Debian has issued an advisory on February 8: http://www.debian.org/security/2014/dsa-2857

The fix for CVE-2013-4152 was incomplete, and an XSS issue was found.

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Upstream commits are linked in this post: https://lists.debian.org/debian-java/2014/01/msg00052.html

As it says, the CVE-2013-6430 patch applies cleanly, while the CVE-2013-6429 patch needs some work.
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated springframework packages fix security vulnerabilities:

It was discovered by the Spring development team that the fix for the XML External Entity (XXE) Injection (CVE-2013-4152) in the Spring Framework was incomplete. Spring MVC's SourceHttpMessageConverter also processed user-provided XML and neither disabled XML external entities nor provided an option to disable them. SourceHttpMessageConverter has been modified to provide an option to control the processing of XML external entities, and that processing is now disabled by default (CVE-2013-6429).

In addition, Jon Passki discovered a possible XSS vulnerability: the JavaScriptUtils.javaScriptEscape() method did not escape all characters that are sensitive within either a JS single-quoted string, JS double-quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error, but in some cases it could result in an XSS vulnerability (CVE-2013-6430).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6430
http://www.debian.org/security/2014/dsa-2857
========================

Updated packages in core/updates_testing:
========================
springframework-3.1.1-21.2.mga3
springframework-javadoc-3.1.1-21.2.mga3
springframework-aop-3.1.1-21.2.mga3
springframework-beans-3.1.1-21.2.mga3
springframework-context-3.1.1-21.2.mga3
springframework-context-support-3.1.1-21.2.mga3
springframework-expression-3.1.1-21.2.mga3
springframework-instrument-3.1.1-21.2.mga3
springframework-jdbc-3.1.1-21.2.mga3
springframework-jms-3.1.1-21.2.mga3
springframework-orm-3.1.1-21.2.mga3
springframework-oxm-3.1.1-21.2.mga3
springframework-struts-3.1.1-21.2.mga3
springframework-tx-3.1.1-21.2.mga3
springframework-web-3.1.1-21.2.mga3
springframework-webmvc-3.1.1-21.2.mga3
springframework-webmvc-portlet-3.1.1-21.2.mga3

springframework-3.1.4-2.1.mga4
springframework-javadoc-3.1.4-2.1.mga4
springframework-aop-3.1.4-2.1.mga4
springframework-beans-3.1.4-2.1.mga4
springframework-context-3.1.4-2.1.mga4
springframework-context-support-3.1.4-2.1.mga4
springframework-expression-3.1.4-2.1.mga4
springframework-instrument-3.1.4-2.1.mga4
springframework-instrument-tomcat-3.1.4-2.1.mga4
springframework-jdbc-3.1.4-2.1.mga4
springframework-jms-3.1.4-2.1.mga4
springframework-orm-3.1.4-2.1.mga4
springframework-oxm-3.1.4-2.1.mga4
springframework-struts-3.1.4-2.1.mga4
springframework-test-3.1.4-2.1.mga4
springframework-tx-3.1.4-2.1.mga4
springframework-web-3.1.4-2.1.mga4
springframework-webmvc-3.1.4-2.1.mga4
springframework-webmvc-portlet-3.1.4-2.1.mga4

from SRPMS:
springframework-3.1.1-21.2.mga3.src.rpm
springframework-3.1.4-2.1.mga4.src.rpm
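The javaScriptEscape() gap described in the advisory is easy to check for from the defending side. The following is an added example, not Spring's code and not part of this bug report: a constructed naive escaper that handles only quotes and backslashes, beside one that covers the characters the advisory lists (JS string terminators, the U+2028/U+2029 line separators, and the `<` that opens `</script>` and `<!--` in HTML script data), with a check that the rendered output no longer breaks out of the script block. All names and the sample value are constructed for illustration.

```python
import re

# Added example (not Spring's code): escaping for a value embedded in a JS
# string literal inside an HTML <script> block, covering the three contexts
# the advisory names: JS single-quoted string, JS double-quoted string and
# HTML script data. Every name here is constructed for illustration.

# Characters that end or alter a JS string literal, plus "<" and ">" (which
# form "</script>" and "<!--" in HTML script data) and "/" as extra margin.
_JS_ESCAPES = {
    "\\": "\\\\", '"': '\\"', "'": "\\'",
    "\n": "\\n", "\r": "\\r", "\t": "\\t", "\f": "\\f", "\b": "\\b", "\v": "\\v",
    "\u2028": "\\u2028",  # LINE SEPARATOR: plain text to HTML, a newline to JS
    "\u2029": "\\u2029",  # PARAGRAPH SEPARATOR: same problem
    "<": "\\u003C", ">": "\\u003E", "/": "\\/",
}

# Sequences an HTML parser or JS lexer acts on inside a script block.
_BREAKOUT = re.compile(r"</script|<!--|[\u2028\u2029\r\n]", re.IGNORECASE)

_PREFIX = "<script>var msg = '"
_SUFFIX = "';</script>"


def naive_js_escape(value: str) -> str:
    """Constructed 'before' behaviour: quotes and backslashes only."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def js_escape(value: str) -> str:
    """Escape every character sensitive in a JS string or HTML script data."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)


def render_script(value: str, escaper) -> str:
    """Embed value in a single-quoted JS string the way a template might."""
    return _PREFIX + escaper(value) + _SUFFIX


def breaks_out(html: str) -> bool:
    """True if the embedded value still contains a sequence that would end
    the script block or the string literal before the closing quote."""
    body = html[len(_PREFIX):-len(_SUFFIX)]
    return _BREAKOUT.search(body) is not None


# Constructed sample: a value a user could submit, touching all three contexts.
SAMPLE = "it's </script><!-- x -->\u2028done"

if __name__ == "__main__":
    for name, esc in (("naive", naive_js_escape), ("full", js_escape)):
        print(name, "breaks out:", breaks_out(render_script(SAMPLE, esc)))
```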
CC: (none) => dmorganec
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
To test, just ensure the packages install and update cleanly.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Installed on mga4 32bit:

[root@localhost marc]# rpm -qa | grep springframework
springframework-jdbc-3.1.4-2.mga4
springframework-webmvc-portlet-3.1.4-2.mga4
springframework-context-3.1.4-2.mga4
springframework-web-3.1.4-2.mga4
springframework-orm-3.1.4-2.mga4
springframework-beans-3.1.4-2.mga4
springframework-aop-3.1.4-2.mga4
springframework-tx-3.1.4-2.mga4
springframework-javadoc-3.1.4-2.mga4
springframework-struts-3.1.4-2.mga4
springframework-expression-3.1.4-2.mga4
springframework-context-support-3.1.4-2.mga4
springframework-jms-3.1.4-2.mga4
springframework-instrument-3.1.4-2.mga4
springframework-instrument-tomcat-3.1.4-2.mga4
springframework-oxm-3.1.4-2.mga4
springframework-webmvc-3.1.4-2.mga4
springframework-test-3.1.4-2.mga4
springframework-3.1.4-2.mga4

after update:

[root@localhost marc]# rpm -qa | grep springframe
springframework-oxm-3.1.4-2.1.mga4
springframework-jdbc-3.1.4-2.1.mga4
springframework-3.1.4-2.1.mga4
springframework-orm-3.1.4-2.1.mga4
springframework-expression-3.1.4-2.1.mga4
springframework-aop-3.1.4-2.1.mga4
springframework-context-support-3.1.4-2.1.mga4
springframework-struts-3.1.4-2.1.mga4
springframework-context-3.1.4-2.1.mga4
springframework-jms-3.1.4-2.1.mga4
springframework-instrument-3.1.4-2.1.mga4
springframework-webmvc-portlet-3.1.4-2.1.mga4
springframework-web-3.1.4-2.1.mga4
springframework-javadoc-3.1.4-2.1.mga4
springframework-instrument-tomcat-3.1.4-2.1.mga4
springframework-beans-3.1.4-2.1.mga4
springframework-test-3.1.4-2.1.mga4
springframework-tx-3.1.4-2.1.mga4
springframework-webmvc-3.1.4-2.1.mga4

Everything installed and updated smoothly. Going on with 64bit.
CC: (none) => marc.lattemann
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-32-OK
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: springframework

default install of springframework

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.1-21.1.mga3.noarch is already installed

installs as expected

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.1-21.2.mga3.noarch is already installed

installs as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: springframework

437 other related packages install from updates_testing as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: springframework

[root@localhost wilcal]# uname -a
Linux localhost 3.10.28-desktop-1.mga3 #1 SMP Sat Feb 1 16:15:10 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

default install of springframework

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.1-21.1.mga3.noarch is already installed

installs as expected

install springframework from update_testing

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.1-21.2.mga3.noarch is already installed

installs as expected

437 other related packages install as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK
In my comment #4 it seems that not all packages are installed as listed in comment #2 - this probably depends on the pre-selection when running 'urpmi -ay springframework'? Or is there another way to install all packages? However, on mga4 64bit I get the same result with the same packages installed. If this is OK, then it can be validated?
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: springframework

[wilcal@localhost ~]$ uname -a
Linux localhost 3.12.9-desktop-1.mga4 #1 SMP Sat Feb 1 18:16:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

default install of springframework

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.4-2.mga4.noarch is already installed

installs as expected

install springframework from update_testing

[root@localhost wilcal]# urpmi springframework
Package springframework-3.1.4-2.1.mga4.noarch is already installed

installs as expected

431 other related packages install as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
Update pushed: http://advisories.mageia.org/MGASA-2014-0096.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED