Debian Security Advisory
DSA-2890-1 libspring-java -- security update
- Date Reported:
- 29 Mar 2014
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 741604.
In Mitre's CVE dictionary: CVE-2014-0054, CVE-2014-1904.
- More information:
Two vulnerabilities were discovered in libspring-java, the Debian package for the Java Spring framework.
Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML entities.
Spring MVC introduces a cross-site scripting vulnerability if the action on a Spring form is not specified.
For the stable distribution (wheezy), these problems have been fixed in version 3.0.6.RELEASE-6+deb7u3.
For the testing distribution (jessie) and the unstable distribution (sid), these problems have been fixed in version 3.0.6.RELEASE-13.
We recommend that you upgrade your libspring-java packages.