Package : libspring-java Version : 3.0.6.RELEASE-17+deb8u1 CVE ID : CVE-2014-3578 CVE-2014-3625 CVE-2015-3192 CVE-2015-5211 CVE-2016-9878 Debian Bug : 760733 769698 796137 849167 Vulnerabilities have been identified in libspring-java, a modular Java/J2EE application framework. CVE-2014-3578 A directory traversal vulnerability that allows remote attackers to read arbitrary files via a crafted URL. CVE-2014-3625 A directory traversal vulnerability that allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. CVE-2015-3192 Improper processing of inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. CVE-2015-5211 Reflected File Download (RFD) attack vulnerability, which allows a malicious user to craft a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. CVE-2016-9878 Improper path sanitization in ResourceServlet, which allows directory traversal attacks. For Debian 8 "Jessie", these problems have been fixed in version 3.0.6.RELEASE-17+deb8u1. We recommend that you upgrade your libspring-java packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature