Bug 12295

Summary: springframework new security issue CVE-2013-4152
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: dmorganec, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/580181/
Whiteboard: has_procedure advisory mga3-32-ok mga3-64-ok
Source RPM: springframework-3.1.1-21.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-01-13 22:18:40 CET 
Debian has issued an advisory today (January 13):
https://lists.debian.org/debian-security-announce/2014/msg00010.html

More info is on the Debian and RedHat bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720902
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-13 22:18:55 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-01-17 17:26:19 CET

Blocks: (none) => 11726

Comment 1 David Walser 2014-01-23 23:28:56 CET 
D Morgan directed me to this commit:
https://github.com/poutsma/spring-framework/commit/2843b7d2ee12e3f9c458f6f816befd21b402e3b9

which I've re-diffed and added in SVN for Mageia 3 and Cauldron.
Comment 2 David Walser 2014-01-23 23:57:11 CET 
Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated springframework packages fix security vulnerability:

Alvaro Munoz discovered a XML External Entity (XXE) injection in the Spring
Framework which can be used for conducting CSRF and DoS attacks on other sites
(CVE-2013-4152).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4152
http://www.debian.org/security/2014/dsa-2842
========================

Updated packages in core/updates_testing:
========================
springframework-3.1.1-21.1.mga3
springframework-javadoc-3.1.1-21.1.mga3
springframework-aop-3.1.1-21.1.mga3
springframework-beans-3.1.1-21.1.mga3
springframework-context-3.1.1-21.1.mga3
springframework-context-support-3.1.1-21.1.mga3
springframework-expression-3.1.1-21.1.mga3
springframework-instrument-3.1.1-21.1.mga3
springframework-jdbc-3.1.1-21.1.mga3
springframework-jms-3.1.1-21.1.mga3
springframework-orm-3.1.1-21.1.mga3
springframework-oxm-3.1.1-21.1.mga3
springframework-struts-3.1.1-21.1.mga3
springframework-tx-3.1.1-21.1.mga3
springframework-web-3.1.1-21.1.mga3
springframework-webmvc-3.1.1-21.1.mga3
springframework-webmvc-portlet-3.1.1-21.1.mga3

from springframework-3.1.1-21.1.mga3.src.rpm

CC: (none) => dmorganec
Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: dmorganec => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 3 claire robinson 2014-02-10 17:56:31 CET 
Just testing it installs & updates cleanly (and the 441 dependencies!)

Whiteboard: (none) => has_procedure

Comment 4 claire robinson 2014-02-10 18:29:48 CET 
Testing complete mga3 32 & 64

Whiteboard: has_procedure => has_procedure mga3-32-ok mga3-64-ok

Comment 5 claire robinson 2014-02-10 18:33:42 CET 
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-02-10 21:24:39 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0042.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED