Bug#735420: marked as done (libspring-java: CVE-2013-6429 CVE-2013-6430)
Your message dated Sat, 08 Feb 2014 23:17:06 +
with message-id
and subject line Bug#735420: fixed in libspring-java 3.0.6.RELEASE-6+deb7u2
has caused the Debian Bug report #735420,
regarding libspring-java: CVE-2013-6429 CVE-2013-6430
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
735420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=735420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Please see
http://www.gopivotal.com/security/cve-2013-6429
http://www.gopivotal.com/security/cve-2013-6430

Cheers,
Moritz
--- End Message ---

--- Begin Message ---
Source: libspring-java
Source-Version: 3.0.6.RELEASE-6+deb7u2

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 735...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 27 Jan 2014 15:56:41 +0100
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-struts-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 3.0.6.RELEASE-6+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
 libspring-web-struts-java - modular Java/J2EE application framework - Struts MVC
Closes: 735420
Changes:
 libspring-java (3.0.6.RELEASE-6+deb7u2) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2013-6429 and CVE-2013-6430. (Closes: #735420)
     - New patches: CVE-2013-6429.patch and CVE-2013-6430.patch.
     - Spring MVC's SourceHttpMessageConverter also processed user provided
       XML and neither disabled XML external entities nor provided an option
       to disable them. SourceHttpMessageConverter has been modified to
       provide an option to control the processing of XML external entities
       and that processing is now disabled by default.
     - The JavaScriptUtils.javaScriptEscape() method did not escape all
       characters that are sensitive within either a JS single quoted string,
       JS double quoted string, or HTML script data context. In most cases
       this will result in an unexploitable parse error but in some cases it
       could result in an XSS vulnerability.
Checksums-Sha1:
 1b86102ae182ecd0011fa2412281026949c5d200 3912 libspring-java_3.0.6.RELEASE-6+deb7u2.dsc
 81885fee9
Bug#735420: marked as done (libspring-java: CVE-2013-6429 CVE-2013-6430)
Your message dated Sun, 26 Jan 2014 23:49:00 +
with message-id
and subject line Bug#735420: fixed in libspring-java 3.0.6.RELEASE-11
has caused the Debian Bug report #735420,
regarding libspring-java: CVE-2013-6429 CVE-2013-6430
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
735420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=735420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: libspring-java
Severity: grave
Tags: security
Justification: user security hole

Please see
http://www.gopivotal.com/security/cve-2013-6429
http://www.gopivotal.com/security/cve-2013-6430

Cheers,
Moritz
--- End Message ---

--- Begin Message ---
Source: libspring-java
Source-Version: 3.0.6.RELEASE-11

We believe that the bug you reported is fixed in the latest version of
libspring-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 735...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany (supplier of updated libspring-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 24 Jan 2014 19:22:14 +0100
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-struts-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source all
Version: 3.0.6.RELEASE-11
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
 libspring-web-struts-java - modular Java/J2EE application framework - Struts MVC
Closes: 735420
Changes:
 libspring-java (3.0.6.RELEASE-11) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2013-6429 and CVE-2013-6430. (Closes: #735420)
     - New patches: CVE-2013-6429.patch and CVE-2013-6430.patch.
     - Spring MVC's SourceHttpMessageConverter also processed user provided
       XML and neither disabled XML external entities nor provided an option
       to disable them. SourceHttpMessageConverter has been modified to
       provide an option to control the processing of XML external entities
       and that processing is now disabled by default.
     - The JavaScriptUtils.javaScriptEscape() method did not escape all
       characters that are sensitive within either a JS single quoted string,
       JS double quoted string, or HTML script data context. In most cases
       this will result in an unexploitable parse error but in some cases it
       could result in an XSS vulnerability.
Checksums-Sha1:
 adb2b4e82b68610f1db58068dbefe38cf26d5a32 4484 libspring-java_3.0.6.RELEASE-11.dsc
 6bb8eee848166eb2fa5d1239e573cd4581faf6fa 24152 libsp
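The CVE-2013-6429 entry in both changelogs above describes the fix as disabling XML external entity processing by default in SourceHttpMessageConverter. The following added example (written for this page; it is not code from Spring, from the Debian patches, or from either message) shows a JAXP DocumentBuilderFactory configured the way that fix describes, beside the JDK default that stands in for the pre-fix behaviour, and a check that a user-supplied document carrying an external entity declaration is rejected outright rather than resolved. The class name, the sample document and its non-resolvable placeholder URL are constructed for the example; the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class XxeHardeningCheck {
    // Constructed sample input (not from the page): an internal DTD that
    // declares an external general entity. The URL is a non-resolvable
    // placeholder, so a parser that honours it fails on DNS while a hardened
    // parser rejects the DOCTYPE before any resolution is attempted.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"http://example.invalid/resource\">]>\n"
      + "<doc>&ext;</doc>";

    // The post-fix configuration the changelog describes: external entity
    // processing disabled. Refusing any DOCTYPE is the simplest way to get
    // there when the converter never needs a DTD.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Classifies what a factory does with the sample; "rejected" is the only
    // acceptable outcome for a converter that parses user-supplied XML.
    static String classify(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed, entity resolved";
        } catch (SAXParseException e) {
            return "rejected";              // DOCTYPE refused, nothing fetched
        } catch (IOException e) {
            return "attempted resolution";  // parser tried to fetch the entity
        }
    }

    public static void main(String[] args) throws Exception {
        // JAXP defaults stand in for the pre-fix converter: entities are processed.
        System.out.println("default  : " + classify(DocumentBuilderFactory.newInstance(), UNTRUSTED_XML));
        System.out.println("hardened : " + classify(hardenedFactory(), UNTRUSTED_XML));
    }
}
```

The same check is worth running against whatever converter or parser an application feeds request bodies into: anything other than "rejected" on this input means external entity processing is still reachable from user-controlled XML.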