Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libspring-java.

This package is affected by two security issues: CVE-2014-3578 (#760733) and CVE-2014-3625 (#769698). The fix for CVE-2014-3578 is unknown and can't be backported; the only solution left to address this issue is to package a more recent version.

libspring-java 3.2.12 will also require libhibernate-validator-java to be unblocked (#771772).

Compared to the version 3.0.x, the build system was switched from Maven to Gradle and the source layout has been reorganized. This results in a debdiff impossible to review (70M uncompressed, 1.7M lines), so I'm just attaching the debdiff for the debian directory.

Fortunately the compatibility is excellent; only one package had to be updated (libspring-webflow-2.0-java, already unblocked). The following reverse dependencies build fine in a clean chroot:

  acegi-security activemq guice jasperreports jasypt jenkins
  libopensaml2-java libopenws-java libshib-common-java
  libspring-ldap-java libspring-security-2.0-java
  libspring-webflow-2.0-java libxbean-java mina mina2 mule
  openid4java osmosis red5 shiro tiles uima-as

I'm sorry to push such a big update during the freeze, but that's the best I can do to address these issues. Also note that Spring 3.2 is still supported upstream, so this update will greatly help with the future security issues during the Jessie lifecycle.

Thank you

unblock libspring-java/3.2.12-1

libspring-java_3.0.6_to_3.2.12.debian.debdiff.gz
Description: application/gzip