Debian LTS Advisory ([SECURITY] [DLA 1853-1] libspring-java security update)

The remote host is missing an update for the 'libspring-java' package(s) announced via the DSA-1853-1 advisory.

Vulnerabilities have been identified in libspring-java, a modular Java/J2EE application framework. CVE-2014-3578 A directory traversal vulnerability that allows remote attackers to read arbitrary files via a crafted URL. CVE-2014-3625 A directory traversal vulnerability that allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. CVE-2015-3192 Improper processing of inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. CVE-2015-5211 Reflected File Download (RFD) attack vulnerability, which allows a malicious user to craft a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. CVE-2016-9878 Improper path sanitization in ResourceServlet, which allows directory traversal attacks.

'libspring-java' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For Debian 8 'Jessie', these problems have been fixed in version 3.0.6.RELEASE-17+deb8u1. We recommend that you upgrade your libspring-java packages.