Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libspring-java. This package is affected by two
security issues: CVE-2014-3578 (#760733) and CVE-2014-3625 (#769698).
The fix for CVE-2014-3578 is unknown and can't be backported, the only
solution left to address this issue is to package a more recent version.
libspring-java 3.2.12 will also require libhibernate-validator-java to
be unblocked (#771772).

Compared to version 3.0.x, the build system was switched from Maven
to Gradle and the source layout has been reorganized. This results in a
debdiff that is impossible to review (70M uncompressed, 1.7M lines), so
I'm just attaching the debdiff for the debian directory.

Fortunately, compatibility is excellent: only one package had to be
updated (libspring-webflow-2.0-java, already unblocked). The following
reverse dependencies build fine in a clean chroot:

acegi-security
activemq
guice
jasperreports
jasypt
jenkins
libopensaml2-java
libopenws-java
libshib-common-java
libspring-ldap-java
libspring-security-2.0-java
libspring-webflow-2.0-java
libxbean-java
mina
mina2
mule
openid4java
osmosis
red5
shiro
tiles
uima-as

I'm sorry to push such a big update during the freeze, but that's the
best I can do to address these issues. Also note that Spring 3.2 is
still supported upstream, so this update will greatly help with
future security issues during the Jessie lifecycle.

Thank you

unblock libspring-java/3.2.12-1

Attachment: libspring-java_3.0.6_to_3.2.12.debian.debdiff.gz
Description: application/gzip

Attachment: signature.asc
Description: OpenPGP digital signature
