
libspring-java: CVE-2014-0225



On 26 Nov 2014 10:45, "Raphael Hertzog" <hertzog@debian.org> wrote:
>
> Hello Stephen,
>
> On Mon, 08 Sep 2014, Stephen Nelson wrote:
> > > For what it's worth, CVE-2014-3578 was assigned to a directory traversal
> > > vulnerability in libspring-java
> > > ( http://www.pivotal.io/security/cve-2014-3578)
> >
> > Thanks for letting us know about this one. I've had a quick look and it
> > might be more difficult to fix given that there hasn't been a specific
> > commit made in a later version of Spring which could be backported.
> > However, I will look into this in more detail and report back to the BTS
> > for this bug.
>
> I haven't seen any followup yet. Do you still plan to do the required
> investigation?
>
> This bug is one of Jessie's remaining release critical bugs so it would
> be nice if there could be some progress. (Of course, packaging a new
> upstream version can also be considered by release team members
> if backporting is too much work)
>

I couldn't find any specifics on this vulnerability other than the upstream saying it's not present in their currently supported versions.

Therefore it looks like upgrading to 3.2.x would solve the security issue but is quite a lot of work and involves dependencies not yet packaged in Debian.

I'm happy to help but would ask the more experienced Java team members what the best course of action is here.

Cheers

Stephen
