Hi all,

two new security flaws were discovered in the Spring framework and bug #735420 was filed. Both affect us. See also

http://www.gopivotal.com/security/cve-2013-6429
http://www.gopivotal.com/security/cve-2013-6430

I have created two patches based on these upstream commits:

CVE-2013-6430
=============
https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a248

CVE-2013-6429
=============
https://github.com/spring-projects/spring-framework/commit/7387cb990e35b0f1b573faf29d4f9ae183d7a5ef

The patch for CVE-2013-6430 was straightforward and the upstream commit applied without problems. The other patch required the addition of a completely new file, StreamUtils.java, and an update of the affected SourceHttpMessageConverter.java file to version 3.2.x. The current version in stable is basically no longer supported.

I am looking for feedback and a sponsor for an upload to unstable. If everything works as intended, I will open a new RT ticket for a stable-security update.

The package was uploaded to mentors. It is also available in Git.

http://mentors.debian.net/debian/pool/main/libs/libspring-java/libspring-java_3.0.6.RELEASE-11.dsc

Regards,

Markus