Fedora has issued an advisory on April 26: https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157348.html The patch they added doesn't work for us because it conflicts with a few patches that we added for other security issues that they never got around to fixing. It appears that their patch partially supersedes two of them. The upstream commit for this CVE doesn't appear to be backportable. I don't see how to fix this without possibly losing some of the other fixes we've already added.
I tested backporting the Debian patch.
CC: (none) => mageia
Nicolas saw that Debian had a patch after all. I had looked there, but I missed it. Thanks!

Advisory:
========================

Updated springframework packages fix security vulnerabilities:

When processing user provided XML documents, the Spring Framework did not disable by default the resolution of URI references in a DTD declaration. By observing differences in response times, an attacker could then identify valid IP addresses on the internal network with functioning web servers (CVE-2014-0225).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157348.html
========================

Updated packages in core/updates_testing:
========================
springframework-3.1.4-2.3.mga4
springframework-javadoc-3.1.4-2.3.mga4
springframework-aop-3.1.4-2.3.mga4
springframework-beans-3.1.4-2.3.mga4
springframework-context-3.1.4-2.3.mga4
springframework-context-support-3.1.4-2.3.mga4
springframework-expression-3.1.4-2.3.mga4
springframework-instrument-3.1.4-2.3.mga4
springframework-instrument-tomcat-3.1.4-2.3.mga4
springframework-jdbc-3.1.4-2.3.mga4
springframework-jms-3.1.4-2.3.mga4
springframework-orm-3.1.4-2.3.mga4
springframework-oxm-3.1.4-2.3.mga4
springframework-struts-3.1.4-2.3.mga4
springframework-test-3.1.4-2.3.mga4
springframework-tx-3.1.4-2.3.mga4
springframework-web-3.1.4-2.3.mga4
springframework-webmvc-3.1.4-2.3.mga4
springframework-webmvc-portlet-3.1.4-2.3.mga4

from springframework-3.1.4-2.3.mga4.src.rpm
Assignee: dmorganec => qa-bugs
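The advisory above describes the parser default at issue: a DTD declaration carrying an external URI that the XML parser resolves unless told not to. The following is an added illustration written for this page, not Mageia's or Spring's patch; it uses the plain JAXP API rather than Spring's converters, and the DTD URI in the sample document and the Xerces feature names are assumptions about the parser in use.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class DtdResolutionDemo {

    // Constructed sample: a document whose DTD declaration points at an external URI.
    // With DTD resolution left enabled, the parser would try to fetch this URI,
    // which is the behaviour the advisory describes (hostname is a placeholder).
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note SYSTEM \"http://internal.example/note.dtd\">\n"
      + "<note>hello</note>";

    // Weak configuration: a plain factory. Whether the external DTD is fetched
    // depends on the parser defaults, so nothing here guarantees it is blocked.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: refuse DOCTYPE declarations outright and, as defence
    // in depth, disable external DTD loading and external entities as well
    // (assumed Xerces/JAXP feature names).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the factory accepted the document, false when it rejected it.
    static boolean parses(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // The hardened factory rejects SAMPLE at the DOCTYPE, before any URI is touched.
        System.out.println("hardened parser accepts sample: " + parses(hardenedFactory(), SAMPLE));
    }
}
```

Only the hardened path is exercised in main, since parsing SAMPLE with the weak factory would make the parser attempt the network fetch.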
Please just verify that the updated packages install cleanly.
Whiteboard: (none) => has_procedure
Whiteboard: has_procedure => has_procedure mga4-32-ok
(In reply to David Walser from comment #3)
> Please just verify that the updated packages install cleanly.

Updated packages install cleanly on MGA4-64-OK on VBox.
CC: (none) => shlomif
Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok MGA4-64-OK => has_procedure advisory mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0211.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED