
Accepted libspring-java 4.3.5-1+deb9u1 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Apr 2021 17:07:11 +0200
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-messaging-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source
Version: 4.3.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-messaging-java - modular Java/J2EE application framework - Messaging tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Changes:
 libspring-java (4.3.5-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the ELTS Security Team.
   * CVE-2018-1270/CVE-2018-1275: Spring Framework allows applications to
     expose STOMP over WebSocket endpoints with a simple, in-memory STOMP
     broker through the spring-messaging module. A malicious user (or
     attacker) can craft a message to the broker that can lead to a remote
     code execution attack.
   * CVE-2018-11039: Spring Framework allows web applications to change the
     HTTP request method to any HTTP method (including TRACE) using the
     HiddenHttpMethodFilter in Spring MVC. If an application has a
     pre-existing XSS vulnerability, a malicious user (or attacker) can use
     this filter to escalate to an XST (Cross Site Tracing) attack.
   * CVE-2018-11040: Spring Framework allows web applications to enable
     cross-domain requests via JSONP (JSON with Padding) through
     AbstractJsonpResponseBodyAdvice for REST controllers and
     MappingJackson2JsonView for browser requests. Both are not enabled by
     default in Spring Framework nor Spring Boot, however, when
     MappingJackson2JsonView is configured in an application, JSONP support
     is automatically ready to use through the "jsonp" and "callback" JSONP
     parameters, enabling cross-domain requests.
   * CVE-2018-15756: Spring Framework provides support for range requests
     when serving static resources through the ResourceHttpRequestHandler,
     or starting in 5.0 when an annotated controller returns an
     org.springframework.core.io.Resource. A malicious user (or attacker)
     can add a range header with a high number of ranges, or with wide
     ranges that overlap, or both, for a denial of service attack.
Checksums-Sha1:
 2366735adb185a8ad8ebb0a182e0a88fa1c35a19 5249 libspring-java_4.3.5-1+deb9u1.dsc
 1fe50d2dfae0e92c74844d8695be170f6275fdcc 7051404 libspring-java_4.3.5.orig.tar.xz
 ddbbcab10ac6d35ae37a78a25e5f9efaacfad42a 31644 libspring-java_4.3.5-1+deb9u1.debian.tar.xz
 ca71b34149f10a1285a199d3bb033c5a924bb6c0 25707 libspring-java_4.3.5-1+deb9u1_all.buildinfo
Checksums-Sha256:
 63605b864d2e9713405885b0042684c62105b8b8b5e4be992b7d754e30bbcc85 5249 libspring-java_4.3.5-1+deb9u1.dsc
 6d20eeb070c65dce58dab9a63c8eeb23aab6d6cd644b74b634ae1ac26c3ce771 7051404 libspring-java_4.3.5.orig.tar.xz
 5bd691557b7fb5cc3916332e7f88eff6ddd934c708465c89117eec9d386dd820 31644 libspring-java_4.3.5-1+deb9u1.debian.tar.xz
 7a4428aed7b0296df5780397357a12879c23ee1ae709a738b82b27300c8970ac 25707 libspring-java_4.3.5-1+deb9u1_all.buildinfo
Files:
 b8c4e0f94581af1cacdd13835de885ef 5249 java optional libspring-java_4.3.5-1+deb9u1.dsc
 72eb85a748f151468bcacb4cf94fc58e 7051404 java optional libspring-java_4.3.5.orig.tar.xz
 6b7fd860995ccb67490883f6bc50e14b 31644 java optional libspring-java_4.3.5-1+deb9u1.debian.tar.xz
 b01ec1a8e3adfa357ca7bd02ad8e2343 25707 java optional libspring-java_4.3.5-1+deb9u1_all.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
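The following is an added example, not code from this announcement, from Debian or from the Spring Framework. It models in plain Python two of the hardening checks that the changelog above describes: bounding and cross-checking the byte ranges of a Range header (the CVE-2018-15756 class, where many ranges or a few wide overlapping ones make the server do far more work than the resource size justifies) and restricting which methods a hidden-method override parameter may produce (the CVE-2018-11039 class, where an override to TRACE enables cross-site tracing). MAX_RANGES, the 400/416 status choices, the ALLOWED_OVERRIDES set and the sample headers are this example's assumptions, not the values or inputs of the upstream fixes.

```python
"""Added example: generic versions of two hardening checks from the changelog.

Not Spring Framework code.  The constants and status choices are assumptions
made for this example, not the values the upstream fixes use.
"""
import re

# --- CVE-2018-15756 class: bounded, cross-checked byte ranges -----------------

MAX_RANGES = 100                       # assumption: cap on range-specs per request
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


class RangeRejected(ValueError):
    """Carries the HTTP status the server should answer with."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def parse_byte_ranges(header, resource_length):
    """Return [(start, end_inclusive), ...] for a 'bytes=' Range header.

    Raises RangeRejected when the header is malformed (400) or when it is
    unsatisfiable or abusive (416): too many range-specs, a start past the end
    of the resource, or regions whose total size exceeds the resource length.
    That last check is what defeats wide, overlapping or repeated ranges,
    because the server will never agree to serve more bytes than the resource holds.
    """
    if not header.lower().startswith("bytes="):
        raise RangeRejected(400, "only byte ranges are supported")
    specs = [s.strip() for s in header[len("bytes="):].split(",")]
    if len(specs) > MAX_RANGES:
        raise RangeRejected(416, f"{len(specs)} ranges exceeds limit of {MAX_RANGES}")

    regions, total = [], 0
    for spec in specs:
        m = RANGE_SPEC.match(spec)
        if not m or m.group(1) == m.group(2) == "":
            raise RangeRejected(400, f"malformed range-spec {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "":                              # suffix form: "-N" = last N bytes
            n = int(last)
            if n == 0 or resource_length == 0:
                raise RangeRejected(416, f"suffix range {spec!r} is unsatisfiable")
            start, end = max(resource_length - n, 0), resource_length - 1
        else:                                        # "first-last" or open-ended "first-"
            start = int(first)
            if start >= resource_length:
                raise RangeRejected(416, f"range {spec!r} starts beyond the resource")
            end = min(int(last), resource_length - 1) if last else resource_length - 1
            if end < start:
                raise RangeRejected(400, f"range {spec!r} ends before it starts")
        regions.append((start, end))
        total += end - start + 1
        if total > resource_length:
            raise RangeRejected(416, "ranges request more bytes than the resource holds")
    return regions


def range_decision(header, resource_length):
    """(206, regions) when the request would be served, else (status, reason)."""
    try:
        return 206, parse_byte_ranges(header, resource_length)
    except RangeRejected as exc:
        return exc.status, str(exc)


# --- CVE-2018-11039 class: hidden-method override restricted to an allowlist --

ALLOWED_OVERRIDES = {"PUT", "PATCH", "DELETE"}     # assumption: never TRACE, GET, ...


def effective_method(request_method, override_param):
    """Method the application should dispatch on.

    The override is honoured only for a real POST (HTML forms can only send
    GET or POST) and only for methods in ALLOWED_OVERRIDES; anything else,
    TRACE included, falls back to the actual request method.
    """
    if request_method != "POST" or not override_param:
        return request_method
    wanted = override_param.strip().upper()
    return wanted if wanted in ALLOWED_OVERRIDES else request_method


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    length = 1_000_000
    for hdr in ["bytes=0-1023",
                "bytes=0-999999,0-999999",                  # two full-size overlapping ranges
                "bytes=" + ",".join("0-0" for _ in range(101)),  # range-count flood
                "bytes=-0"]:                                 # unsatisfiable suffix range
        print(range_decision(hdr, length)[0], hdr[:40])
    for method, override in [("POST", "delete"), ("POST", "TRACE"), ("GET", "DELETE")]:
        print(method, override, "->", effective_method(method, override))
```

The total-bytes check is deliberately cumulative rather than a pairwise overlap test: a pairwise test is quadratic in the number of ranges and still lets an attacker request the whole resource many times with non-overlapping but repeated ranges, whereas the running total rejects the request as soon as it asks for more than one copy of the resource.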