On Sat., 2014-09-06 at 21:38 -0700, tony mancill wrote:
> On 09/06/2014 11:36 AM, Salvatore Bonaccorso wrote:
> > Hi Tony,
> >
> > On Sat, Sep 06, 2014 at 08:50:24AM -0700, tony mancill wrote:
> >> On Wed, 02 Jul 2014 10:36:55 +0200 Moritz Muehlenhoff <j...@inutil.org>
> >> wrote:
> >>> Package: libspring-java
> >>> Severity: grave
> >>> Tags: security
> >>> Justification: user security hole
> >>>
> >>> Hi,
> >>> please see http://www.gopivotal.com/security/cve-2014-0225
> >>
> >> Hello,
> >>
> >> I have uploaded a patched version (thanks Stephen!) to unstable and
> >> prepared an upload 3.0.6.RELEASE-6+deb7u4 for wheezy-security, for which
> >> the debdiff for the .dsc and .changes is attached. (It is essentially
> >> identical to the debdiff for unstable.) I also placed the source and
> >> binary packages for the wheezy update here:
> >>
> >> https://people.debian.org/~tmancill/libspring-java_wheezy/
> >>
> >> for Security Team review.
> >
> > AFAICS at the time (at least), this CVE was marked no-dsa. Do you
> > concur on this classification or is there something we missed? If so,
> > could you contact the stable release managers to have an update through
> > stable proposed updates?
>
> Hi Salvatore,
>
> No, I'm not aware of anything that has been missed. I was just trying
> to be proactive about creating a package. If any user needs to build
> for wheezy, the patch is available in the BTS.
>
> Thank you for the information,
> tony
For what it's worth, CVE-2014-3578 was assigned to a directory traversal
vulnerability in libspring-java (http://www.pivotal.io/security/cve-2014-3578).
I think it's no-dsa too, but both can be fixed in a point release.

Regards,
-- 
Yves-Alexis Perez - Debian Security