On Fri, Dec 19, 2014 at 02:12:31AM +0100, Emmanuel Bourg wrote:
> On 19/12/2014 01:00, Jonathan Wiltshire wrote:
>
>> Ok, I did some digging. CVE-2014-3578 seems to be unknown to some sources
>> including NVD. Considering they are both meant to be directory traversal,
>> I would guess it was a duplicate assignment; let's ignore it for now.
>>
>> That leaves CVE-2014-3628. NVD links it to upstream issue SPR-12354, and
>> the description matches. From the release notes for 3.2.12, the issue is
>> mentioned as fixed, which matches the NVD description. The date is 11th
>> November.
>>
>> In the git history for branch 3.2.x commit
>> 9cef8e3001ddd61c734281a7556efd84b6cc2755 dated 11th November describes the
>> issue and fixes, and contains the relevant issue number. There is a bugfix
>> follow-up on 18th November commit 379d2e6da0cf4e1d8009111920b7df8e40496e1f
>> also mentioning the same issue number.
>>
>> It must be at least reasonably straightforward to backport to the Jessie
>> package.
>>
>> Is that enough information to be going on with?
>
> Thank you for double checking Jonathan. I could attempt to backport the
> two commits addressing CVE-2014-3625, but I'm not sure to be able to
> test if they are applied properly and fully fix the issue.
>
> The most bothering issue here is CVE-2014-3578. I don't think it could
> be a duplication since the affected versions do not match (CVE-2014-3578
> was said to be fixed in at least Spring 3.2.9 but CVE-2014-3625 was only
> fixed in the version 3.2.12 with the commits you pointed out). Only the
> reporter of these issues could tell I guess, but I haven't been able to
> find his email.
>
> Another point worth considering is the fact that Spring 3.0.x is no
> longer supported upstream. The 3.2.x branch still receives security
> updates and it would be wise to align on that if we want to support
> properly this package for the lifetime of Jessie.

Well, we seem to be at an impasse.
I certainly can't review a diff of this size. Out of our usual other options,
it sounds like you can't isolate targeted fixes, and removal would impact a
large number of dependent packages. Do you have any other suggestions?

(I must confess to being a bit disappointed that if 3.0.x is no longer
supported upstream, some sort of 3.2 package didn't get uploaded until two
days before the freeze started. Even 3.2.5 was released over a year ago now.)

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51