-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2890-1 security@xxxxxxxxxx http://www.debian.org/security/ Florian Weimer March 29, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libspring-java CVE ID : CVE-2014-0054 CVE-2014-1904 Debian Bug : 741604 Two vulnerabilities were discovered in libspring-java, the Debian package for the Java Spring framework. CVE-2014-0054 Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML entities. CVE-2014-1904 Spring MVC introduces a cross-site scripting vulnerability if the action on a Spring form is not specified. For the stable distribution (wheezy), these problems have been fixed in version 3.0.6.RELEASE-6+deb7u3. For the testing distribution (jessie) and the unstable distribution (sid), these problems have been fixed in version 3.0.6.RELEASE-13. We recommend that you upgrade your libspring-java packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJTNyPJAAoJEL97/wQC1SS+IacH/3RNJ8+t08lYcFNK19w9gaxK XZPRhwnnQ5A8dCXSBra0476s1v9j+wZY6BQsJfTHtx1OJuQoifTwO2snjR9JQ7Tk V/KRzFSev3o35ISqc3XEUSq8klo1GPTpL0PqGThdxz5HFv20zm3V+jnCgKSSN4N3 Eu0VQybqj05aOgAsR6ldbTTI4CCQzC5XVZYNS5nZh/8eO3oAYhwi1iKxjEWrldUR G/kYvHvoKGBjBfTgp51bG/0BogAljJ4G+E3QwANERKdqFccfpJ+5vDtWoLKjTf2r 1OjYcjXp3JZxiIE5H4W5nQfMCcmbOslrOPu46MBrOYvDw7CDmw03XKvEiC36q7w= =mqxj -----END PGP SIGNATURE-----
