Fedora issued an advisory on July 4: https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html The issue is fixed upstream in 3.2.14. Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
David Geiger uploaded a fixed build for Mageia 5, but I guess it hasn't been buildable yet in Cauldron. Nothing is done for Mageia 4 yet.

springframework-3.2.14-1.mga5
springframework-aop-3.2.14-1.mga5
springframework-beans-3.2.14-1.mga5
springframework-context-3.2.14-1.mga5
springframework-context-support-3.2.14-1.mga5
springframework-expression-3.2.14-1.mga5
springframework-instrument-3.2.14-1.mga5
springframework-instrument-tomcat-3.2.14-1.mga5
springframework-javadoc-3.2.14-1.mga5
springframework-jdbc-3.2.14-1.mga5
springframework-jms-3.2.14-1.mga5
springframework-orm-3.2.14-1.mga5
springframework-oxm-3.2.14-1.mga5
springframework-struts-3.2.14-1.mga5
springframework-test-3.2.14-1.mga5
springframework-tx-3.2.14-1.mga5
springframework-web-3.2.14-1.mga5
springframework-webmvc-3.2.14-1.mga5
springframework-webmvc-portlet-3.2.14-1.mga5

from springframework-3.2.14-1.mga5.src.rpm
CC: (none) => geiger.david68210
springframework-3.2.14-1.mga6 uploaded for Cauldron by David.
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
@ David Walser: I think it is impossible to update springframework to version 3.2.14 for mga4 due to missing dependencies on "options", "jffi-native", "jdo-api" and maybe yet others. :( I tried to build locally on my mga4, but unsuccessfully.
We have patched springframework in the past, so that's an option, but this time I can't find any references to the upstream commit(s) to fix it. We could look at a diff between 3.2.13 and 3.2.14 and see how much of it is backportable. It sounds like this security issue is more impactful for >= 3.2, though the "other unsupported versions" being affected suggests 3.1 is affected somewhat: http://pivotal.io/security/cve-2015-3192 If we decide we can't fix this for Mageia 4, I think we can live with that.
mga4 is on version 3.1.4 and I think it is far too old to fix this security issue. I think also we can live without this fix for mga4.
Commits:
https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424
https://github.com/spring-projects/spring-framework/commit/0d394a02f3b7a0e7fcd36f2eff7682949c38b1b2
https://github.com/spring-projects/spring-framework/commit/d875772103132a448818568259346898524467e4

It looks like it would take significant effort to backport. Not worth it. We can't support this package on Mageia 4 anymore (and upstream isn't supporting 3.1 anyway). WONTFIX for Mageia 4.
Whiteboard: MGA4TOO => (none)
Package list in Comment 1.

Advisory:
========================

Updated springframework packages fix security vulnerability:

In Spring Framework before 3.2.14, if DTD is not entirely disabled, inline DTD declarations can be used to perform denial of service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-decl feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false (CVE-2015-3192).

This package is no longer supported for Mageia 4. Users of this package are advised to upgrade to Mageia 5.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3192
http://pivotal.io/security/cve-2015-3192
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html
Assignee: bugsquad => qa-bugs
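What the advisory's fix instructions amount to at the JDK level, as an added example (not code from this bug report, the Fedora advisory, or the Spring project): the three settings it names, applied to a hand-built, deliberately tiny entity-expansion document. The `XML_BOMB` string, the `DtdHardening` class and the method names are constructed for this illustration; the Xerces feature URI is the standard one behind "disallow-doctype-decl".

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DtdHardening {

    // Xerces feature name behind the advisory's "disallow-doctype-decl".
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed, deliberately tiny "XML bomb": two levels of 10x expansion
    // (300 characters), so an unhardened parser still finishes. The real
    // attack nests ~10 levels and expands a few hundred bytes into gigabytes.
    static final String XML_BOMB =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + "]>\n"
      + "<lolz>&lol2;</lolz>\n";

    /** DOM: true if the hardened parser refuses the document at its DOCTYPE. */
    static boolean domRejectsDoctype(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);                       // the DOM fix
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // entity-count limits too
        try {
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException e) { // "DOCTYPE is disallowed when the feature ... is true"
            return true;
        }
    }

    /** SAX: same feature, same outcome. */
    static boolean saxRejectsDoctype(String xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);                       // the SAX fix
        try {
            f.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    /**
     * StAX: with SUPPORT_DTD off the internal subset is never processed, so the
     * entities are never declared and cannot expand. Implementations differ on
     * whether the undeclared "&lol2;" raises XMLStreamException or comes back as
     * an unexpanded ENTITY_REFERENCE event, so both count as blocked; the attack
     * only worked if expanded character data actually came out of the reader.
     */
    static boolean staxBlocksExpansion(String xml) throws Exception {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                    // the StAX fix
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // no XXE either
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        int expandedChars = 0;
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    expandedChars += r.getTextLength();
                }
            }
        } catch (XMLStreamException e) {
            return true;
        } finally {
            r.close();
        }
        return expandedChars < 300; // 300 = full expansion of the constructed bomb
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM  rejects DOCTYPE:  " + domRejectsDoctype(XML_BOMB));
        System.out.println("SAX  rejects DOCTYPE:  " + saxRejectsDoctype(XML_BOMB));
        System.out.println("StAX blocks expansion: " + staxBlocksExpansion(XML_BOMB));
    }
}
```

Compile and run it with a plain JDK (`javac DtdHardening.java && java DtdHardening`); all three lines should report true. The point for this bug is that these are parser-level settings: when the parser is created inside the framework (which is what the upstream commits listed earlier in this thread change), application code cannot bolt them on afterwards, which is why the fix has to ship in the springframework packages themselves.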
For this package we usually just check that it installs and updates cleanly. If someone has some knowledge about more relevant tests, just add them in a comment.
Whiteboard: (none) => has_procedure
Testing Mageia 5 64 complete.

*** Testing upgrade ***

# urpmi springframework springframework-aop springframework-beans springframework-context springframework-context-support springframework-expression springframework-instrument springframework-instrument springframework-javadoc springframework-jdbc springframework-jms springframework-orm springframework-oxm springframework-struts springframework-test springframework-tx springframework-web springframework-webmvc springframework-webmvc-portlet

then

# urpmi springframework springframework-aop springframework-beans springframework-context springframework-context-support springframework-expression springframework-instrument springframework-instrument springframework-javadoc springframework-jdbc springframework-jms springframework-orm springframework-oxm springframework-struts springframework-test springframework-tx springframework-web springframework-webmvc springframework-webmvc-portlet --search-media "Updates Testing"

all went well.

*** Testing installation ***

# urpme springframework springframework-aop springframework-beans springframework-context springframework-context-support springframework-expression springframework-instrument springframework-instrument springframework-javadoc springframework-jdbc springframework-jms springframework-orm springframework-oxm springframework-struts springframework-test springframework-tx springframework-web springframework-webmvc springframework-webmvc-portlet

then

# urpmi springframework springframework-aop springframework-beans springframework-context springframework-context-support springframework-expression springframework-instrument springframework-instrument springframework-javadoc springframework-jdbc springframework-jms springframework-orm springframework-oxm springframework-struts springframework-test springframework-tx springframework-web springframework-webmvc springframework-webmvc-portlet --search-media "Updates Testing"
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0294.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED