Hi all,
I have received a reply from the security team regarding the security
issue in the spring framework. I'm forwarding the mail to this list as a
reference.
I have pushed the fix to the stable-security branch of the git
repository and also applied the same changes to master. I'm hereby
looking for a sponsor who can upload the package to stable-security and
unstable.
http://anonscm.debian.org/gitweb/?p=pkg-java/libspring-java.git
Regards,
Markus
-------- Original Message --------
Subject: Re: [rt.debian.org #4815] CVE-2013-4152 XML External Entity (XXE) injection in Spring
Date: Sun, 29 Dec 2013 12:07:15 +0000
From: Moritz Muehlenhoff via RT <rt@rt.debian.org>
Reply-To: rt@rt.debian.org
To: apo@gambaru.de
On Sat, Dec 07, 2013 at 12:07:25PM +0000, Markus Koschany via RT wrote:
> Sat Dec 07 12:07:24 2013: Request 4815 was acted upon.
> Transaction: Ticket created by apo@gambaru.de
> Queue: Security - Incoming
> Subject: CVE-2013-4152 XML External Entity (XXE) injection in Spring
> Owner: Nobody
> Requestors: apo@gambaru.de
> Status: new
> Ticket <URL: https://rt.debian.org/Ticket/Display.html?id=4815 >
>
>
> Dear security team,
>
> I have prepared a new version of libspring-java to fix CVE-2013-4152
> (#720902) by backporting the related upstream patch [1]. I'm attaching
> the debdiff against the version of libspring-java in stable. You can
> also find an updated package at mentors.debian.net for an initial
> review. [2]
Sorry for the late reply, this fell through the cracks. Please upload to
security-master.
Cheers,
Moritz