Your message dated Fri, 05 Oct 2018 13:37:28 +0000
with message-id <e1g8qik-0006af...@fasolo.debian.org>
and subject line Bug#895114: fixed in libspring-java 4.3.19-1
has caused the Debian Bug report #895114,
regarding libspring-java: CVE-2018-1270 CVE-2018-1272
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895114: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libspring-java
Version: 4.3.5-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

The following vulnerabilities were published for libspring-java,
filing only one bug this time since the common set of affected
versions for the two is all 4.3 versions and older unsupported
versions.

CVE-2018-1270[0]:
| Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior
| to 4.3.15 and older unsupported versions, allow applications to expose
| STOMP over WebSocket endpoints with a simple, in-memory STOMP broker
| through the spring-messaging module. A malicious user (or attacker)
| can craft a message to the broker that can lead to a remote code
| execution attack.

CVE-2018-1272[1]:
| Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior
| to 4.3.15 and older unsupported versions, provide client-side support
| for multipart requests. When Spring MVC or Spring WebFlux server
| application (server A) receives input from a remote client, and then
| uses that input to make a multipart request to another server (server
| B), it can be exposed to an attack, where an extra multipart is
| inserted in the content of the request from server A, causing server B
| to use the wrong value for a part it expects. This could lead to
| privilege escalation, for example, if the part content represents a
| username or user roles.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1270
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1270
    https://pivotal.io/security/cve-2018-1270
[1] https://security-tracker.debian.org/tracker/CVE-2018-1272
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272
    https://pivotal.io/security/cve-2018-1272

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libspring-java
Source-Version: 4.3.19-1

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Oct 2018 14:19:52 +0200
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-messaging-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source
Version: 4.3.19-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-messaging-java - modular Java/J2EE application framework - Messaging tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Closes: 895114
Changes:
 libspring-java (4.3.19-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2018-1270, CVE-2018-1272 and CVE-2018-1275 (Closes: #895114)
     - Refreshed the patches
     - Updated the Maven rules
   * Fixed the compatibility with the version of SnakeYAML in Debian
   * Replaced debian/orig-tar.sh with the File-Excluded field in debian/copyright
   * Standards-Version updated to 4.2.1
   * Use salsa.debian.org Vcs-* URLs
Checksums-Sha1:
 efefcae934e97bf3f1b95969ba0d848a6fdebbae 5166 libspring-java_4.3.19-1.dsc
 bbcd113e3fae293d4c0097b9826ae15d7e4db256 7194452 libspring-java_4.3.19.orig.tar.xz
 2d70b411e5d8e451ccfd7e22e025dc5b6f998786 18016 libspring-java_4.3.19-1.debian.tar.xz
 b6c631080d8a6ac99cc1c3a0e6d9278726929e38 15090 libspring-java_4.3.19-1_source.buildinfo
Checksums-Sha256:
 69b5f3007f98fbb36bf4b30867a9927d724717384a7fc8595466ef01242b7e21 5166 libspring-java_4.3.19-1.dsc
 1000c7ac8fc57addbf99318543b59321dc3effa936918d0b0f6dda417be1ef59 7194452 libspring-java_4.3.19.orig.tar.xz
 c55efbcd99c1ea201bca7d92b79819a4af4a6733c2a0076cf6f9617123422e65 18016 libspring-java_4.3.19-1.debian.tar.xz
 beb9f9a123eebb3f1b62b832940a227043352549e63646d0b2a9636a77bd8c34 15090 libspring-java_4.3.19-1_source.buildinfo
Files:
 e4b2ee00db932fc679fe322e1b63cf49 5166 java optional libspring-java_4.3.19-1.dsc
 e2009b412ca41a8da348b22a0f1019b8 7194452 java optional libspring-java_4.3.19.orig.tar.xz
 64d817e7bd04f37708d1fa4e99f0d32f 18016 java optional libspring-java_4.3.19-1.debian.tar.xz
 988b731654d239b40f34a086f38dbd22 15090 java optional libspring-java_4.3.19-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---