Debian has issued an advisory on November 22: https://www.debian.org/security/2017/dsa-4046 Mageia 6 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patch available from Debian
Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated spring-ldap package fixes security vulnerability:

It was discovered that spring-ldap would under some circumstances allow authentication with a correct username but an arbitrary password (CVE-2017-8028).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8028
https://www.debian.org/security/2017/dsa-4046
========================

Updated packages in core/updates_testing:
========================

spring-ldap-1.3.1-14.1.mga6.noarch.rpm
spring-ldap-javadoc-1.3.1-14.1.mga6.noarch.rpm

from spring-ldap-1.3.1-14.1.mga6.src.rpm
Assignee: mageia => qa-bugs
CC: (none) => mrambo
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Testing M6/64

These packages have no previous updates.

Summary : Java library for simplifying LDAP operations
Description :
Spring LDAP is a Java library for simplifying LDAP operations, based on the pattern of Spring's JdbcTemplate. The framework relieves the user of common chores, such as looking up and closing contexts, looping through results, etc etc etc

$ urpmq --whatrequires-recursive spring-ldap | sort -u
springframework-security
spring-ldap
-----------
Fortunately no sign of a test case (POC). Going for clean update only.

Installing from issued repos:
# urpmi spring-ldap spring-ldap-javadoc
I fodloni dibyniaethau, gosodir y pecynnau canlynol:
  Pecyn                        Fersiwn      Rhifyn       Arch
(cyfrwng "Core Release2")
  aopalliance                  1.0          15.mga6      noarch
  apache-commons-io            2.4          11.mga6      noarch
  apache-commons-lang          2.6          20.mga6      noarch
  bea-stax-api                 1.2.0        13.mga6      noarch
  bytelist                     1.0.8        12.mga6      noarch
  cglib                        3.2.4        2.mga6       noarch
  freemarker                   2.3.23       3.mga6       noarch
  geronimo-interceptor         1.0.1        16.mga6      noarch
  geronimo-validation          1.1          16.mga6      noarch
  hibernate-jpa-2.0-api        1.0.1        19.mga6      noarch
  hsqldb1                      1.8.1.3      11.mga6      noarch
  jboss-connector-1.7-api      1.0.0        6.mga6       noarch
  jcodings                     1.0.9        11.mga6      noarch
  jettison                     1.3.7        3.mga6       noarch
  log4j                        2.5          8.mga6       noarch
  spring-ldap                  1.3.1        14.mga6      noarch
  spring-ldap-javadoc          1.3.1        14.mga6      noarch
  springframework              3.2.18       1.mga6       noarch
  springframework-aop          3.2.18       1.mga6       noarch
  springframework-batch        2.2.7        3.mga6       noarch
  springframework-beans        3.2.18       1.mga6       noarch
  springframework-context      3.2.18       1.mga6       noarch
  springframework-expression   3.2.18       1.mga6       noarch
  springframework-jdbc         3.2.18       1.mga6       noarch
  springframework-retry        1.1.1        4.mga6       noarch
  springframework-test         3.2.18       1.mga6       noarch
  springframework-tx           3.2.18       1.mga6       noarch

The UPDATE pulled in an updated library:
- liblog4j12-java-1.2.17-17.mga6.noarch
- spring-ldap-1.3.1-14.1.mga6.noarch
- spring-ldap-javadoc-1.3.1-14.1.mga6.noarch
and went without issue.

Doubt we can do more. OKing etc the update.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs
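The check the QA comment above does by eye (confirming the installed spring-ldap release moved from 14.mga6 to the fixed 14.1.mga6) can be scripted. The following is an added example, not code from this bug report or from Mageia's own tooling: a POSIX shell script with a simplified rpmvercmp ordering that audits `rpm -q` output against the advisory's fixed version-release. The two `rpm -q --qf` listings are constructed sample output, not captured from a test machine; the fixed release `1.3.1-14.1.mga6` is the one named in the advisory.

```shell
#!/bin/sh
# Compare two RPM "version-release" strings in (simplified) rpmvercmp order:
# split into runs of digits and runs of letters, compare digit runs numerically
# and letter runs lexically; a digit run sorts newer than a letter run.
# Prints -1, 0 or 1.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,   n, i, c, cur, type, t) {
        n = 0; cur = ""; type = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) t = "n"; else if (c ~ /[A-Za-z]/) t = "a"; else t = ""
            if (t == "" || (cur != "" && t != type)) {   # separator or type change
                if (cur != "") arr[++n] = cur
                cur = ""
            }
            if (t != "") { cur = cur c; type = t }
        }
        if (cur != "") arr[++n] = cur
        return n
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B)
        for (i = 1; i <= na && i <= nb; i++) {
            x = A[i]; y = B[i]
            xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
            if (xn && !yn) { print "1"; exit }      # "14.1" beats "14.mga"
            if (!xn && yn) { print "-1"; exit }
            if (xn) {
                if (x + 0 < y + 0) { print "-1"; exit }
                if (x + 0 > y + 0) { print "1"; exit }
            } else {
                if (x < y) { print "-1"; exit }
                if (x > y) { print "1"; exit }
            }
        }
        if (na < nb) print "-1"; else if (na > nb) print "1"; else print "0"
    }'
}

# True (exit 0) when the installed version-release is at or beyond the fixed one.
is_fixed() {   # $1 = installed "version-release", $2 = fixed "version-release"
    [ "$(rpm_vercmp "$1" "$2")" -ge 0 ]
}

# Fixed release from the advisory in this bug (spring-ldap-1.3.1-14.1.mga6).
FIXED_VR='1.3.1-14.1.mga6'

# Constructed samples of:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' spring-ldap spring-ldap-javadoc
# before and after the update. Not captured from a real system.
SAMPLE_BEFORE='spring-ldap 1.3.1-14.mga6
spring-ldap-javadoc 1.3.1-14.mga6'
SAMPLE_AFTER='spring-ldap 1.3.1-14.1.mga6
spring-ldap-javadoc 1.3.1-14.1.mga6'

# Print one verdict line per package; exit 1 if any package is still below the fix.
audit_packages() {   # $1 = rpm -q output as above, $2 = fixed "version-release"
    printf '%s\n' "$1" | {
        rc=0
        while read -r name vr; do
            [ -n "$name" ] || continue
            if is_fixed "$vr" "$2"; then
                echo "$name $vr: fixed"
            else
                echo "$name $vr: VULNERABLE (need >= $2)"
                rc=1
            fi
        done
        exit $rc
    }
}

# Stand-alone run: audit both constructed listings.
if [ "${0##*/}" != "sh" ] && [ -z "$RPM_AUDIT_NO_MAIN" ]; then
    echo "--- before update ---"; audit_packages "$SAMPLE_BEFORE" "$FIXED_VR"
    echo "--- after update ---";  audit_packages "$SAMPLE_AFTER"  "$FIXED_VR"
fi
```

On a real Mageia 6 box the two sample variables would be replaced by the output of the `rpm -q --qf` command shown in the comments, and a non-zero exit from `audit_packages` means the host still carries the pre-advisory release.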
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0235.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED