Debian Security Advisory
DSA-2504-1 libspring-2.5-java -- information disclosure
- Date Reported:
- 28 Jun 2012
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 677814.
In Mitre's CVE dictionary: CVE-2011-2730.
- More information:
It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests.
NOTE: This update adds a springJspExpressionSupport context parameter which must be manually set to false when the Spring Framework runs under a container which provides EL support itself.
For the stable distribution (squeeze), this problem has been fixed in version 2.5.6.SEC02-2+squeeze1.
We recommend that you upgrade your libspring-2.5-java packages.