Your message dated Sat, 08 Feb 2014 23:17:06 +0000
with message-id <e1wch90-0005kl...@franck.debian.org>
and subject line Bug#735420: fixed in libspring-java 3.0.6.RELEASE-6+deb7u2
has caused the Debian Bug report #735420,
regarding libspring-java: CVE-2013-6429 CVE-2013-6430
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
735420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=735420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Please see
http://www.gopivotal.com/security/cve-2013-6429
http://www.gopivotal.com/security/cve-2013-6430

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Source: libspring-java
Source-Version: 3.0.6.RELEASE-6+deb7u2

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 735...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 27 Jan 2014 15:56:41 +0100
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java 
libspring-context-java libspring-context-support-java libspring-web-java 
libspring-web-servlet-java libspring-web-struts-java libspring-web-portlet-java 
libspring-test-java libspring-transaction-java libspring-jdbc-java 
libspring-jms-java libspring-orm-java libspring-expression-java 
libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 3.0.6.RELEASE-6+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description: 
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
 libspring-web-struts-java - modular Java/J2EE application framework - Struts MVC
Closes: 735420
Changes: 
 libspring-java (3.0.6.RELEASE-6+deb7u2) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2013-6429 and CVE-2013-6430. (Closes: #735420)
     - New patches: CVE-2013-6429.patch and CVE-2013-6430.patch.
     - Spring MVC's SourceHttpMessageConverter also processed user provided XML
       and neither disabled XML external entities nor provided an option to
       disable them. SourceHttpMessageConverter has been modified to provide an
       option to control the processing of XML external entities and that
       processing is now disabled by default.
     - The JavaScriptUtils.javaScriptEscape() method did not escape all
       characters that are sensitive within either a JS single quoted string, JS
       double quoted string, or HTML script data context. In most cases this
       will result in an unexploitable parse error but in some cases it could
       result in an XSS vulnerability.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlL1dLEACgkQXm3vHE4uylrbTwCgvETA2fuyZ5a2yt7K1wovrQ6A
LYwAoJuH/nNawQn9DIaPO7UjxE5JzftP
=g88b
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.
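
The changelog entry for CVE-2013-6429 describes an XML parser that resolved external entities in user-provided XML until an option to disable them was added and made the default. The following is an added example, not code from the Debian patch or from Spring, showing the same on/off switch on a plain JAXP `DocumentBuilderFactory`; the class name, the `parseBody` helper and the marker file are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ExternalEntityOptionDemo {

    // Hypothetical helper: parses a request body and returns the root element's
    // text. The flag plays the role of the "process external entities" option
    // mentioned in the changelog; false is the safe default.
    static String parseBody(String xml, boolean processExternalEntities) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities",
                processExternalEntities);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities",
                processExternalEntities);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temporary marker file stands in for any
        // server-side resource that a request body must never be able to read.
        Path marker = Files.createTempFile("entity-marker", ".txt");
        Files.write(marker, "SERVER-SIDE-CONTENT".getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"" + marker.toUri() + "\">]>\n"
                + "<order>&ext;</order>";
        try {
            boolean leakedWhenEnabled = parseBody(xml, true).contains("SERVER-SIDE-CONTENT");
            boolean leakedWhenDisabled = parseBody(xml, false).contains("SERVER-SIDE-CONTENT");
            System.out.println("external entities enabled : leaked=" + leakedWhenEnabled);
            System.out.println("external entities disabled: leaked=" + leakedWhenDisabled);
        } finally {
            Files.delete(marker);
        }
    }
}
```

A regression test for a patched converter can use the same check: the marker string must not appear in the parsed result when the option is left at its default.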
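
The changelog entry for CVE-2013-6430 names three contexts an escaper has to cover at once: a JS single-quoted string, a JS double-quoted string, and HTML script data. The following is an added example, not the code of `JavaScriptUtils.javaScriptEscape()` or of the Debian patch, of an escaper whose output stays inside a string literal in all three. The changelog does not list the characters the patch added, so the character set handled here is this example's own choice, and the class and method names are hypothetical.

```java
public class ScriptContextEscapeDemo {

    // Hypothetical escaper for a value placed inside a JS string literal that
    // is itself embedded in an HTML <script> element.
    static String escapeForScriptString(String input) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                // Either quote style can terminate the surrounding literal.
                case '"':  out.append("\\\""); break;
                case '\'': out.append("\\'"); break;
                case '\\': out.append("\\\\"); break;
                case '/':  out.append("\\/"); break;
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                case '\b': out.append("\\b"); break;
                case '\f': out.append("\\f"); break;
                // Angle brackets matter to the HTML parser, which scans script
                // data for a closing tag before the JS engine sees the string.
                case '<':  out.append("\\u003C"); break;
                case '>':  out.append("\\u003E"); break;
                // LINE SEPARATOR and PARAGRAPH SEPARATOR end a line in older JS
                // engines and turn the literal into a parse error.
                case 0x2028: out.append("\\u2028"); break;
                case 0x2029: out.append("\\u2029"); break;
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04X", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, one per context named in the changelog.
        String[] samples = { "it's", "say \"hi\"", "a</script>b", "line" + (char) 0x2028 + "break" };
        for (String s : samples) {
            System.out.println(escapeForScriptString(s));
        }
    }
}
```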
