Security Information / 2012 / Security Information -- DSA-2504-1 libspring-2.5-java

Debian Security Advisory

DSA-2504-1 libspring-2.5-java -- information disclosure

Date Reported:

28 Jun 2012

Affected Packages:

libspring-2.5-java

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 677814.
In Mitre's CVE dictionary: CVE-2011-2730.

More information:

It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests.

NOTE: This update adds a springJspExpressionSupport context parameter which must be manually set to false when the Spring Framework runs under a container which provides EL support itself.

For the stable distribution (squeeze), this problem has been fixed in version 2.5.6.SEC02-2+squeeze1.

We recommend that you upgrade your libspring-2.5-java packages.