Debian has issued an advisory on March 29: http://www.debian.org/security/2014/dsa-2890 Mageia 3 and Mageia 4 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Note to QA: just testing that these install should be sufficient. Advisory: ======================== Updated springframework packages fix security vulnerabilities: Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML entities (CVE-2014-0054). Spring MVC introduces a cross-site scripting vulnerability if the action on a Spring form is not specified (CVE-2014-1904). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904 http://www.gopivotal.com/security/cve-2014-0054 http://www.gopivotal.com/security/cve-2014-1904 http://www.debian.org/security/2014/dsa-2890 ======================== Updated packages in core/updates_testing: ======================== springframework-3.1.1-21.3.mga3 springframework-javadoc-3.1.1-21.3.mga3 springframework-aop-3.1.1-21.3.mga3 springframework-beans-3.1.1-21.3.mga3 springframework-context-3.1.1-21.3.mga3 springframework-context-support-3.1.1-21.3.mga3 springframework-expression-3.1.1-21.3.mga3 springframework-instrument-3.1.1-21.3.mga3 springframework-jdbc-3.1.1-21.3.mga3 springframework-jms-3.1.1-21.3.mga3 springframework-orm-3.1.1-21.3.mga3 springframework-oxm-3.1.1-21.3.mga3 springframework-struts-3.1.1-21.3.mga3 springframework-tx-3.1.1-21.3.mga3 springframework-web-3.1.1-21.3.mga3 springframework-webmvc-3.1.1-21.3.mga3 springframework-webmvc-portlet-3.1.1-21.3.mga3 springframework-3.1.4-2.2.mga4 springframework-javadoc-3.1.4-2.2.mga4 springframework-aop-3.1.4-2.2.mga4 springframework-beans-3.1.4-2.2.mga4 springframework-context-3.1.4-2.2.mga4 springframework-context-support-3.1.4-2.2.mga4 springframework-expression-3.1.4-2.2.mga4 springframework-instrument-3.1.4-2.2.mga4 springframework-instrument-tomcat-3.1.4-2.2.mga4 springframework-jdbc-3.1.4-2.2.mga4 springframework-jms-3.1.4-2.2.mga4 springframework-orm-3.1.4-2.2.mga4 springframework-oxm-3.1.4-2.2.mga4 springframework-struts-3.1.4-2.2.mga4 springframework-test-3.1.4-2.2.mga4 springframework-tx-3.1.4-2.2.mga4 springframework-web-3.1.4-2.2.mga4 springframework-webmvc-3.1.4-2.2.mga4 springframework-webmvc-portlet-3.1.4-2.2.mga4 from SRPMS: springframework-3.1.1-21.3.mga3.src.rpm springframework-3.1.4-2.2.mga4.src.rpm
CC: (none) => dmorganecVersion: Cauldron => 4Assignee: dmorganec => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing complete mga3 32 & 64 and mga4 32 & 64 Just checked they update cleanly. Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates. Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0155.html
Status: NEW => RESOLVEDCC: (none) => mageiaResolution: (none) => FIXED