Bug 13126 - springframework new security issues CVE-2014-0054 and CVE-2014-1904
: springframework new security issues CVE-2014-0054 and CVE-2014-1904
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/592582/
: MGA3TOO has_procedure advisory mga3-3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-03-31 18:38 CEST by David Walser
Modified: 2014-04-03 03:09 CEST (History)
3 users (show)

See Also:
Source RPM: springframework-3.1.4-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-03-31 18:38:30 CEST
Debian has issued an advisory on March 29:
http://www.debian.org/security/2014/dsa-2890

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-03-31 23:54:26 CEST
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note to QA: just testing that these install should be sufficient.

Advisory:
========================

Updated springframework packages fix security vulnerabilities:

Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML
entities (CVE-2014-0054).

Spring MVC introduces a cross-site scripting vulnerability if the action on a
Spring form is not specified (CVE-2014-1904).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904
http://www.gopivotal.com/security/cve-2014-0054
http://www.gopivotal.com/security/cve-2014-1904
http://www.debian.org/security/2014/dsa-2890
========================

Updated packages in core/updates_testing:
========================
springframework-3.1.1-21.3.mga3
springframework-javadoc-3.1.1-21.3.mga3
springframework-aop-3.1.1-21.3.mga3
springframework-beans-3.1.1-21.3.mga3
springframework-context-3.1.1-21.3.mga3
springframework-context-support-3.1.1-21.3.mga3
springframework-expression-3.1.1-21.3.mga3
springframework-instrument-3.1.1-21.3.mga3
springframework-jdbc-3.1.1-21.3.mga3
springframework-jms-3.1.1-21.3.mga3
springframework-orm-3.1.1-21.3.mga3
springframework-oxm-3.1.1-21.3.mga3
springframework-struts-3.1.1-21.3.mga3
springframework-tx-3.1.1-21.3.mga3
springframework-web-3.1.1-21.3.mga3
springframework-webmvc-3.1.1-21.3.mga3
springframework-webmvc-portlet-3.1.1-21.3.mga3
springframework-3.1.4-2.2.mga4
springframework-javadoc-3.1.4-2.2.mga4
springframework-aop-3.1.4-2.2.mga4
springframework-beans-3.1.4-2.2.mga4
springframework-context-3.1.4-2.2.mga4
springframework-context-support-3.1.4-2.2.mga4
springframework-expression-3.1.4-2.2.mga4
springframework-instrument-3.1.4-2.2.mga4
springframework-instrument-tomcat-3.1.4-2.2.mga4
springframework-jdbc-3.1.4-2.2.mga4
springframework-jms-3.1.4-2.2.mga4
springframework-orm-3.1.4-2.2.mga4
springframework-oxm-3.1.4-2.2.mga4
springframework-struts-3.1.4-2.2.mga4
springframework-test-3.1.4-2.2.mga4
springframework-tx-3.1.4-2.2.mga4
springframework-web-3.1.4-2.2.mga4
springframework-webmvc-3.1.4-2.2.mga4
springframework-webmvc-portlet-3.1.4-2.2.mga4

from SRPMS:
springframework-3.1.1-21.3.mga3.src.rpm
springframework-3.1.4-2.2.mga4.src.rpm
Comment 2 claire robinson 2014-04-01 18:37:51 CEST
Testing complete mga3 32 & 64 and mga4 32 & 64

Just checked they update cleanly.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates.

Thanks
Comment 3 Damien Lallement 2014-04-03 03:09:33 CEST
http://advisories.mageia.org/MGASA-2014-0155.html

Note You need to log in before you can comment on or make changes to this bug.