| Summary: | springframework new security issue CVE-2015-3192 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/651279/ | ||
| Whiteboard: | has_procedure MGA5-64-OK advisory | ||
| Source RPM: | springframework-3.2.9-3.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser, 2015-07-16 22:06:15 CEST

David Walser, 2015-07-16 22:06:26 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO

David Geiger uploaded a fixed build for Mageia 5, but I guess it hasn't been buildable yet in Cauldron. Nothing is done for Mageia 4 yet.

springframework-3.2.14-1.mga5
springframework-aop-3.2.14-1.mga5
springframework-beans-3.2.14-1.mga5
springframework-context-3.2.14-1.mga5
springframework-context-support-3.2.14-1.mga5
springframework-expression-3.2.14-1.mga5
springframework-instrument-3.2.14-1.mga5
springframework-instrument-tomcat-3.2.14-1.mga5
springframework-javadoc-3.2.14-1.mga5
springframework-jdbc-3.2.14-1.mga5
springframework-jms-3.2.14-1.mga5
springframework-orm-3.2.14-1.mga5
springframework-oxm-3.2.14-1.mga5
springframework-struts-3.2.14-1.mga5
springframework-test-3.2.14-1.mga5
springframework-tx-3.2.14-1.mga5
springframework-web-3.2.14-1.mga5
springframework-webmvc-3.2.14-1.mga5
springframework-webmvc-portlet-3.2.14-1.mga5

from springframework-3.2.14-1.mga5.src.rpm

CC: (none) => geiger.david68210

springframework-3.2.14-1.mga6 uploaded for Cauldron by David.

Version: Cauldron => 5

@ David Walser: I think it is impossible to update springframework to version 3.2.14 for mga4 due to missing dependencies on "options", "jffi-native", "jdo-api" and maybe yet others. :( I tried to build locally on my mga4, but unsuccessfully.

We have patched springframework in the past, so that's an option, but this time I can't find any references to the upstream commit(s) to fix it. We could look at a diff between 3.2.13 and 3.2.14 and see how much of it is backportable. It sounds like this security issue is more impactful for >= 3.2, though the "other unsupported versions" being affected suggests 3.1 is affected somewhat:
http://pivotal.io/security/cve-2015-3192

If we decide we can't fix this for Mageia 4, I think we can live with that.

mga4 is on version 3.1.4 and I think it is much too old to get this security fix. I think also we can live without this fix for mga4.

Commits:
https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424
https://github.com/spring-projects/spring-framework/commit/0d394a02f3b7a0e7fcd36f2eff7682949c38b1b2
https://github.com/spring-projects/spring-framework/commit/d875772103132a448818568259346898524467e4

It looks like it would take significant effort to backport. Not worth it. We can't support this package on Mageia 4 anymore (and upstream isn't supporting 3.1 anyway). WONTFIX for Mageia 4.

Whiteboard: MGA4TOO => (none)

Package list in Comment 1.

Advisory:
========================

Updated springframework packages fix a security vulnerability:

In Spring Framework before 3.2.14, if DTD is not entirely disabled, inline DTD declarations can be used to perform denial of service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-decl feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false (CVE-2015-3192).

This package is no longer supported for Mageia 4. Users of this package are advised to upgrade to Mageia 5.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3192
http://pivotal.io/security/cve-2015-3192
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html

Assignee: bugsquad => qa-bugs

For this package we usually just check that it installs and updates cleanly. If someone has some knowledge about more relevant tests, just add them in a comment.

Whiteboard: (none) => has_procedure

Testing Mageia 5 64 complete.

*** Testing upgrade ***

```
# urpmi springframework springframework-aop springframework-beans springframework-context springframework-context-support springframework-expression springframework-instrument springframework-instrument springframework-javadoc springframework-jdbc springframework-jms springframework-orm springframework-oxm springframework-struts springframework-test springframework-tx springframework-web springframework-webmvc springframework-webmvc-portlet
```

then

```
# urpmi springframework springframework-aop springframework-beans springframework-context springframework-context-support springframework-expression springframework-instrument springframework-instrument springframework-javadoc springframework-jdbc springframework-jms springframework-orm springframework-oxm springframework-struts springframework-test springframework-tx springframework-web springframework-webmvc springframework-webmvc-portlet --search-media "Updates Testing"
```

all went well.

*** Testing installation ***

```
# urpme springframework springframework-aop springframework-beans springframework-context springframework-context-support springframework-expression springframework-instrument springframework-instrument springframework-javadoc springframework-jdbc springframework-jms springframework-orm springframework-oxm springframework-struts springframework-test springframework-tx springframework-web springframework-webmvc springframework-webmvc-portlet
```

then

```
# urpmi springframework springframework-aop springframework-beans springframework-context springframework-context-support springframework-expression springframework-instrument springframework-instrument springframework-javadoc springframework-jdbc springframework-jms springframework-orm springframework-oxm springframework-struts springframework-test springframework-tx springframework-web springframework-webmvc springframework-webmvc-portlet --search-media "Updates Testing"
```

Whiteboard: has_procedure => has_procedure MGA5-64-OK
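The mitigation the advisory above describes, as an added example that is not from the bug report or the Spring project: it configures the JDK's built-in DOM and StAX parsers the way the advisory says (disallow-doctype-decl set to true for DOM/SAX, supportDTD set to false for StAX) and checks each setting, weak beside hardened, against a constructed document carrying an inline DTD. It assumes only the standard JDK parsers; class and method names are the example's own.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;

public class DtdHardening {
    // Constructed sample: a document with an inline DTD declaring one entity.
    // An XML bomb is the same idea with nested, self-referencing entities; this
    // harmless one-entity version is enough to see whether the parser honours DTDs.
    static final String INLINE_DTD_DOC =
        "<?xml version=\"1.0\"?><!DOCTYPE r [ <!ENTITY e \"x\"> ]><r>&e;</r>";

    // DOM (SAXParserFactory takes the same feature): returns true if the document
    // parsed, i.e. the DTD was honoured; false if the parser rejected the DOCTYPE.
    static boolean domParses(String xml, boolean disallowDoctype) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", disallowDoctype);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (Exception e) {       // SAXParseException: DOCTYPE is disallowed
            return false;
        }
    }

    // StAX: returns true if the entity declared in the inline DTD was expanded to
    // "x", i.e. the DTD was processed; false if the reader ignored the DTD (parse
    // error or no expansion). supportDtd=false is the setting the advisory requires.
    static boolean staxExpandsEntity(String xml, boolean supportDtd) {
        try {
            XMLInputFactory f = XMLInputFactory.newInstance();
            f.setProperty(XMLInputFactory.SUPPORT_DTD, supportDtd);
            f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) text.append(r.getText());
            }
            return text.toString().equals("x");
        } catch (Exception e) {       // undeclared entity: the DTD subset was not processed
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("DOM, DTD allowed  : parsed=" + domParses(INLINE_DTD_DOC, false));
        System.out.println("DOM, hardened     : parsed=" + domParses(INLINE_DTD_DOC, true));
        System.out.println("StAX, DTD allowed : expanded=" + staxExpandsEntity(INLINE_DTD_DOC, true));
        System.out.println("StAX, hardened    : expanded=" + staxExpandsEntity(INLINE_DTD_DOC, false));
    }
}
```

Only the hardened rows should report false; a true there means the application's parser factory still processes inline DTDs and is exposed to the XML-bomb case the advisory describes.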
Dave Hodgins, 2015-07-28 16:52:55 CEST

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0294.html

Status: NEW => RESOLVED