
Bug#772468: unblock: (pre-approval) libspring-java/3.2.12-1



On 19/12/2014 01:00, Jonathan Wiltshire wrote:

> Ok, I did some digging. CVE-2014-3578 seems to be unknown to some sources
> including NVD. Considering they are both meant to be directory traversal,
> I would guess it was a duplicate assignment; let's ignore it for now.
> 
> That leaves CVE-2014-3628. NVD links it to upstream issue SPR-12354, and
> the description matches. From the release notes for 3.2.12, the issue is
> mentioned as fixed, which matches the NVD description. The date is 11th
> November.
> 
> In the git history for branch 3.2.x commit
> 9cef8e3001ddd61c734281a7556efd84b6cc2755 dated 11th November describes the
> issue and fixes, and contains the relevant issue number. There is a bugfix
> follow-up on 18th November commit 379d2e6da0cf4e1d8009111920b7df8e40496e1f
> also mentioning the same issue number.
> 
> It must be at least reasonably straightforward to backport to the Jessie
> package.
> 
> Is that enough information to be going on with?

Thank you for double-checking, Jonathan. I could attempt to backport the
two commits addressing CVE-2014-3625, but I'm not sure I'll be able to
test whether they apply properly and fully fix the issue.

The most bothersome issue here is CVE-2014-3578. I don't think it could
be a duplicate, since the affected versions do not match (CVE-2014-3578
was said to be fixed in at least Spring 3.2.9, but CVE-2014-3625 was only
fixed in version 3.2.12 with the commits you pointed out). Only the
reporter of these issues could tell, I guess, but I haven't been able to
find his email.

Another point worth considering is the fact that Spring 3.0.x is no
longer supported upstream. The 3.2.x branch still receives security
updates, and it would be wise to align with that if we want to support
this package properly for the lifetime of Jessie.

Emmanuel Bourg
