
Re: Security issue with libspring-java #720902



On Wed, Dec 4, 2013 at 2:08 PM, Markus Koschany <apo@gambaru.de> wrote:
> Hi all,
>
> while I was working on libjackson-json-java and Co., I saw that
> libspring-java is currently affected by a potential security
> vulnerability, an XML External Entity (XXE) Injection in the Spring
> Framework.
>
> The security advisory recommends that all users of version 3.x should
> upgrade to 3.2.4 or later which affects us.
>
> http://www.gopivotal.com/security/cve-2013-4152
>
> I think I could package a new revision for stable and unstable that only
> contains the proposed fix from upstream which looks acceptable for a
> stable security release.
>
> https://github.com/poutsma/spring-framework/commit/2843b7d2ee12e3f9c458f6f816befd21b402e3b9
>
> What do other team members and the uploaders of affected r-deps of
> libspring-java think about this issue?
>
> Regards,
>
> Markus
>

Hi Markus

I'm working on packaging the latest version of Spring framework for
Debian, but due to the change of build system and my lack of packaging
experience it's taking quite some time.

I think it would be a pragmatic solution to backport the fix into the
current codebase as it should clear the grave bug and shouldn't impact
the r-deps.

I'm working on a local branch right now so I'll be sure not to push
anything into master for the time being.

Thanks

Stephen

-- 
Stephen Nelson

T: 07595 300729
E: stephen@eccostudio.com
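As an added illustration for the XXE class of bug this thread is about (not Spring Framework code and not from either mail), the following shows how a Java XML parser is locked down so that a document carrying an external entity declaration is rejected instead of resolved. The feature URIs are the standard Xerces/SAX ones; the sample documents and the placeholder entity URI are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Factory with DOCTYPE/external entity processing switched off. Illustrative code only,
    // matching the defensive intent of the 3.2.4 fix (external entities off by default).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE declaration: without it no entity can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses untrusted XML with the hardened factory.
    // Returns true when the document is accepted, false when the parser rejects it.
    static boolean parseUntrusted(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            // Xerces throws SAXParseException as soon as a disallowed DOCTYPE is seen.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign document and one declaring an external entity
        // that points at a placeholder URI (no real file is referenced).
        String benign = "<order><id>42</id></order>";
        String withExternalEntity =
            "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>"
            + "<order><id>&ext;</id></order>";
        System.out.println("benign accepted: " + parseUntrusted(benign));
        System.out.println("external entity accepted: " + parseUntrusted(withExternalEntity));
    }
}
```

The same pattern applies to SAXParserFactory and XMLInputFactory: set the features before creating the parser, since a parser created from an unconfigured factory keeps the permissive defaults.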

