| Summary: | spring-ldap new security issue CVE-2017-8028 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, mhrambo3501, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | spring-ldap-1.3.1-14.mga6.src.rpm | CVE: | |
| Status comment: | Patch available from Debian | ||
Description
David Walser
2017-11-26 19:24:22 CET

David Walser
2017-11-26 19:24:34 CET
CC: (none) => geiger.david68210

David Walser
2018-02-02 18:23:12 CET
Status comment: (none) => Patch available from Debian

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated spring-ldap package fixes security vulnerability:

It was discovered that spring-ldap would under some circumstances allow authentication with a correct username but an arbitrary password (CVE-2017-8028).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8028
https://www.debian.org/security/2017/dsa-4046
========================

Updated packages in core/updates_testing:
========================
spring-ldap-1.3.1-14.1.mga6.noarch.rpm
spring-ldap-javadoc-1.3.1-14.1.mga6.noarch.rpm

from spring-ldap-1.3.1-14.1.mga6.src.rpm

Assignee: mageia => qa-bugs

Testing M6/64

These packages have no previous updates.

Summary : Java library for simplifying LDAP operations
Description :
Spring LDAP is a Java library for simplifying LDAP operations, based on the pattern of Spring's JdbcTemplate. The framework relieves the user of common chores, such as looking up and closing contexts, looping through results, etc etc etc

$ urpmq --whatrequires-recursive spring-ldap | sort -u
springframework-security
spring-ldap
-----------

Fortunately no sign of a test case (POC). Going for clean update only.

Installing from issued repos:

# urpmi spring-ldap spring-ldap-javadoc
I fodloni dibyniaethau, gosodir y pecynnau canlynol:
  Pecyn                        Fersiwn    Rhifyn     Arch
(cyfrwng "Core Release2")
  aopalliance                  1.0        15.mga6    noarch
  apache-commons-io            2.4        11.mga6    noarch
  apache-commons-lang          2.6        20.mga6    noarch
  bea-stax-api                 1.2.0      13.mga6    noarch
  bytelist                     1.0.8      12.mga6    noarch
  cglib                        3.2.4      2.mga6     noarch
  freemarker                   2.3.23     3.mga6     noarch
  geronimo-interceptor         1.0.1      16.mga6    noarch
  geronimo-validation          1.1        16.mga6    noarch
  hibernate-jpa-2.0-api        1.0.1      19.mga6    noarch
  hsqldb1                      1.8.1.3    11.mga6    noarch
  jboss-connector-1.7-api      1.0.0      6.mga6     noarch
  jcodings                     1.0.9      11.mga6    noarch
  jettison                     1.3.7      3.mga6     noarch
  log4j                        2.5        8.mga6     noarch
  spring-ldap                  1.3.1      14.mga6    noarch
  spring-ldap-javadoc          1.3.1      14.mga6    noarch
  springframework              3.2.18     1.mga6     noarch
  springframework-aop          3.2.18     1.mga6     noarch
  springframework-batch        2.2.7      3.mga6     noarch
  springframework-beans        3.2.18     1.mga6     noarch
  springframework-context      3.2.18     1.mga6     noarch
  springframework-expression   3.2.18     1.mga6     noarch
  springframework-jdbc         3.2.18     1.mga6     noarch
  springframework-retry        1.1.1      4.mga6     noarch
  springframework-test         3.2.18     1.mga6     noarch
  springframework-tx           3.2.18     1.mga6     noarch

The UPDATE pulled in an updated library:
- liblog4j12-java-1.2.17-17.mga6.noarch
- spring-ldap-1.3.1-14.1.mga6.noarch
- spring-ldap-javadoc-1.3.1-14.1.mga6.noarch
and went without issue.

Doubt we can do more. OKing etc the update.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0235.html

Status: NEW => RESOLVED