Re: Bug#760733: libspring-java: CVE-2014-0225

To: Stephen Nelson <stephen@eccostudio.com>, 760733@bugs.debian.org, Raphael Hertzog <hertzog@debian.org>
Cc: Debian Java <debian-java@lists.debian.org>, team@security.debian.org
Subject: Re: Bug#760733: libspring-java: CVE-2014-0225
From: Emmanuel Bourg <ebourg@apache.org>
Date: Wed, 26 Nov 2014 12:40:37 +0100
Message-id: <[🔎] 5475BC35.5030905@apache.org>
In-reply-to: <[🔎] CAHpHs3=0C4U3zP0YBFM7aELrd4bT3hOTv7yc8tDeT8dPJsA8kQ@mail.gmail.com>
References: <20140702083655.25937.97806.reportbug@m25s06.vlinux.de> <540B2D40.3040900@debian.org> <20140906183635.GB3611@eldamar.local> <540BE159.1050709@debian.org> <1410089648.29048.22.camel@debian.org> <CAHpHs3nYWSDWHfN=UR629wKCA6Ok02FOQvrQmnF7Kixc7V6hAA@mail.gmail.com> <20141126104558.GA4037@home.ouaza.com> <[🔎] CAHpHs3=0C4U3zP0YBFM7aELrd4bT3hOTv7yc8tDeT8dPJsA8kQ@mail.gmail.com>

I've been investigating this issue as well. I contacted an upstream
developer and it seems the actual fix for this issue is unknown. The
version 3.2.0 was just reported as not vulnerable by the security
researched who discovered this issue.

I can prepare an upgrade to the latest 3.2.x version but this will at
least require libhibernate-validator-java to be unblocked as well.

Emmanuel Bourg

Reply to:

Follow-Ups:
- Re: Bug#760733: libspring-java: CVE-2014-0225
  - From: Moritz Muehlenhoff <jmm@inutil.org>

References:
- libspring-java: CVE-2014-0225
  - From: Stephen Nelson <stephen@eccostudio.com>

Prev by Date: libspring-java: CVE-2014-0225
Next by Date: Re: Bug#760733: libspring-java: CVE-2014-0225
Previous by thread: libspring-java: CVE-2014-0225
Next by thread: Re: Bug#760733: libspring-java: CVE-2014-0225
Index(es):
- Date
- Thread