Hi all,

I have received a reply from the security team regarding the security issue in the Spring framework. I'm forwarding the mail to this list as a reference. I have pushed the fix to the stable-security branch of the git repository and also applied the same changes to master. I'm hereby looking for a sponsor who can upload the package to stable-security and unstable.

http://anonscm.debian.org/gitweb/?p=pkg-java/libspring-java.git

Regards,

Markus

-------- Original Message --------
Subject: Re: [rt.debian.org #4815] CVE-2013-4152 XML External Entity (XXE) injection in Spring
Date: Sun, 29 Dec 2013 12:07:15 +0000
From: Moritz Muehlenhoff via RT <rt@rt.debian.org>
Reply-To: rt@rt.debian.org
To: apo@gambaru.de

On Sat, Dec 07, 2013 at 12:07:25PM +0000, Markus Koschany via RT wrote:
> Sat Dec 07 12:07:24 2013: Request 4815 was acted upon.
> Transaction: Ticket created by apo@gambaru.de
>        Queue: Security - Incoming
>      Subject: CVE-2013-4152 XML External Entity (XXE) injection in Spring
>        Owner: Nobody
>   Requestors: apo@gambaru.de
>       Status: new
>  Ticket <URL: https://rt.debian.org/Ticket/Display.html?id=4815 >
>
>
> Dear security team,
>
> I have prepared a new version of libspring-java to fix CVE-2013-4152
> (#720902) by backporting the related upstream patch [1]. I'm attaching
> the debdiff against the version of libspring-java in stable. You can
> also find an updated package at mentors.debian.net for an initial
> review. [2]

Sorry for the late reply, this fell through the cracks. Please upload to security-master.

Cheers,
Moritz