:38 -0700, tony mancill wrote:
> > On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> > > Hi Tony,
> > >
> > > On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> > >> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <j...@inutil.org>
> > >> wrote:
> > >>> Package: libspring-java
> > >>> Severity: grave
> > >>> Tags: security
> > >>> Justification: user security hole
> > >>>
> > >>> Hi,
> > >>> please see http://www.gopivotal.com/security/cve-2014-0225
> > >>
> > >> Hello,
> > >>
> > >> I have uploaded a patched version (thanks Stephen!) to unstable and
> > >> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
> > >> the debdiff for the .dsc and .changes is attached. (It is essentially
> > >> identical to the debdiff for unstable.) I also placed the source and
> > >> binary packages for the wheezy update here:
> > >>
> > >> https://people.debian.org/~tmancill/libspring-java_wheezy/
> > >>
> > >> for Security Team review.
> > >
> > > Thanks for packaging the fix Tony.
> > > AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> > > concur on this classification or is there something we missed? If so,
> > > could you contact the stable release managers to have an update through
> > > stable proposed updates?
> >
> > Hi Salvatore,
> >
> > No, I'm not aware of anything that has been missed. I was just trying
> > to be proactive about creating a package. If any user needs to build
> > for wheezy, the patch is available in the BTS.
> >
> > Thank you for the information,
> > tony
>
> For what it's worth, CVE-2014-3578 was assigned to a directory traversal
> vulnerability in libspring-java
> (http://www.pivotal.io/security/cve-2014-3578)
>

Thanks for letting us know about this one. I've had a quick look and it
might be more difficult to fix given that there hasn't been a specific
commit made in a later version of Spring which could be backported.
However, I will look into this in more detail and report back to the BTS
for this bug. I think it's no-dsa too, but both can be fixed in a point
release.

> Regards,
> --
> Yves-Alexis Perez - Debian Security
>

Cheers,
Stephen Nelson