Debian Bug report logs - #677814
CVE-2011-2730

Package: libspring-2.5-java; Maintainer for libspring-2.5-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Mon, 30 Apr 2012 07:57:05 UTC

Severity: grave

Tags: security, squeeze

Found in version 2.5.6.SEC02-2

Fixed in version libspring-2.5-java/2.5.6.SEC02-2+squeeze1

Done: Damien Raude-Morvan <drazzib@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#670901; Package libspring-security-2.0-java. (Mon, 30 Apr 2012 07:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 30 Apr 2012 07:57:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Spring: Multiple security issues
Date: Mon, 30 Apr 2012 09:55:39 +0200
Package: libspring-security-2.0-java
Severity: grave
Tags: security

Please see 
http://www.securityfocus.com/archive/1/519593/30/0/threaded
http://www.springsource.com/security/cve-2011-2731
http://www.springsource.com/security/cve-2011-2732
http://www.springsource.com/security/cve-2011-2894

CVE-2011-2894 seems to affect libspring-java? If so, please clone or 
reassign as needed.

CVE-2011-2730 seems to affect libspring-2.5-java? If so, please clone or 
reassign as needed.

Cheers,
        Moritz




Bug 670901 cloned as bugs 677679, 677680, 677681 Request was from Miguel Landaeta <miguel@miguel.cc> to control@bugs.debian.org. (Sat, 16 Jun 2012 02:33:03 GMT) Full text and rfc822 format available.

Reply sent to Miguel Landaeta <miguel@miguel.cc>:
You have taken responsibility. (Sat, 16 Jun 2012 04:00:09 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 16 Jun 2012 04:00:09 GMT) Full text and rfc822 format available.

Message #12 received at 670901-close@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: 670901-close@bugs.debian.org
Subject: Bug#670901: fixed in libspring-security-2.0-java 2.0.7.RELEASE-1
Date: Sat, 16 Jun 2012 03:54:44 +0000
Source: libspring-security-2.0-java
Source-Version: 2.0.7.RELEASE-1

We believe that the bug you reported is fixed in the latest version of
libspring-security-2.0-java, which is due to be installed in the Debian FTP archive:

libspring-security-2.0-java-doc_2.0.7.RELEASE-1_all.deb
  to main/libs/libspring-security-2.0-java/libspring-security-2.0-java-doc_2.0.7.RELEASE-1_all.deb
libspring-security-2.0-java_2.0.7.RELEASE-1.debian.tar.gz
  to main/libs/libspring-security-2.0-java/libspring-security-2.0-java_2.0.7.RELEASE-1.debian.tar.gz
libspring-security-2.0-java_2.0.7.RELEASE-1.dsc
  to main/libs/libspring-security-2.0-java/libspring-security-2.0-java_2.0.7.RELEASE-1.dsc
libspring-security-2.0-java_2.0.7.RELEASE.orig.tar.gz
  to main/libs/libspring-security-2.0-java/libspring-security-2.0-java_2.0.7.RELEASE.orig.tar.gz
libspring-security-acl-2.0-java_2.0.7.RELEASE-1_all.deb
  to main/libs/libspring-security-2.0-java/libspring-security-acl-2.0-java_2.0.7.RELEASE-1_all.deb
libspring-security-core-2.0-java_2.0.7.RELEASE-1_all.deb
  to main/libs/libspring-security-2.0-java/libspring-security-core-2.0-java_2.0.7.RELEASE-1_all.deb
libspring-security-ntlm-2.0-java_2.0.7.RELEASE-1_all.deb
  to main/libs/libspring-security-2.0-java/libspring-security-ntlm-2.0-java_2.0.7.RELEASE-1_all.deb
libspring-security-portlet-2.0-java_2.0.7.RELEASE-1_all.deb
  to main/libs/libspring-security-2.0-java/libspring-security-portlet-2.0-java_2.0.7.RELEASE-1_all.deb
libspring-security-taglibs-2.0-java_2.0.7.RELEASE-1_all.deb
  to main/libs/libspring-security-2.0-java/libspring-security-taglibs-2.0-java_2.0.7.RELEASE-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 670901@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <miguel@miguel.cc> (supplier of updated libspring-security-2.0-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Jun 2012 21:43:49 -0430
Source: libspring-security-2.0-java
Binary: libspring-security-core-2.0-java libspring-security-acl-2.0-java libspring-security-ntlm-2.0-java libspring-security-portlet-2.0-java libspring-security-taglibs-2.0-java libspring-security-2.0-java-doc
Architecture: source all
Version: 2.0.7.RELEASE-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <miguel@miguel.cc>
Description: 
 libspring-security-2.0-java-doc - documentation for Spring Security 2.0
 libspring-security-acl-2.0-java - modular Java/J2EE application security framework - ACL
 libspring-security-core-2.0-java - modular Java/J2EE application security framework - Core
 libspring-security-ntlm-2.0-java - modular Java/J2EE application security framework - NTLM
 libspring-security-portlet-2.0-java - modular Java/J2EE application security framework - Portlet
 libspring-security-taglibs-2.0-java - modular Java/J2EE application security framework - Taglibs
Closes: 670901
Changes: 
 libspring-security-2.0-java (2.0.7.RELEASE-1) unstable; urgency=low
 .
   * New upstream release. (Closes: #670901).
   * Bump Standards-Version to 3.9.3. No changes were required.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----





Bug 670901 cloned as bug 677814 Request was from "Damien Raude-Morvan" <drazzib@debian.org> to control@bugs.debian.org. (Sat, 16 Jun 2012 22:15:11 GMT) Full text and rfc822 format available.

Bug reassigned from package 'libspring-security-2.0-java' to 'libspring-2.5-java'. Request was from "Damien Raude-Morvan" <drazzib@debian.org> to control@bugs.debian.org. (Sat, 16 Jun 2012 22:15:12 GMT) Full text and rfc822 format available.

No longer marked as fixed in versions libspring-security-2.0-java/2.0.7.RELEASE-1. Request was from "Damien Raude-Morvan" <drazzib@debian.org> to control@bugs.debian.org. (Sat, 16 Jun 2012 22:15:12 GMT) Full text and rfc822 format available.

Changed Bug title to 'CVE-2011-2730' from 'Spring: Multiple security issues' Request was from "Damien Raude-Morvan" <drazzib@debian.org> to control@bugs.debian.org. (Sat, 16 Jun 2012 22:15:13 GMT) Full text and rfc822 format available.

Added tag(s) squeeze. Request was from "Damien Raude-Morvan" <drazzib@debian.org> to control@bugs.debian.org. (Sat, 16 Jun 2012 22:15:14 GMT) Full text and rfc822 format available.

Marked as found in versions 2.5.6.SEC02-2 and reopened. Request was from "Damien Raude-Morvan" <drazzib@debian.org> to control@bugs.debian.org. (Sat, 16 Jun 2012 22:15:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#677814; Package libspring-2.5-java. (Sat, 16 Jun 2012 23:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Damien Raude-Morvan" <drazzib@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 16 Jun 2012 23:30:02 GMT) Full text and rfc822 format available.

Message #29 received at 677814@bugs.debian.org (full text, mbox):

From: "Damien Raude-Morvan" <drazzib@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 677814@bugs.debian.org
Subject: Re: Bug#670901: Spring: Multiple security issues
Date: Sun, 17 Jun 2012 01:27:14 +0200
[Message part 1 (text/plain, inline)]
Hi Moritz,

On Monday 30 April 2012 09:55:39, Moritz Muehlenhoff wrote:
> CVE-2011-2730 seems to affect libspring-2.5-java? If so, please clone or
> reassign as needed.

I've prepared an upload of libspring-2.5-java for squeeze to fix
CVE-2011-2730. You can find it on http://people.debian.org/~drazzib/security/

Could you please review it?

Cheers,
-- 
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Damien Raude-Morvan <drazzib@debian.org> to control@bugs.debian.org. (Sat, 16 Jun 2012 23:30:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#677814; Package libspring-2.5-java. (Thu, 21 Jun 2012 14:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <muehlenhoff@univention.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 21 Jun 2012 14:57:05 GMT) Full text and rfc822 format available.

Message #36 received at 677814@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <muehlenhoff@univention.de>
To: "Damien Raude-Morvan" <drazzib@debian.org>
Cc: 677814@bugs.debian.org
Subject: Re: Bug#670901: Spring: Multiple security issues
Date: Thu, 21 Jun 2012 16:54:32 +0200
On Sunday, 17 June 2012 01:27:14 Damien Raude-Morvan wrote:
> Hi Moritz,
> 
> On Monday 30 April 2012 09:55:39, Moritz Muehlenhoff wrote:
> > CVE-2011-2730 seems to affect libspring-2.5-java? If so, please clone or
> > reassign as needed.
> 
> I've prepared an upload of libspring-2.5-java  for squeeze to fix
> CVE-2011-2730. You can find it on
> http://people.debian.org/~drazzib/security/
> 
> Could you please review it ?

Please direct this to team@security.debian.org

Thanks!

Cheers,
Moritz
-- 
Moritz Mühlenhoff                         muehlenhoff@univention.de
Open Source Software Engineer
Univention GmbH  be open.                        fon: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen          fax: +49 421 22 232-99
http://www.univention.de




Reply sent to Damien Raude-Morvan <drazzib@debian.org>:
You have taken responsibility. (Sat, 30 Jun 2012 09:49:03 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 30 Jun 2012 09:49:15 GMT) Full text and rfc822 format available.

Message #41 received at 677814-close@bugs.debian.org (full text, mbox):

From: Damien Raude-Morvan <drazzib@debian.org>
To: 677814-close@bugs.debian.org
Subject: Bug#677814: fixed in libspring-2.5-java 2.5.6.SEC02-2+squeeze1
Date: Sat, 30 Jun 2012 09:48:00 +0000
Source: libspring-2.5-java
Source-Version: 2.5.6.SEC02-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
libspring-2.5-java, which is due to be installed in the Debian FTP archive:

libspring-2.5-java_2.5.6.SEC02-2+squeeze1.debian.tar.gz
  to main/libs/libspring-2.5-java/libspring-2.5-java_2.5.6.SEC02-2+squeeze1.debian.tar.gz
libspring-2.5-java_2.5.6.SEC02-2+squeeze1.dsc
  to main/libs/libspring-2.5-java/libspring-2.5-java_2.5.6.SEC02-2+squeeze1.dsc
libspring-aop-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-aop-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-aspects-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-aspects-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-beans-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-beans-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-context-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-context-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-context-support-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-context-support-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-core-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-core-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-jdbc-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-jdbc-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-jms-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-jms-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-orm-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-orm-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-test-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-test-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-tx-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-tx-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-web-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-web-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-webmvc-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-webmvc-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-webmvc-portlet-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-webmvc-portlet-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
libspring-webmvc-struts-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb
  to main/libs/libspring-2.5-java/libspring-webmvc-struts-2.5-java_2.5.6.SEC02-2+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 677814@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damien Raude-Morvan <drazzib@debian.org> (supplier of updated libspring-2.5-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 17 Jun 2012 00:13:30 +0200
Source: libspring-2.5-java
Binary: libspring-core-2.5-java libspring-beans-2.5-java libspring-aop-2.5-java libspring-context-2.5-java libspring-context-support-2.5-java libspring-web-2.5-java libspring-webmvc-2.5-java libspring-webmvc-struts-2.5-java libspring-webmvc-portlet-2.5-java libspring-test-2.5-java libspring-tx-2.5-java libspring-jdbc-2.5-java libspring-jms-2.5-java libspring-orm-2.5-java libspring-aspects-2.5-java
Architecture: source all
Version: 2.5.6.SEC02-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Damien Raude-Morvan <drazzib@debian.org>
Description: 
 libspring-aop-2.5-java - modular Java/J2EE application framework - AOP
 libspring-aspects-2.5-java - modular Java/J2EE application framework - Bundled aspects
 libspring-beans-2.5-java - modular Java/J2EE application framework - Beans
 libspring-context-2.5-java - modular Java/J2EE application framework - Context
 libspring-context-support-2.5-java - modular Java/J2EE application framework - Context Support
 libspring-core-2.5-java - modular Java/J2EE application framework - Core
 libspring-jdbc-2.5-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-2.5-java - modular Java/J2EE application framework - JMS tools
 libspring-orm-2.5-java - modular Java/J2EE application framework - ORM tools
 libspring-test-2.5-java - modular Java/J2EE application framework - Test helpers
 libspring-tx-2.5-java - modular Java/J2EE application framework - transaction
 libspring-web-2.5-java - modular Java/J2EE application framework - Web
 libspring-webmvc-2.5-java - modular Java/J2EE application framework - MVC
 libspring-webmvc-portlet-2.5-java - modular Java/J2EE application framework - Portlet MVC
 libspring-webmvc-struts-2.5-java - modular Java/J2EE application framework - Struts MVC
Closes: 677814
Changes: 
 libspring-2.5-java (2.5.6.SEC02-2+squeeze1) stable-security; urgency=high
 .
   * Backport fix for CVE-2011-2730: Spring Framework information disclosure
     from 2.5.6.SEC03 on upstream maintenance repository (Closes: #677814):
     - d/patches/CVE-2011-2730.diff: A new context parameter has been added
       called springJspExpressionSupport. When true (the default) the existing
       behaviour of evaluating EL within the tag will be performed. When running
       in an environment where EL support is provided by the container, it is
       strongly recommended that this is set to false

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
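
An added example (not part of this bug log, nor Debian or Spring code): the changelog above says springJspExpressionSupport defaults to true and should be set to false where the container already provides EL, so after installing the update each web.xml still needs checking. The Python check below reports how the parameter is set in a deployment descriptor; the function names, status labels and sample descriptors are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

PARAM = "springJspExpressionSupport"  # parameter name taken from the changelog


def _local(tag):
    """Drop an XML namespace so namespaced and plain descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_data):
    """Return (status, raw_value) for the parameter in one web.xml document.

    status is one of (labels are this example's own, not Spring's):
      default-true   parameter absent, the patched library keeps evaluating EL
      explicit-true  parameter present and set to true
      disabled       parameter present and set to false (the recommended value
                     when the container provides EL)
      unrecognised   parameter present with any other value; review by hand
    """
    root = ET.fromstring(xml_data)
    raw = None
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == PARAM:
            raw = fields.get("param-value", "")
    if raw is None:
        return ("default-true", None)
    value = raw.lower()
    if value == "false":
        return ("disabled", raw)
    if value == "true":
        return ("explicit-true", raw)
    return ("unrecognised", raw)


# Constructed sample descriptors (not taken from any real application).
SAMPLE_MISSING = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/app-context.xml</param-value>
  </context-param>
</web-app>"""

SAMPLE_HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

SAMPLE_EXPLICIT = """<web-app>
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value> TRUE </param-value>
  </context-param>
</web-app>"""


def audit_files(paths):
    """Audit web.xml files on disk; returns {path: (status, raw_value)}."""
    results = {}
    for path in paths:
        with open(path, "rb") as handle:
            results[path] = audit_web_xml(handle.read())
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, (status, raw) in audit_files(sys.argv[1:]).items():
            print(f"{path}: {status} (value={raw!r})")
    else:
        for name, doc in [("missing", SAMPLE_MISSING),
                          ("hardened", SAMPLE_HARDENED),
                          ("explicit", SAMPLE_EXPLICIT)]:
            print(name, audit_web_xml(doc))
```

Run it with one or more web.xml paths as arguments; only descriptors you trust should be parsed this way, since the standard-library parser is not hardened against hostile XML.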





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Oct 2012 07:26:20 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:15:44 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.