Hi,

I'm part of the Debian LTS (Long Term Support) Team and I'm reviewing the security issues that affect the versions of Spring Framework shipped by Debian, so as to determine if they are vulnerable, and fix them for Debian users.

I could not identify the patches/commits related to CVE-2021-22096 (including through checking the official vulnerability report and the Git 5.2/5.3 history), would you mind pointing me to them?

Regards,

Comment From: bclozel

Hello @Beuc

The Spring Framework team does not discuss CVE details publicly on our issue tracker. Please reach out through the proper channels using your official Debian credentials.

Thanks!

Comment From: bennypi

Hello @bclozel ,

I'm in a similar situation as @Beuc as I want to determine if our application is at risk and what the potential damage is (although I am not part of the Debian team, just a regular spring user). The page you have linked does not contain any information on how to get more information for this CVE. It tells me what to do when I want to report a vulnerability, and where fixed vulnerabilities are published. But the security advisories show no results for this CVE, and the KB article is as vague as it gets.

What are my options to get more information on this CVE? Is there some paid subscription necessary to get more information?

Thanks, Benny

Comment From: bclozel

Hello @bennypi

We do our best to communicate how and when applications can be vulnerable in the official security report. In this case, we can't give more details because: 1. it could help people to build exploits for it; 2. our description might not be 100% complete and might misguide developers.

In this case there is no easy-to-find configuration or dependency that signals whether your application is vulnerable or not (otherwise we would have written that in the report). Upgrading is the safest choice here.

A support subscription doesn't give you more access, but we can help you determine if your applications are vulnerable.

Comment From: Beuc

Hi. For the record, I contacted security@vmware.com, who answered that they didn't have the time to provide further details. Given this and #26821, it seems Debian does not have the means to assess or fix security issues in its libspring-java package, and may have to drop security support for it; this is currently under discussion.

Comment From: bclozel

> Hi. For the record, I contacted security@vmware.com who answered they didn't have the time to provide further details.

@Beuc that is inaccurate. The team pointed you to a particular place in the codebase that holds the relevant changes over several commits.

> Given this and #26821, it seems Debian does not have the means to assess nor fix security issues in its libspring-java package, and may have to drop security support for it, this is currently under discussion.

Looking at #26821 in particular, providing such details on a regular basis, especially when they're applied on a different baseline because of Debian constraints, also represents a significant amount of work for our team.

Maybe this arrangement wasn't ideal in the first place, shipping forks of Spring Framework that are not used by the broader community nor covered by our OSS support policy.

Comment From: Beuc

Indeed, the team also wrote: "In this case it's relatively easy to point to changes related to and surrounding the use of [class name], but you'll have to track down its history and usages."

More generally, the information a packager is looking for is the impacted code (to assess if the shipped version is vulnerable) and reasonable certainty about the fix (to ensure we don't ship an unrelated fix and leave the "fixed" version vulnerable).

To further clarify, we rarely need direct interaction with the developers of projects packaged in Debian; usually CVE fixes are reasonably identified and/or independent. Note that we didn't request fixes for a different baseline, just help identifying the fix for the current release; we usually handle the backport on our side.

Anyway, this probably isn't the place to discuss full security strategies, but I'd be happy to provide contact points and time to help enhance Spring in Debian.