It was discovered that the Spring Framework contains an information
disclosure vulnerability in the processing of certain Expression
Language (EL) patterns, allowing attackers to access sensitive
information using HTTP requests.
NOTE: This update adds a springJspExpressionSupport context parameter
which must be manually set to false when the Spring Framework runs
under a container which provides EL support itself.
For the stable distribution (squeeze), this problem has been fixed in
version 2.5.6.SEC02-2+squeeze1.
We recommend that you upgrade your libspring-2.5-java packages.
CPE | Name | Operator | Version |
---|---|---|---|
libspring-2.5-java | eq | 2.5.6.SEC02-2 |