Debian has issued an advisory today (January 13): https://lists.debian.org/debian-security-announce/2014/msg00010.html

More info is on the Debian and RedHat bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720902
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152

Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
Blocks: (none) => 11726
D Morgan directed me to this commit: https://github.com/poutsma/spring-framework/commit/2843b7d2ee12e3f9c458f6f816befd21b402e3b9 which I've re-diffed and added in SVN for Mageia 3 and Cauldron.
Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated springframework packages fix security vulnerability:

Alvaro Munoz discovered an XML External Entity (XXE) injection in the Spring Framework which can be used for conducting CSRF and DoS attacks on other sites (CVE-2013-4152).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4152
http://www.debian.org/security/2014/dsa-2842
========================

Updated packages in core/updates_testing:
========================
springframework-3.1.1-21.1.mga3
springframework-javadoc-3.1.1-21.1.mga3
springframework-aop-3.1.1-21.1.mga3
springframework-beans-3.1.1-21.1.mga3
springframework-context-3.1.1-21.1.mga3
springframework-context-support-3.1.1-21.1.mga3
springframework-expression-3.1.1-21.1.mga3
springframework-instrument-3.1.1-21.1.mga3
springframework-jdbc-3.1.1-21.1.mga3
springframework-jms-3.1.1-21.1.mga3
springframework-orm-3.1.1-21.1.mga3
springframework-oxm-3.1.1-21.1.mga3
springframework-struts-3.1.1-21.1.mga3
springframework-tx-3.1.1-21.1.mga3
springframework-web-3.1.1-21.1.mga3
springframework-webmvc-3.1.1-21.1.mga3
springframework-webmvc-portlet-3.1.1-21.1.mga3

from springframework-3.1.1-21.1.mga3.src.rpm
CC: (none) => dmorganec
Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: dmorganec => qa-bugs
Whiteboard: MGA3TOO => (none)
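The advisory above describes the XXE class of bug: an XML parser that honours a DOCTYPE with an external entity will fetch whatever the entity points at on the server's behalf, which is how a crafted document turns into a request against other sites (the CSRF angle) or into resource exhaustion (the DoS angle). The hardening that closes it is the same whether the parser sits behind Spring's OXM unmarshallers or is used directly: refuse DOCTYPE declarations and external entities. The following is an added example, not code from this bug report, the Debian/Mageia packages, or the Spring Framework; the class name, the `lenientBuilder`/`hardenedBuilder` helpers and the sample document with its placeholder `example.invalid` URL are all constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Added example (not from the bug report or the Spring Framework): a JAXP
// DocumentBuilder configured to refuse DOCTYPEs and external entities, beside a
// default-configured builder, both fed the same constructed untrusted document.
public class XxeHardeningDemo {

    // Constructed sample input. It declares an external entity pointing at a
    // placeholder URL; a parser that resolves it would issue that request on the
    // server's behalf, which is the behaviour the advisory warns about.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"http://example.invalid/resource\"> ]>\n"
      + "<data>&ext;</data>";

    /** Default JAXP factory: DTDs and external entities are honoured. */
    static DocumentBuilder lenientBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: no DOCTYPE, no external general or parameter entities,
     *  no external DTD loading, no XInclude, no entity expansion. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing the DOCTYPE outright is the single most effective setting:
        // with no DTD there is nowhere to declare an entity at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns true if the builder accepted the document without error. */
    static boolean accepts(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc != null;
        } catch (Exception e) {
            // SAXParseException when the hardened builder rejects the DOCTYPE;
            // IOException if a lenient builder tried and failed to fetch the entity.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("lenient parser accepted document: "
            + accepts(lenientBuilder(), UNTRUSTED_XML));
        System.out.println("hardened parser accepted document: "
            + accepts(hardenedBuilder(), UNTRUSTED_XML));
    }
}
```

Run with `javac XxeHardeningDemo.java && java XxeHardeningDemo`. The hardened builder fails fast on the DOCTYPE line before any entity is looked at; the lenient builder only fails because `example.invalid` does not resolve, and it has already attempted the outbound request by then, which is the point: an outbound fetch the application never intended is the defect, whether or not it succeeds. When reviewing a Spring deployment for this CVE, the same check applies to every place XML from a client is unmarshalled (OXM unmarshallers, `Source`-based message converters, hand-rolled `DocumentBuilderFactory` or `SAXParserFactory` use), not only to the packages listed in the advisory.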
Just testing it installs & updates cleanly (and the 441 dependencies!)
Whiteboard: (none) => has_procedure
Testing complete mga3 32 & 64
Whiteboard: has_procedure => has_procedure mga3-32-ok mga3-64-ok
Advisory uploaded. Validating. Could sysadmin please push to 3 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-32-ok mga3-64-ok => has_procedure advisory mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0042.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED