CVE-2018-1199 CVE-2018-1257 CVE-2018-1272 CVE-2020-5421 commits

[Beuc]

Hi,

(Apologizes if this isn't the right channel, I checked https://spring.io/security-policy but that appears to be reserved for new vulnerabilities.)

I'm part of the Debian LTS (Long Term Support) Team and I'm reviewing the security issues that affect the versions of Spring Framework shipped by Debian, so as to determine if they are vulnerable, and fix them for Debian users.

I could not find the patches/commits related to CVE-2018-1199, CVE-2018-1257, CVE-2018-1272 and CVE-2020-5421 (including through perusing the Git history).

Would it be possible to share this information?
If this is not meant to be public, could you send it privately at beuc@debian.org?

Regards,

[rstoyanchev]

@Beuc it is not feasible to share such information for fixes that were applied several years ago, distributed across multiple branches, and evolved subsequently. You will need to work with the provided fix versions.

[Beuc]

Hi,

Thanks for your fast answer.

As you probably know, GNU/Linux distros like Debian or RedHat work with a freeze (no changes) policy that prevents from upgrading to a provided fix version (all the more if that's a different release branch).

What I'm looking for is simple commit information such as:

• CVE-2018-11039: 323ccf9
• CVE-2018-11040: 8748594
• CVE-2018-15756: 0447726

or failing that the SPR that tracked the change.

If such information was lost for 2018 CVEs, I'm still interested in identifying the CVE-2020-5421 fix.