Bug 15886

Summary: springframework new security issue CVE-2014-0225
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/643699/
Whiteboard: has_procedure advisory mga4-32-ok MGA4-64-OK
Source RPM: springframework-3.1.4-2.2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-05-08 18:54:39 CEST 
Fedora has issued an advisory on April 26:
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157348.html

The patch they added doesn't work for us because it conflicts with a few patches that we added for other security issues that they never got around to fixing.  It appears that their patch partially supercedes two of them.  The upstream commit for this CVE doesn't appear to be backportable.  I don't see how to fix this without possibly losing some of the other fixes we've already added.

Reproducible: 

Steps to Reproduce:
Comment 1 Nicolas Lécureuil 2015-05-10 23:39:34 CEST 
i tested to backport debian patch

CC: (none) => mageia

Comment 2 David Walser 2015-05-11 00:11:38 CEST 
Nicolas saw that Debian had a patch after all.  I had looked there, but I missed it.  Thanks!

Advisory:
========================

Updated springframework packages fix security vulnerabilities:

When processing user provided XML documents, the Spring Framework did not
disable by default the resolution of URI references in a DTD declaration. By
observing differences in response times, an attacker could then identify
valid IP addresses on the internal network with functioning web servers
(CVE-2014-0225).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157348.html
========================

Updated packages in core/updates_testing:
========================
springframework-3.1.4-2.3.mga4
springframework-javadoc-3.1.4-2.3.mga4
springframework-aop-3.1.4-2.3.mga4
springframework-beans-3.1.4-2.3.mga4
springframework-context-3.1.4-2.3.mga4
springframework-context-support-3.1.4-2.3.mga4
springframework-expression-3.1.4-2.3.mga4
springframework-instrument-3.1.4-2.3.mga4
springframework-instrument-tomcat-3.1.4-2.3.mga4
springframework-jdbc-3.1.4-2.3.mga4
springframework-jms-3.1.4-2.3.mga4
springframework-orm-3.1.4-2.3.mga4
springframework-oxm-3.1.4-2.3.mga4
springframework-struts-3.1.4-2.3.mga4
springframework-test-3.1.4-2.3.mga4
springframework-tx-3.1.4-2.3.mga4
springframework-web-3.1.4-2.3.mga4
springframework-webmvc-3.1.4-2.3.mga4
springframework-webmvc-portlet-3.1.4-2.3.mga4

from springframework-3.1.4-2.3.mga4.src.rpm

Assignee: dmorganec => qa-bugs

Comment 3 David Walser 2015-05-11 15:06:36 CEST 
Please just verify that the updated packages install cleanly.

Whiteboard: (none) => has_procedure

claire robinson 2015-05-11 15:13:56 CEST

Whiteboard: has_procedure => has_procedure mga4-32-ok

Comment 4 Shlomi Fish 2015-05-11 17:02:19 CEST 
(In reply to David Walser from comment #3)
> Please just verify that the updated packages install cleanly.

updated packages install cleanly on MGA4-64-OK on VBox.

CC: (none) => shlomif
Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok MGA4-64-OK

Comment 5 claire robinson 2015-05-11 17:32:10 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok MGA4-64-OK => has_procedure advisory mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-05-11 22:11:45 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0211.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED