On Wed, Dec 4, 2013 at 2:08 PM, Markus Koschany <a...@gambaru.de> wrote:
> Hi all,
>
> while I was working on libjackson-json-java and Co., I saw that
> libspring-java is currently affected by a potential security
> vulnerability, an XML External Entity (XXE) Injection in the Spring
> Framework.
>
> The security advisory recommends that all users of version 3.x should
> upgrade to 3.2.4 or later, which affects us.
>
> http://www.gopivotal.com/security/cve-2013-4152
>
> I think I could package a new revision for stable and unstable that only
> contains the proposed fix from upstream, which looks acceptable for a
> stable security release.
>
> https://github.com/poutsma/spring-framework/commit/2843b7d2ee12e3f9c458f6f816befd21b402e3b9
>
> What do other team members and the uploaders of affected r-deps of
> libspring-java think about this issue?
>
> Regards,
>
> Markus
Hi Markus,

I'm working on packaging the latest version of Spring Framework for Debian, but due to the change of build system and my lack of packaging experience it's taking quite some time. I think it would be a pragmatic solution to backport the fix into the current codebase, as it should clear the grave bug and shouldn't impact the r-deps.

I'm working on a local branch right now, so I'll be sure not to push anything into master for the time being.

Thanks

Stephen

-- 
Stephen Nelson
T: 07595 300729
E: step...@eccostudio.com

Archive: http://lists.debian.org/CAHpHs3=clnvnjpe8wgdtbr64qri3hgdoatsas_540qb5v1+...@mail.gmail.com
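For readers who want to see the class of bug the advisory describes, here is an added, stand-alone JAXP example; it is not taken from the Spring commit linked above or from the Debian package, and it does not reproduce Spring's own change. The payload, the temporary "secret" file and the helper names (payload, permissiveFactory, hardenedFactory, parseName) are constructed for the demonstration. It parses the same document twice: once with default DocumentBuilderFactory settings, which resolve the external entity and inline a file from disk into the result, and once with DOCTYPE processing and external entity resolution switched off, which rejects the document.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload: a DOCTYPE declaring an external general entity that
    // points at a file on the server. A permissive parser inlines the file's
    // contents wherever &xxe; appears, here inside <name>.
    static String payload(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE user [ <!ENTITY xxe SYSTEM \"" + fileUri + "\"> ]>\n"
             + "<user><name>&xxe;</name></user>";
    }

    // Default JAXP settings: DTDs are processed and external entities are
    // resolved, so the payload reads the file. This is the vulnerable side.
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened settings: reject any DOCTYPE outright, and additionally switch
    // off external entity resolution and external DTD loading so that a
    // deployment which must accept a DOCTYPE (and drops the first line) still
    // cannot be made to fetch external content.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document and returns the text of <name>, i.e. whatever the
    // entity reference expanded to.
    static String parseName(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder builder = f.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive file on the server, written by the demo
        // itself so it runs anywhere without touching real system files.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "secret-from-disk".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret.toUri().toString());

        try {
            // Vulnerable: prints the file contents that the entity pulled in.
            System.out.println("permissive parser: name = \""
                    + parseName(permissiveFactory(), xml) + "\"");

            // Hardened: the DOCTYPE itself is refused before any entity is touched.
            try {
                parseName(hardenedFactory(), xml);
                System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
            } catch (SAXParseException e) {
                System.out.println("hardened parser: rejected -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`; no dependencies beyond the JDK. The same switches exist on SAXParserFactory, and for StAX-based code the equivalent is setting `XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` to `false` on the factory before creating readers. When reviewing a backport like the one proposed in this thread, the practical check is to run a payload of this shape through each XML entry point the package actually ships (message converters, OXM unmarshallers, any place that builds a parser from a factory) and confirm the entity is no longer resolved, rather than relying on the upstream diff applying cleanly.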