| Summary: | springframework new security issue CVE-2015-5211 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | geiger.david68210, sysadmin-bugs, tmb, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/662788/ | | |
| Whiteboard: | MGA5-32-OK MGA5-64-OK advisory | | |
| Source RPM: | springframework-3.2.14-1.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2015-11-02 21:14:40 CET
Done for Cauldron and mga5 updating to 3.2.15 release.

Note that two new packages had to be imported for mga5 and Cauldron:
- json-path
- json-smart

Thanks David!

Advisory:
========================

Updated springframework packages fix security vulnerability:

Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response (CVE-2015-5211).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5211
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170543.html
========================

Updated packages in core/updates_testing:
========================
json-smart-1.3-0.20140820.1.mga5
json-smart-javadoc-1.3-0.20140820.1.mga5
json-path-0.9.1-1.mga5
json-path-javadoc-0.9.1-1.mga5
springframework-3.2.15-1.mga5
springframework-javadoc-3.2.15-1.mga5
springframework-aop-3.2.15-1.mga5
springframework-beans-3.2.15-1.mga5
springframework-context-3.2.15-1.mga5
springframework-context-support-3.2.15-1.mga5
springframework-expression-3.2.15-1.mga5
springframework-instrument-3.2.15-1.mga5
springframework-instrument-tomcat-3.2.15-1.mga5
springframework-jdbc-3.2.15-1.mga5
springframework-jms-3.2.15-1.mga5
springframework-orm-3.2.15-1.mga5
springframework-oxm-3.2.15-1.mga5
springframework-struts-3.2.15-1.mga5
springframework-test-3.2.15-1.mga5
springframework-test-mvc-3.2.15-1.mga5
springframework-tx-3.2.15-1.mga5
springframework-web-3.2.15-1.mga5
springframework-webmvc-3.2.15-1.mga5
springframework-webmvc-portlet-3.2.15-1.mga5

from SRPMS:
json-smart-1.3-0.20140820.1.mga5.src.rpm
json-path-0.9.1-1.mga5.src.rpm
springframework-3.2.15-1.mga5.src.rpm

CC: (none) => geiger.david68210

In VirtualBox, M5, KDE, 32-bit

Sample of package(s) under test:
springframework springframework-javadoc springframework-javadoc springframework-aop springframework-beans springframework-context springframework-instrument springframework-test springframework-web springframework-webmvc

Default install of some springframework packages ( over 325 )
Just a sampling:

[root@localhost wilcal]# urpmi springframework
Package springframework-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-javadoc
Package springframework-javadoc-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-aop
Package springframework-aop-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-beans
Package springframework-beans-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-context
Package springframework-context-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-instrument
Package springframework-instrument-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-test
Package springframework-test-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-web
Package springframework-web-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-webmvc
Package springframework-webmvc-3.2.14-1.mga5.noarch is already installed

All installed without error.

Install springframework packages from updates_testing

[root@localhost wilcal]# urpmi springframework
Package springframework-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-javadoc
Package springframework-javadoc-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-aop
Package springframework-aop-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-beans
Package springframework-beans-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-context
Package springframework-context-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-instrument
Package springframework-instrument-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-test
Package springframework-test-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-web
Package springframework-web-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-webmvc
Package springframework-webmvc-3.2.15-1.mga5.noarch is already installed

All package updates installed without error.

CC: (none) => wilcal.int
William Kenney
2015-11-03 17:46:38 CET
Whiteboard: (none) => MGA5-32-OK

This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update

advisory added

CC: (none) => tmb

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0426.html

Status: NEW => RESOLVED