Format: 1.8
Date: Fri, 23 Apr 2021 17:07:11 +0200
Source: libspring-java
Binary: libspring-core-java libspring-beans-java libspring-aop-java libspring-context-java libspring-context-support-java libspring-web-java libspring-web-servlet-java libspring-web-portlet-java libspring-test-java libspring-transaction-java libspring-jdbc-java libspring-messaging-java libspring-jms-java libspring-orm-java libspring-expression-java libspring-oxm-java libspring-instrument-java
Architecture: source
Version: 4.3.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 libspring-aop-java - modular Java/J2EE application framework - AOP
 libspring-beans-java - modular Java/J2EE application framework - Beans
 libspring-context-java - modular Java/J2EE application framework - Context
 libspring-context-support-java - modular Java/J2EE application framework - Context Support
 libspring-core-java - modular Java/J2EE application framework - Core
 libspring-expression-java - modular Java/J2EE application framework - Expression language
 libspring-instrument-java - modular Java/J2EE application framework - Instrumentation
 libspring-jdbc-java - modular Java/J2EE application framework - JDBC tools
 libspring-jms-java - modular Java/J2EE application framework - JMS tools
 libspring-messaging-java - modular Java/J2EE application framework - Messaging tools
 libspring-orm-java - modular Java/J2EE application framework - ORM tools
 libspring-oxm-java - modular Java/J2EE application framework - Object/XML Mapping
 libspring-test-java - modular Java/J2EE application framework - Test helpers
 libspring-transaction-java - modular Java/J2EE application framework - transaction
 libspring-web-java - modular Java/J2EE application framework - Web
 libspring-web-portlet-java - modular Java/J2EE application framework - Portlet MVC
 libspring-web-servlet-java - modular Java/J2EE application framework - Web Portlet
Changes:
 libspring-java (4.3.5-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the ELTS Security Team.
   * CVE-2018-1270/CVE-2018-1275: Spring Framework allows applications to expose
     STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through
     the spring-messaging module. A malicious user (or attacker) can craft a
     message to the broker that can lead to a remote code execution attack.
   * CVE-2018-11039: Spring Framework allows web applications to change the HTTP
     request method to any HTTP method (including TRACE) using the
     HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing
     XSS vulnerability, a malicious user (or attacker) can use this filter to
     escalate to an XST (Cross Site Tracing) attack.
   * CVE-2018-11040: Spring Framework allows web applications to enable
     cross-domain requests via JSONP (JSON with Padding) through
     AbstractJsonpResponseBodyAdvice for REST controllers and
     MappingJackson2JsonView for browser requests. Neither is enabled by default
     in Spring Framework nor Spring Boot; however, when MappingJackson2JsonView
     is configured in an application, JSONP support is automatically ready to
     use through the "jsonp" and "callback" JSONP parameters, enabling
     cross-domain requests.
   * CVE-2018-15756: Spring Framework provides support for range requests when
     serving static resources through the ResourceHttpRequestHandler, or
     starting in 5.0 when an annotated controller returns an
     org.springframework.core.io.Resource. A malicious user (or attacker) can
     add a range header with a high number of ranges, or with wide ranges that
     overlap, or both, for a denial of service attack.
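One defender-side check for the range-request issue described under CVE-2018-15756, written here as an added Java example that is not Spring Framework's or Debian's own code: it validates a Range header before a static-resource handler builds the response. The 100-range cap, the overlap rule and the class and method names are assumptions chosen for this example.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not Spring Framework code: a guard a static-resource handler can
// run on the Range header before building responses, rejecting the patterns the
// CVE-2018-15756 entry names (too many ranges, overlapping or over-wide ranges).
public final class RangeHeaderGuard {
    static final int MAX_RANGES = 100; // cap chosen for this example, not Spring's constant

    // True if the header is absent or safe to honour; false if the handler should
    // ignore it and serve the whole resource (or answer 416) instead.
    public static boolean isSafe(String rangeHeader, long contentLength) {
        if (rangeHeader == null || rangeHeader.isEmpty()) return true;
        if (contentLength <= 0 || !rangeHeader.startsWith("bytes=")) return false;
        String[] specs = rangeHeader.substring("bytes=".length()).split(",");
        if (specs.length > MAX_RANGES) return false;
        List<long[]> ranges = new ArrayList<>();
        for (String spec : specs) {
            long[] r = parse(spec.trim(), contentLength);
            if (r == null) return false;
            // Overlap with any earlier range means the client asks for the same
            // bytes more than once; each such copy costs the server I/O and CPU.
            for (long[] prev : ranges)
                if (r[0] <= prev[1] && prev[0] <= r[1]) return false;
            ranges.add(r);
        }
        return true;
    }

    // Parses "a-b", "a-" or "-n" into an inclusive [start, end] clamped to the
    // resource; returns null for malformed or unsatisfiable specs.
    private static long[] parse(String spec, long len) {
        int dash = spec.indexOf('-');
        if (dash < 0) return null;
        try {
            if (dash == 0) { // suffix range "-n": the last n bytes
                long n = Long.parseLong(spec.substring(1));
                return n <= 0 ? null : new long[] {Math.max(0, len - n), len - 1};
            }
            long start = Long.parseLong(spec.substring(0, dash));
            long end = dash == spec.length() - 1 ? len - 1
                    : Math.min(len - 1, Long.parseLong(spec.substring(dash + 1)));
            return (start < 0 || start >= len || start > end) ? null : new long[] {start, end};
        } catch (NumberFormatException e) {
            return null;
        }
    }
}
```

A handler would call isSafe(request.getHeader("Range"), resource.contentLength()) and, on false, fall back to sending the full resource rather than honouring the header.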