Debian Security Advisory
DLA-1853-1 libspring-java -- LTS security update
- Date Reported:
- 13 Jul 2019
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 760733, Bug 769698, Bug 796137, Bug 849167.
In Mitre's CVE dictionary: CVE-2014-3578, CVE-2014-3625, CVE-2015-3192, CVE-2015-5211, CVE-2016-9878.
- More information:
Vulnerabilities have been identified in libspring-java, a modular Java/J2EE application framework.
A directory traversal vulnerability that allows remote attackers to read arbitrary files via a crafted URL.
A directory traversal vulnerability that allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
Improper processing of inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Reflected File Download (RFD) attack vulnerability, which allows a malicious user to craft a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
Improper path sanitization in ResourceServlet, which allows directory traversal attacks.
For Debian 8
Jessie, these problems have been fixed in version 3.0.6.RELEASE-17+deb8u1.
We recommend that you upgrade your libspring-java packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS