Debian Security Advisory

DSA-2504-1 libspring-2.5-java -- information disclosure

Date Reported:
28 Jun 2012
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 677814.
In Mitre's CVE dictionary: CVE-2011-2730.
More information:

It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests.

NOTE: This update adds a springJspExpressionSupport context parameter which must be manually set to false when the Spring Framework runs under a container which provides EL support itself.

For the stable distribution (squeeze), this problem has been fixed in version 2.5.6.SEC02-2+squeeze1.

We recommend that you upgrade your libspring-2.5-java packages.