[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security issue with libspring-java #720902

On Wed, Dec 4, 2013 at 2:08 PM, Markus Koschany <apo@gambaru.de> wrote:
> Hi all,
> while I was working on libjackson-json-java and Co., I saw that
> libspring-java is currently affected by a potential security
> vulnerability, a XML External Entity (XXE) Injection in the Spring
> Framework.
> The security advisory recommends that all users of version 3.x should
> upgrade to 3.2.4 or later which affects us.
> http://www.gopivotal.com/security/cve-2013-4152
> I think I could package a new revision for stable and unstable that only
> contains the proposed fix from upstream which looks acceptable for a
> stable security release.
> https://github.com/poutsma/spring-framework/commit/2843b7d2ee12e3f9c458f6f816befd21b402e3b9
> What do other team members and the uploaders of affected r-deps of
> libspring-java think about this issue?
> Regards,
> Markus

Hi Markus

I'm working on packaging the latest version of Spring framework for
Debian, but due to the change of build system and my lack of packaging
experience it's taking quite some time.

I think it would be a pragmatic solution to backport the fix into the
current codebase as it should clear the grave bug and shouldn't impact
the r-deps.

I'm working on a local branch right now so I'll be sure not to push
anything into master for the time being.



Stephen Nelson

T: 07595 300729
E: stephen@eccostudio.com

Reply to: