Accepted libspring-java 4.3.5-1+deb9u1 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 23 Apr 2021 17:07:11 +0200
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-messaging-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source
Version: 4.3.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
libspring-aop-java - modular Java/J2EE application framework - AOP
libspring-beans-java - modular Java/J2EE application framework - Beans
libspring-context-java - modular Java/J2EE application framework - Context
libspring-context-support-java - modular Java/J2EE application framework - Context Support
libspring-core-java - modular Java/J2EE application framework - Core
libspring-expression-java - modular Java/J2EE application framework - Expression language
libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
libspring-jms-java - modular Java/J2EE application framework - JMS tools
libspring-messaging-java - modular Java/J2EE application framework - Messaging tools
libspring-orm-java - modular Java/J2EE application framework - ORM tools
libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
libspring-test-java - modular Java/J2EE application framework - Test helpers
libspring-transaction-java - modular Java/J2EE application framework - transaction
libspring-web-java - modular Java/J2EE application framework - Web
libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
libspring-web-servlet-java - modular Java/J2EE application framework - Web Servlet
Changes:
libspring-java (4.3.5-1+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the ELTS Security Team.
* CVE-2018-1270/CVE-2018-1275: Spring Framework allows applications to
expose STOMP over WebSocket endpoints with a simple, in-memory STOMP
broker through the spring-messaging module. A malicious user (or
attacker) can craft a message to the broker that can lead to a remote
code execution attack.
* CVE-2018-11039: Spring Framework allows web applications to change the
HTTP request method to any HTTP method (including TRACE) using the
HiddenHttpMethodFilter in Spring MVC. If an application has a
pre-existing XSS vulnerability, a malicious user (or attacker) can use
this filter to escalate to an XST (Cross Site Tracing) attack.
* CVE-2018-11040: Spring Framework allows web applications to enable
cross-domain requests via JSONP (JSON with Padding) through
AbstractJsonpResponseBodyAdvice for REST controllers and
MappingJackson2JsonView for browser requests. Both are not enabled by
default in Spring Framework nor Spring Boot, however, when
MappingJackson2JsonView is configured in an application, JSONP support
is automatically ready to use through the "jsonp" and "callback" JSONP
parameters, enabling cross-domain requests.
* CVE-2018-15756: Spring Framework provides support for range requests
when serving static resources through the ResourceHttpRequestHandler,
or starting in 5.0 when an annotated controller returns an
org.springframework.core.io.Resource. A malicious user (or attacker)
can add a range header with a high number of ranges, or with wide
ranges that overlap, or both, for a denial of service attack.
Checksums-Sha1:
2366735adb185a8ad8ebb0a182e0a88fa1c35a19 5249 libspring-java_4.3.5-1+deb9u1.dsc
1fe50d2dfae0e92c74844d8695be170f6275fdcc 7051404 libspring-java_4.3.5.orig.tar.xz
ddbbcab10ac6d35ae37a78a25e5f9efaacfad42a 31644 libspring-java_4.3.5-1+deb9u1.debian.tar.xz
ca71b34149f10a1285a199d3bb033c5a924bb6c0 25707 libspring-java_4.3.5-1+deb9u1_all.buildinfo
Checksums-Sha256:
63605b864d2e9713405885b0042684c62105b8b8b5e4be992b7d754e30bbcc85 5249 libspring-java_4.3.5-1+deb9u1.dsc
6d20eeb070c65dce58dab9a63c8eeb23aab6d6cd644b74b634ae1ac26c3ce771 7051404 libspring-java_4.3.5.orig.tar.xz
5bd691557b7fb5cc3916332e7f88eff6ddd934c708465c89117eec9d386dd820 31644 libspring-java_4.3.5-1+deb9u1.debian.tar.xz
7a4428aed7b0296df5780397357a12879c23ee1ae709a738b82b27300c8970ac 25707 libspring-java_4.3.5-1+deb9u1_all.buildinfo
Files:
b8c4e0f94581af1cacdd13835de885ef 5249 java optional libspring-java_4.3.5-1+deb9u1.dsc
72eb85a748f151468bcacb4cf94fc58e 7051404 java optional libspring-java_4.3.5.orig.tar.xz
6b7fd860995ccb67490883f6bc50e14b 31644 java optional libspring-java_4.3.5-1+deb9u1.debian.tar.xz
b01ec1a8e3adfa357ca7bd02ad8e2343 25707 java optional libspring-java_4.3.5-1+deb9u1_all.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
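The range-request issue (CVE-2018-15756 in the changelog above) comes down to how much work a server is willing to do for a single Range header. The following is an added example, not code from Spring or from this Debian package: a Python validator written in the spirit of the upstream fix. It parses RFC 7233 byte ranges into absolute offsets, caps the number of range specs, drops unsatisfiable ones, and refuses overlapping sets with 416 instead of serving them. The cap of 100 ranges and the choice to answer 416 (rather than ignore the header and send 200) for rejected input are assumptions made for this example.

```python
"""Range-header hardening against many/overlapping ranges (CVE-2018-15756).

Added example; not Spring's code and not part of the Debian package.
MAX_RANGES and the 416-on-reject policy are assumptions for this example.
"""
import re
from typing import Optional

MAX_RANGES = 100  # assumption: upper bound on range specs per request

# byte-range-spec ("first-last", "first-") or suffix-byte-range-spec ("-n")
_SPEC = re.compile(r"^(\d*)-(\d*)$")


class RangeRejected(ValueError):
    """Header is malformed, abusive, or unsatisfiable: answer 416."""


def parse_byte_ranges(header: str, resource_length: int) -> list[tuple[int, int]]:
    """Return absolute, inclusive (first, last) pairs in request order.

    Raises RangeRejected for anything the server should not try to serve.
    """
    if resource_length <= 0:
        raise RangeRejected("empty resource has no satisfiable range")
    if not header.startswith("bytes="):
        raise RangeRejected("only the 'bytes' range unit is supported")
    specs = [s.strip() for s in header[len("bytes="):].split(",")]
    specs = [s for s in specs if s]
    if not specs:
        raise RangeRejected("empty range set")
    # Bound the work before doing any of it: this is the DoS lever.
    if len(specs) > MAX_RANGES:
        raise RangeRejected(f"too many ranges ({len(specs)} > {MAX_RANGES})")

    last_byte = resource_length - 1
    ranges: list[tuple[int, int]] = []
    for spec in specs:
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise RangeRejected(f"malformed range spec {spec!r}")
        first_s, last_s = m.groups()
        if first_s == "":
            # suffix-byte-range-spec: the final n bytes of the resource
            n = int(last_s)
            if n == 0:
                continue  # unsatisfiable, ignored
            ranges.append((max(0, resource_length - n), last_byte))
            continue
        first = int(first_s)
        if first > last_byte:
            continue  # starts past the end: unsatisfiable, ignored
        last = last_byte if last_s == "" else min(int(last_s), last_byte)
        if last < first:
            raise RangeRejected(f"last-byte-pos precedes first-byte-pos in {spec!r}")
        ranges.append((first, last))

    if not ranges:
        raise RangeRejected("no satisfiable range in header")

    # Overlap is what turns a short header into output far larger than the
    # resource; RFC 7233 lets a server refuse such sets, so refuse them.
    ordered = sorted(ranges)
    for (_, prev_last), (next_first, _) in zip(ordered, ordered[1:]):
        if next_first <= prev_last:
            raise RangeRejected("overlapping ranges")
    return ranges


def respond_to_range(header: Optional[str], resource_length: int):
    """Status decision for a GET of a static resource.

    (200, None): no Range header, send the whole body.
    (206, ranges): partial content for the validated ranges.
    (416, None): refuse; the caller should add 'Content-Range: bytes */len'.
    """
    if header is None:
        return 200, None
    try:
        return 206, parse_byte_ranges(header, resource_length)
    except RangeRejected:
        return 416, None


if __name__ == "__main__":
    # Constructed abusive header: thousands of identical ranges on a 1 KiB file.
    abusive = "bytes=" + ",".join(["0-"] * 10_000)
    print(respond_to_range(abusive, 1024))          # (416, None)
    print(respond_to_range("bytes=0-99,-100", 1024))  # (206, [(0, 99), (924, 1023)])
```

The validator keeps the request's own order so a server can stream the parts as asked, and it only sorts a copy for the overlap check. Dropping unsatisfiable single ranges while still failing when none remain follows the RFC; rejecting overlap outright is stricter than the RFC requires and is the deliberate trade-off here.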
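Two of the changelog entries above (CVE-2018-11039 and CVE-2018-11040) share a pattern: a convenience that takes its instruction from a request parameter, with no allow-list on the value and no explicit opt-in. The following is an added example in Python, not Spring's code and not part of the Debian package, showing the pre-fix shape of the method override beside a hardened version that only lets POST become PUT, PATCH or DELETE (so `_method=TRACE` can never produce a TRACE request), and a JSONP renderer that stays off unless enabled per view and validates the callback name before echoing it. The parameter names, the allow-list, and the callback syntax check are assumptions for this example.

```python
"""Hardened request-parameter handling for two Spring MVC conveniences.

Added example; not Spring's code and not part of the Debian package.
resolve_http_method mirrors the idea behind the CVE-2018-11039 fix;
jsonp_callback/render_json mirror the opt-in wanted for CVE-2018-11040.
Parameter names, the allow-list and the identifier regex are assumptions.
"""
import re
from typing import Mapping, Optional

METHOD_PARAM = "_method"                                   # assumption
ALLOWED_OVERRIDES = frozenset({"PUT", "PATCH", "DELETE"})  # assumption


def resolve_http_method_unsafe(method: str, params: Mapping[str, str]) -> str:
    """Pre-fix shape of the logic: any non-empty override value wins.

    With a reflected-XSS foothold an attacker can submit a form carrying
    _method=TRACE and read back the request, headers included (XST).
    """
    if method.upper() == "POST":
        override = params.get(METHOD_PARAM, "")
        if override:
            return override.upper()
    return method.upper()


def resolve_http_method(method: str, params: Mapping[str, str],
                        allowed: frozenset = ALLOWED_OVERRIDES) -> str:
    """Hardened: only POST may be overridden, and only to a listed method."""
    if method.upper() != "POST":
        return method.upper()
    override = params.get(METHOD_PARAM, "").strip().upper()
    return override if override in allowed else "POST"


JSONP_PARAMS = ("jsonp", "callback")  # assumption: the parameter names honoured
# assumption: a dotted JavaScript identifier path, nothing else
_CALLBACK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]*$")
MAX_CALLBACK_LEN = 64                 # assumption


def jsonp_callback(params: Mapping[str, str], jsonp_enabled: bool) -> Optional[str]:
    """Return a validated callback name, or None for a plain JSON response.

    Off by default: the presence of ?callback= alone must not switch the
    response into a cross-origin script, which is the CVE-2018-11040 point.
    """
    if not jsonp_enabled:
        return None
    for name in JSONP_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        if len(value) > MAX_CALLBACK_LEN or not _CALLBACK.match(value):
            return None  # refuse rather than echo attacker-controlled text
        return value
    return None


def render_json(body_json: str, params: Mapping[str, str],
                jsonp_enabled: bool = False) -> tuple[str, str]:
    """Return (content_type, payload) for an already-serialised JSON body."""
    cb = jsonp_callback(params, jsonp_enabled)
    if cb is None:
        return "application/json", body_json
    # The leading comment prefix is the conventional guard against the
    # response being interpreted as a different file type by a plugin.
    return "application/javascript", f"/**/{cb}({body_json});"


if __name__ == "__main__":
    forged = {"_method": "TRACE"}  # constructed attacker-controlled form field
    print(resolve_http_method_unsafe("POST", forged))  # TRACE
    print(resolve_http_method("POST", forged))         # POST
    print(render_json('{"ok":true}', {"callback": "alert(1);//"}, jsonp_enabled=True))
```

The contrast worth noticing is where the decision lives: in the hardened functions the server's own configuration (the allow-list, the `jsonp_enabled` flag) decides what a parameter may do, and the client's value is only ever compared against that, never used as an instruction.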