Bug 13126 - springframework new security issues CVE-2014-0054 and CVE-2014-1904
Summary: springframework new security issues CVE-2014-0054 and CVE-2014-1904
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/592582/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-03-31 18:38 CEST by David Walser
Modified: 2014-04-03 03:09 CEST

See Also:
Source RPM: springframework-3.1.4-2.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-03-31 18:38:30 CEST
Debian has issued an advisory on March 29:
http://www.debian.org/security/2014/dsa-2890

Mageia 3 and Mageia 4 are also affected.

David Walser 2014-03-31 18:38:36 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-03-31 23:54:26 CEST
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note to QA: just testing that these install should be sufficient.

Advisory:
========================

Updated springframework packages fix security vulnerabilities:

Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML
entities (CVE-2014-0054).

Spring MVC introduces a cross-site scripting vulnerability if the action on a
Spring form is not specified (CVE-2014-1904).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904
http://www.gopivotal.com/security/cve-2014-0054
http://www.gopivotal.com/security/cve-2014-1904
http://www.debian.org/security/2014/dsa-2890
========================

Updated packages in core/updates_testing:
========================
springframework-3.1.1-21.3.mga3
springframework-javadoc-3.1.1-21.3.mga3
springframework-aop-3.1.1-21.3.mga3
springframework-beans-3.1.1-21.3.mga3
springframework-context-3.1.1-21.3.mga3
springframework-context-support-3.1.1-21.3.mga3
springframework-expression-3.1.1-21.3.mga3
springframework-instrument-3.1.1-21.3.mga3
springframework-jdbc-3.1.1-21.3.mga3
springframework-jms-3.1.1-21.3.mga3
springframework-orm-3.1.1-21.3.mga3
springframework-oxm-3.1.1-21.3.mga3
springframework-struts-3.1.1-21.3.mga3
springframework-tx-3.1.1-21.3.mga3
springframework-web-3.1.1-21.3.mga3
springframework-webmvc-3.1.1-21.3.mga3
springframework-webmvc-portlet-3.1.1-21.3.mga3
springframework-3.1.4-2.2.mga4
springframework-javadoc-3.1.4-2.2.mga4
springframework-aop-3.1.4-2.2.mga4
springframework-beans-3.1.4-2.2.mga4
springframework-context-3.1.4-2.2.mga4
springframework-context-support-3.1.4-2.2.mga4
springframework-expression-3.1.4-2.2.mga4
springframework-instrument-3.1.4-2.2.mga4
springframework-instrument-tomcat-3.1.4-2.2.mga4
springframework-jdbc-3.1.4-2.2.mga4
springframework-jms-3.1.4-2.2.mga4
springframework-orm-3.1.4-2.2.mga4
springframework-oxm-3.1.4-2.2.mga4
springframework-struts-3.1.4-2.2.mga4
springframework-test-3.1.4-2.2.mga4
springframework-tx-3.1.4-2.2.mga4
springframework-web-3.1.4-2.2.mga4
springframework-webmvc-3.1.4-2.2.mga4
springframework-webmvc-portlet-3.1.4-2.2.mga4

from SRPMS:
springframework-3.1.1-21.3.mga3.src.rpm
springframework-3.1.4-2.2.mga4.src.rpm

CC: (none) => dmorganec
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 claire robinson 2014-04-01 18:37:51 CEST
Testing complete mga3 32 & 64 and mga4 32 & 64

Just checked they update cleanly.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates.

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 3 Damien Lallement 2014-04-03 03:09:33 CEST
http://advisories.mageia.org/MGASA-2014-0155.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

