On Sun, Dec 07, 2014 at 03:56:33PM +0100, Emmanuel Bourg wrote:
> Please unblock package libspring-java. This package is affected by two
> security issues: CVE-2014-3578 (#760733) and CVE-2014-3625 (#769698).
> The fix for CVE-2014-3578 is unknown and can't be backported, the only
> solution left to address this issue is to package a more recent version.
> libspring-java 3.2.12 will also require libhibernate-validator-java to
> be unblocked (#771772).
On Wed, Dec 17, 2014 at 09:13:39PM +0100, Emmanuel Bourg wrote:
> On 17/12/2014 21:10, Jonathan Wiltshire wrote:
>
> > Can you make targeted bug fixes instead?
>
> I can't unfortunately, the actual fix is unknown.

Ok, I did some digging.

CVE-2014-3578 seems to be unknown to some sources including NVD. Considering they are both meant to be directory traversal, I would guess it was a duplicate assignment; let's ignore it for now.

That leaves CVE-2014-3628. NVD links it to upstream issue SPR-12354, and the description matches. From the release notes for 3.2.12, the issue is mentioned as fixed, which matches the NVD description. The date is 11th November.

In the git history for branch 3.2.x, commit 9cef8e3001ddd61c734281a7556efd84b6cc2755 dated 11th November describes the issue and fixes, and contains the relevant issue number. There is a bugfix follow-up on 18th November, commit 379d2e6da0cf4e1d8009111920b7df8e40496e1f, also mentioning the same issue number.

It must be at least reasonably straightforward to backport to the Jessie package. Is that enough information to be going on with?

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51