| Summary: | spring2 new security issue CVE-2011-2730 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, dmorganec, puntogil, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/504289/ | | |
| Whiteboard: | | | |
| Source RPM: | spring2-2.5.6-2.mga2.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser 2012-06-29 19:40:19 CEST

David Walser 2012-06-29 19:40:51 CEST
CC: (none) => puntogil

David Walser 2012-06-29 19:41:04 CEST
CC: (none) => dmorganec

pushed in mga2 updates_testing

Thanks. It looks like the build for Cauldron failed though. I'll push this to QA once Cauldron is fixed.

Packages built for Mageia 2:
spring2-2.5.6-2.1.mga2.noarch.rpm
spring2-core-2.5.6-2.1.mga2.noarch.rpm
spring2-aspects-2.5.6-2.1.mga2.noarch.rpm
spring2-aop-2.5.6-2.1.mga2.noarch.rpm
spring2-agent-2.5.6-2.1.mga2.noarch.rpm
spring2-beans-2.5.6-2.1.mga2.noarch.rpm
spring2-context-2.5.6-2.1.mga2.noarch.rpm
spring2-context-support-2.5.6-2.1.mga2.noarch.rpm
spring2-jms-2.5.6-2.1.mga2.noarch.rpm
spring2-jdbc-2.5.6-2.1.mga2.noarch.rpm
spring2-orm-2.5.6-2.1.mga2.noarch.rpm
spring2-test-2.5.6-2.1.mga2.noarch.rpm
spring2-tomcat-weaver-2.5.6-2.1.mga2.noarch.rpm
spring2-tx-2.5.6-2.1.mga2.noarch.rpm
spring2-web-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-portlet-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-struts-2.5.6-2.1.mga2.noarch.rpm
spring2-all-2.5.6-2.1.mga2.noarch.rpm
spring2-javadoc-2.5.6-2.1.mga2.noarch.rpm
spring2-manual-2.5.6-2.1.mga2.noarch.rpm
spring2-demo-2.5.6-2.1.mga2.noarch.rpm
spring2-devel-2.5.6-2.1.mga2.noarch.rpm
from spring2-2.5.6-2.1.mga2.src.rpm

Looks like not all packages for mga2 updates_testing got uploaded.

all available now thanks to pterjan

I count 23 packages in the build log and 18 packages on the mirror. Also, did this ever get fixed in Cauldron? The build failed according to Comment 2.

I look directly on valstar, so just wait for the mirrors to be updated, but on the Mageia central server this is now OK. Yes, I will look on Cauldron later this week (I hope tomorrow).

D Morgan has decided to remove this from Cauldron. Assigning to QA now.

Advisory:
========================

Updated spring2 packages fix security vulnerability:

It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests (CVE-2011-2730).

Note: This update adds a springJspExpressionSupport context parameter which must be manually set to false when the Spring Framework runs under a container which provides EL support itself.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730
http://www.springsource.com/security/cve-2011-2730
http://www.debian.org/security/2012/dsa-2504
========================

Updated packages in core/updates_testing:
========================
spring2-2.5.6-2.1.mga2.noarch.rpm
spring2-core-2.5.6-2.1.mga2.noarch.rpm
spring2-aspects-2.5.6-2.1.mga2.noarch.rpm
spring2-aop-2.5.6-2.1.mga2.noarch.rpm
spring2-agent-2.5.6-2.1.mga2.noarch.rpm
spring2-beans-2.5.6-2.1.mga2.noarch.rpm
spring2-context-2.5.6-2.1.mga2.noarch.rpm
spring2-context-support-2.5.6-2.1.mga2.noarch.rpm
spring2-jms-2.5.6-2.1.mga2.noarch.rpm
spring2-jdbc-2.5.6-2.1.mga2.noarch.rpm
spring2-orm-2.5.6-2.1.mga2.noarch.rpm
spring2-test-2.5.6-2.1.mga2.noarch.rpm
spring2-tomcat-weaver-2.5.6-2.1.mga2.noarch.rpm
spring2-tx-2.5.6-2.1.mga2.noarch.rpm
spring2-web-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-portlet-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-struts-2.5.6-2.1.mga2.noarch.rpm
spring2-all-2.5.6-2.1.mga2.noarch.rpm
spring2-javadoc-2.5.6-2.1.mga2.noarch.rpm
spring2-manual-2.5.6-2.1.mga2.noarch.rpm
spring2-demo-2.5.6-2.1.mga2.noarch.rpm
spring2-devel-2.5.6-2.1.mga2.noarch.rpm
from spring2-2.5.6-2.1.mga2.src.rpm

Version: Cauldron => 2

Seems to be tutorials for this and some code samples here: http://www.springsource.org/get-started

I've posted a request for testers to the general discussion list.
CC: (none) => davidwhodgins

Looks like all we can test for this one is that it installs cleanly, which I've done.

Could someone from the sysadmin team push the srpm spring2-2.5.6-2.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates?

Advisory:

Updated spring2 packages fix security vulnerability:

It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests (CVE-2011-2730).

Note: This update adds a springJspExpressionSupport context parameter which must be manually set to false when the Spring Framework runs under a container which provides EL support itself.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730
http://www.springsource.com/security/cve-2011-2730
http://www.debian.org/security/2012/dsa-2504
https://bugs.mageia.org/show_bug.cgi?id=6625

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0217

Status: NEW => RESOLVED
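The springJspExpressionSupport setting named in the advisory note is a servlet context parameter, so on a deployment whose container already provides EL support it is set in the web application's WEB-INF/web.xml. This is an added example, not part of the bug report or of the Mageia packages; the web-app declaration is the standard Servlet 2.5 descriptor header and the application it belongs to is hypothetical:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of a hypothetical application (added example, not from
     the bug report). Setting springJspExpressionSupport to false tells the
     Spring JSP tag library not to evaluate EL expressions itself and to leave
     that to the container, which is the case the advisory note describes. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value>false</param-value>
  </context-param>

</web-app>
```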