Source: libspring-java
Version: 4.3.19-1
Severity: important
Tags: security upstream
Hi,

The following vulnerability was published for libspring-java.

CVE-2018-15756[0]:
| Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10,
| versions 4.3.x prior to 4.3.20, and older unsupported versions on the
| 4.2.x branch provide support for range requests when serving static
| resources through the ResourceHttpRequestHandler, or starting in 5.0
| when an annotated controller returns an
| org.springframework.core.io.Resource. A malicious user (or attacker)
| can add a range header with a high number of ranges, or with wide
| ranges that overlap, or both, for a denial of service attack. This
| vulnerability affects applications that depend on either spring-webmvc
| or spring-webflux. Such applications must also have a registration for
| serving static resources (e.g. JS, CSS, images, and others), or have
| an annotated controller that returns an
| org.springframework.core.io.Resource. Spring Boot applications that
| depend on spring-boot-starter-web or spring-boot-starter-webflux are
| ready to serve static resources out of the box and are therefore
| vulnerable.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15756
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756
[1] https://pivotal.io/security/cve-2018-15756

Please adjust the affected versions in the BTS as needed, but basically, as is already known, older 4.2 versions (which are unsupported) are affected as well.

Regards,
Salvatore
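Added example, not part of the bug report or of Spring's own code: a Range-header check of the kind a fix or a front-end filter would apply before building a multipart byte-range response, rejecting the two request shapes the advisory names (many ranges, overlapping ranges). The limit MAX_RANGES, the function names and the sample headers are constructed for this example and are not Spring's values.

```python
import re
from typing import List, Optional, Tuple

# Constructed limit for this example; it is not the value Spring itself uses.
MAX_RANGES = 100

def parse_byte_ranges(header: str, length: int) -> Optional[List[Tuple[int, int]]]:
    """Parse 'bytes=a-b,c-d,-n,e-' into absolute inclusive (start, end) pairs.
    Returns None when the header is malformed or a range is unsatisfiable."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+?)\s*", header)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        sm = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not sm or not (sm.group(1) or sm.group(2)):
            return None
        first, last = sm.group(1), sm.group(2)
        if not first:                      # suffix range "-n": the last n bytes
            n = int(last)
            if n == 0:
                return None
            start, end = max(0, length - n), length - 1
        else:                              # "a-b" or open-ended "a-"
            start = int(first)
            if start >= length:            # entirely past the end: unsatisfiable
                return None
            end = length - 1 if not last else min(int(last), length - 1)
            if end < start:
                return None
        ranges.append((start, end))
    return ranges

def check_range_request(header: str, length: int, max_ranges: int = MAX_RANGES) -> Tuple[bool, str]:
    """Decide whether a Range request on a resource of `length` bytes is safe to
    serve as a multipart response. Rejects the request shapes in the advisory:
    a high number of ranges, and ranges that overlap (disjoint ranges can never
    add up to more than the resource, so overlap is the check that bounds output)."""
    ranges = parse_byte_ranges(header, length)
    if ranges is None:
        return False, "malformed or unsatisfiable"
    if len(ranges) > max_ranges:
        return False, f"too many ranges ({len(ranges)} > {max_ranges})"
    ordered = sorted(ranges)
    for (_, prev_end), (start, _) in zip(ordered, ordered[1:]):
        if start <= prev_end:
            return False, "overlapping ranges"
    return True, "ok"
```

A rejected request is normally answered with 416 (unsatisfiable) or served as a full 200 response with no Range processing, which is what RFC 7233 permits a server to do for overlapping or excessively many ranges.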
