Fedora has issued an advisory on November 1:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170543.html

The issue is fixed upstream in 3.2.15.
Done for Cauldron and mga5 updating to 3.2.15 release.

Note that two new packages had to be imported for mga5 and Cauldron:
- json-path
- json-smart
Thanks David!

Advisory:
========================

Updated springframework packages fix security vulnerability:

Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response (CVE-2015-5211).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5211
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170543.html
========================

Updated packages in core/updates_testing:
========================
json-smart-1.3-0.20140820.1.mga5
json-smart-javadoc-1.3-0.20140820.1.mga5
json-path-0.9.1-1.mga5
json-path-javadoc-0.9.1-1.mga5
springframework-3.2.15-1.mga5
springframework-javadoc-3.2.15-1.mga5
springframework-aop-3.2.15-1.mga5
springframework-beans-3.2.15-1.mga5
springframework-context-3.2.15-1.mga5
springframework-context-support-3.2.15-1.mga5
springframework-expression-3.2.15-1.mga5
springframework-instrument-3.2.15-1.mga5
springframework-instrument-tomcat-3.2.15-1.mga5
springframework-jdbc-3.2.15-1.mga5
springframework-jms-3.2.15-1.mga5
springframework-orm-3.2.15-1.mga5
springframework-oxm-3.2.15-1.mga5
springframework-struts-3.2.15-1.mga5
springframework-test-3.2.15-1.mga5
springframework-test-mvc-3.2.15-1.mga5
springframework-tx-3.2.15-1.mga5
springframework-web-3.2.15-1.mga5
springframework-webmvc-3.2.15-1.mga5
springframework-webmvc-portlet-3.2.15-1.mga5

from SRPMS:
json-smart-1.3-0.20140820.1.mga5.src.rpm
json-path-0.9.1-1.mga5.src.rpm
springframework-3.2.15-1.mga5.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
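Added example (not part of the original bug report, and not code from Spring or Mageia): a log check for the request shape the advisory describes, i.e. a successfully served URL whose last path segment carries a batch script extension and which also carries request input. The log layout with a trailing response Content-Type field, the sample lines, and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Batch script extensions, per the advisory's "URL with a batch script extension".
SCRIPT_EXTS = (".bat", ".cmd")

# Assumed log layout: ... "METHOD URL HTTP/x.y" STATUS "response Content-Type"
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) "(?P<ctype>[^"]*)"'
)

# Constructed sample lines (documentation-range IPs, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2015:10:00:00 +0000] "GET /api/users/search.bat?q=abc HTTP/1.1" 200 "application/json"',
    '203.0.113.7 - - [01/Nov/2015:10:00:05 +0000] "GET /api/users/search?q=abc HTTP/1.1" 200 "application/json"',
    '198.51.100.4 - - [01/Nov/2015:10:01:00 +0000] "GET /api/users/search%2Ebat?q=abc HTTP/1.1" 200 "application/json"',
    '198.51.100.4 - - [01/Nov/2015:10:02:00 +0000] "GET /api/users/export.CMD;jsessionid=ABC?name=x HTTP/1.1" 200 "application/json"',
    '198.51.100.9 - - [01/Nov/2015:10:03:00 +0000] "GET /static/install.cmd?x=1 HTTP/1.1" 404 "text/html"',
    '198.51.100.9 - - [01/Nov/2015:10:04:00 +0000] "GET /docs/batch.html?q=.bat HTTP/1.1" 200 "text/html"',
]


def last_segment(url):
    """Percent-decoded, lower-cased final path segment without ';' path parameters."""
    path = unquote(urlsplit(url).path)
    return path.rsplit("/", 1)[-1].split(";", 1)[0].lower()


def is_rfd_candidate(line):
    """True when a served, non-HTML response was requested under a script-like name."""
    m = LINE_RE.search(line)
    if m is None:
        return False  # unparseable line: not classified here
    url = m["url"]
    script_name = last_segment(url).endswith(SCRIPT_EXTS)
    carries_input = bool(urlsplit(url).query)  # heuristic: input that may be reflected
    served = m["status"].startswith("2")
    not_rendered = not m["ctype"].lower().startswith("text/html")
    return script_name and carries_input and served and not_rendered


def find_rfd_candidates(lines):
    """Return the request URLs worth reviewing, in log order."""
    return [LINE_RE.search(l)["url"] for l in lines if is_rfd_candidate(l)]


if __name__ == "__main__":
    for url in find_rfd_candidates(SAMPLE_LOG):
        print("review:", url)
```

The query-string test is only a heuristic for "input reflected in the response"; a hit means the request deserves review, not that the response actually echoed the input.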
In VirtualBox, M5, KDE, 32-bit

Sample of package(s) under test:
springframework springframework-javadoc springframework-javadoc springframework-aop springframework-beans springframework-context springframework-instrument springframework-test springframework-web springframework-webmvc

Default install of some springframework packages (over 325)
Just a sampling:

[root@localhost wilcal]# urpmi springframework
Package springframework-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-javadoc
Package springframework-javadoc-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-aop
Package springframework-aop-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-beans
Package springframework-beans-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-context
Package springframework-context-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-instrument
Package springframework-instrument-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-test
Package springframework-test-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-web
Package springframework-web-3.2.14-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-webmvc
Package springframework-webmvc-3.2.14-1.mga5.noarch is already installed

All installed without error.
Install springframework packages from updates_testing

[root@localhost wilcal]# urpmi springframework
Package springframework-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-javadoc
Package springframework-javadoc-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-aop
Package springframework-aop-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-beans
Package springframework-beans-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-context
Package springframework-context-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-instrument
Package springframework-instrument-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-test
Package springframework-test-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-web
Package springframework-web-3.2.15-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi springframework-webmvc
Package springframework-webmvc-3.2.15-1.mga5.noarch is already installed

All package updates installed without error.
CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
advisory added
CC: (none) => tmb
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0426.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED