Bug 13126

Summary: springframework new security issues CVE-2014-0054 and CVE-2014-1904
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dmorganec, mageia, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/592582/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: springframework-3.1.4-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-03-31 18:38:30 CEST 
Debian has issued an advisory on March 29:
http://www.debian.org/security/2014/dsa-2890

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-31 18:38:36 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-03-31 23:54:26 CEST 
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note to QA: just testing that these install should be sufficient.

Advisory:
========================

Updated springframework packages fix security vulnerabilities:

Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML
entities (CVE-2014-0054).

Spring MVC introduces a cross-site scripting vulnerability if the action on a
Spring form is not specified (CVE-2014-1904).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904
http://www.gopivotal.com/security/cve-2014-0054
http://www.gopivotal.com/security/cve-2014-1904
http://www.debian.org/security/2014/dsa-2890
========================

Updated packages in core/updates_testing:
========================
springframework-3.1.1-21.3.mga3
springframework-javadoc-3.1.1-21.3.mga3
springframework-aop-3.1.1-21.3.mga3
springframework-beans-3.1.1-21.3.mga3
springframework-context-3.1.1-21.3.mga3
springframework-context-support-3.1.1-21.3.mga3
springframework-expression-3.1.1-21.3.mga3
springframework-instrument-3.1.1-21.3.mga3
springframework-jdbc-3.1.1-21.3.mga3
springframework-jms-3.1.1-21.3.mga3
springframework-orm-3.1.1-21.3.mga3
springframework-oxm-3.1.1-21.3.mga3
springframework-struts-3.1.1-21.3.mga3
springframework-tx-3.1.1-21.3.mga3
springframework-web-3.1.1-21.3.mga3
springframework-webmvc-3.1.1-21.3.mga3
springframework-webmvc-portlet-3.1.1-21.3.mga3
springframework-3.1.4-2.2.mga4
springframework-javadoc-3.1.4-2.2.mga4
springframework-aop-3.1.4-2.2.mga4
springframework-beans-3.1.4-2.2.mga4
springframework-context-3.1.4-2.2.mga4
springframework-context-support-3.1.4-2.2.mga4
springframework-expression-3.1.4-2.2.mga4
springframework-instrument-3.1.4-2.2.mga4
springframework-instrument-tomcat-3.1.4-2.2.mga4
springframework-jdbc-3.1.4-2.2.mga4
springframework-jms-3.1.4-2.2.mga4
springframework-orm-3.1.4-2.2.mga4
springframework-oxm-3.1.4-2.2.mga4
springframework-struts-3.1.4-2.2.mga4
springframework-test-3.1.4-2.2.mga4
springframework-tx-3.1.4-2.2.mga4
springframework-web-3.1.4-2.2.mga4
springframework-webmvc-3.1.4-2.2.mga4
springframework-webmvc-portlet-3.1.4-2.2.mga4

from SRPMS:
springframework-3.1.1-21.3.mga3.src.rpm
springframework-3.1.4-2.2.mga4.src.rpm

CC: (none) => dmorganec
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 claire robinson 2014-04-01 18:37:51 CEST 
Testing complete mga3 32 & 64 and mga4 32 & 64

Just checked they update cleanly.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates.

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 3 Damien Lallement 2014-04-03 03:09:33 CEST 
http://advisories.mageia.org/MGASA-2014-0155.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED