Debian Security Advisory DSA 2890-1 (libspring-java - Security Update) Network Vulnerability

Summary

Two vulnerabilities were discovered in libspring-java, the Debian package for the Java Spring framework. CVE-2014-0054 Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML entities. CVE-2014-1904 Spring MVC introduces a cross-site scripting vulnerability if the action on a Spring form is not specified.

Solution

For the stable distribution (wheezy), these problems have been fixed in version 3.0.6.RELEASE-6+deb7u3. For the testing distribution (jessie) and the unstable distribution (sid), these problems have been fixed in version 3.0.6.RELEASE-13. We recommend that you upgrade your libspring-java packages.

Affected

libspring-java on Debian Linux

Detection

This check tests the installed software version using the apt package manager.

References

http://www.debian.org/security/2014/dsa-2890.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-0054, CVE-2014-1904

CVSS	Base Score: 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Debian Security Advisory DSA 023-1 (inn2)
Debian Security Advisory DSA 001-1 (ed)
Debian Security Advisory DSA 006-1 (zope)
Debian Security Advisory DSA 007-1 (zope)
Debian Security Advisory DSA 1075-1 (awstats)

Debian Security Advisory DSA 2890-1 (libspring-java - security update)

Take action and discover your vulnerabilities