===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.2513
[SECURITY] [DLA 1848-1] libspring-security-2.0-java security update
10 July 2019

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           libspring-security-2.0-java
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11272

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/07/msg00008.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running libspring-security-2.0-java check for an updated version of
         the software for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : libspring-security-2.0-java
Version        : 2.0.7.RELEASE-3+deb8u2
CVE ID         : CVE-2019-11272

Spring Security supports plain text passwords using PlaintextPasswordEncoder.
If an application using an affected version of Spring Security is
leveraging PlaintextPasswordEncoder and a user has a null encoded
password, a malicious user (or attacker) can authenticate using a
password of "null".

For Debian 8 "Jessie", this problem has been fixed in version
2.0.7.RELEASE-3+deb8u2.

We recommend that you upgrade your libspring-security-2.0-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
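
Added example (not code from Spring Security, Debian or AusCERT): a minimal Java model of the failure described for CVE-2019-11272 in the bulletin above, where a plain-text comparison coerces a null stored password to the text "null", shown beside a strict comparison that rejects null and a helper that lists accounts with a null stored password. The class, method and account names are hypothetical, and the user store is constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class NullPasswordCheck {
    // Flawed pattern (illustrative): concatenating with "" turns a null
    // stored value into the four-character text "null" before comparing.
    static boolean matchesCoercing(String stored, String presented) {
        return constantTimeEquals(stored + "", presented + "");
    }

    // Hardened pattern: an absent stored or presented password never matches.
    static boolean matchesStrict(String stored, String presented) {
        if (stored == null || presented == null) {
            return false;
        }
        return constantTimeEquals(stored, presented);
    }

    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // Audit helper: accounts whose stored password is null are the ones at risk.
    static List<String> accountsWithNullPassword(Map<String, String> store) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, String> entry : store.entrySet()) {
            if (entry.getValue() == null) {
                flagged.add(entry.getKey());
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed sample user store; "svc-batch" has no password set.
        Map<String, String> store = new LinkedHashMap<>();
        store.put("alice", "correct horse");
        store.put("svc-batch", null);

        String stored = store.get("svc-batch");
        System.out.println("coercing accepts \"null\": " + matchesCoercing(stored, "null"));
        System.out.println("strict accepts \"null\":   " + matchesStrict(stored, "null"));
        System.out.println("strict accepts alice:    " + matchesStrict(store.get("alice"), "correct horse"));
        System.out.println("accounts to review:      " + accountsWithNullPassword(store));
    }
}
```

The strict form only models the expected behaviour; for deployed systems the fix remains the package upgrade named in the advisory.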