Debian has issued an advisory on June 28: http://www.debian.org/security/2012/dsa-2504 Mageia 2 is also affected.
CC: (none) => puntogil
CC: (none) => dmorganecWhiteboard: (none) => MGA2TOO
pushed in mga2 updates_testing
Thanks. It looks like the build for Cauldron failed though.
I'll push this to QA once Cauldron is fixed. Packages built for Mageia 2: spring2-2.5.6-2.1.mga2.noarch.rpm spring2-core-2.5.6-2.1.mga2.noarch.rpm spring2-aspects-2.5.6-2.1.mga2.noarch.rpm spring2-aop-2.5.6-2.1.mga2.noarch.rpm spring2-agent-2.5.6-2.1.mga2.noarch.rpm spring2-beans-2.5.6-2.1.mga2.noarch.rpm spring2-context-2.5.6-2.1.mga2.noarch.rpm spring2-context-support-2.5.6-2.1.mga2.noarch.rpm spring2-jms-2.5.6-2.1.mga2.noarch.rpm spring2-jdbc-2.5.6-2.1.mga2.noarch.rpm spring2-orm-2.5.6-2.1.mga2.noarch.rpm spring2-test-2.5.6-2.1.mga2.noarch.rpm spring2-tomcat-weaver-2.5.6-2.1.mga2.noarch.rpm spring2-tx-2.5.6-2.1.mga2.noarch.rpm spring2-web-2.5.6-2.1.mga2.noarch.rpm spring2-webmvc-2.5.6-2.1.mga2.noarch.rpm spring2-webmvc-portlet-2.5.6-2.1.mga2.noarch.rpm spring2-webmvc-struts-2.5.6-2.1.mga2.noarch.rpm spring2-all-2.5.6-2.1.mga2.noarch.rpm spring2-javadoc-2.5.6-2.1.mga2.noarch.rpm spring2-manual-2.5.6-2.1.mga2.noarch.rpm spring2-demo-2.5.6-2.1.mga2.noarch.rpm spring2-devel-2.5.6-2.1.mga2.noarch.rpm from spring2-2.5.6-2.1.mga2.src.rpm
Looks like not all packages for mga2 updates_testing got uploaded.
all available now thanks to pterjan
I count 23 packages in the build log and 18 packages on the mirror. Also, did this ever get fixed in Cauldron? The build failed according to Comment 2.
i look directly on valstar, so just wait mirors to be updated but on mageia central server this is now OK. Yes i will look on cauldron later this week ( i hope tomorow )
D Morgan has decided to remove this from Cauldron. Assigning to QA now. Advisory: ======================== Updated spring2 packages fix security vulnerability: It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests (CVE-2011-2730). Note: This update adds a springJspExpressionSupport context parameter which must be manually set to false when the Spring Framework runs under a container which provides EL support itself. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730 http://www.springsource.com/security/cve-2011-2730 http://www.debian.org/security/2012/dsa-2504 ======================== Updated packages in core/updates_testing: ======================== spring2-2.5.6-2.1.mga2.noarch.rpm spring2-core-2.5.6-2.1.mga2.noarch.rpm spring2-aspects-2.5.6-2.1.mga2.noarch.rpm spring2-aop-2.5.6-2.1.mga2.noarch.rpm spring2-agent-2.5.6-2.1.mga2.noarch.rpm spring2-beans-2.5.6-2.1.mga2.noarch.rpm spring2-context-2.5.6-2.1.mga2.noarch.rpm spring2-context-support-2.5.6-2.1.mga2.noarch.rpm spring2-jms-2.5.6-2.1.mga2.noarch.rpm spring2-jdbc-2.5.6-2.1.mga2.noarch.rpm spring2-orm-2.5.6-2.1.mga2.noarch.rpm spring2-test-2.5.6-2.1.mga2.noarch.rpm spring2-tomcat-weaver-2.5.6-2.1.mga2.noarch.rpm spring2-tx-2.5.6-2.1.mga2.noarch.rpm spring2-web-2.5.6-2.1.mga2.noarch.rpm spring2-webmvc-2.5.6-2.1.mga2.noarch.rpm spring2-webmvc-portlet-2.5.6-2.1.mga2.noarch.rpm spring2-webmvc-struts-2.5.6-2.1.mga2.noarch.rpm spring2-all-2.5.6-2.1.mga2.noarch.rpm spring2-javadoc-2.5.6-2.1.mga2.noarch.rpm spring2-manual-2.5.6-2.1.mga2.noarch.rpm spring2-demo-2.5.6-2.1.mga2.noarch.rpm spring2-devel-2.5.6-2.1.mga2.noarch.rpm from spring2-2.5.6-2.1.mga2.src.rpm
Version: Cauldron => 2Assignee: bugsquad => qa-bugsWhiteboard: MGA2TOO => (none)
Seems to be tutorials for this and some code samples here: http://www.springsource.org/get-started
I've posted a request for testers to the general discussion list.
CC: (none) => davidwhodgins
Looks like all we can test for this one is that it installs cleanly, which I've done. Could someone from the sysadmin team push the srpm spring2-2.5.6-2.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated spring2 packages fix security vulnerability: It was discovered that the Spring Framework contains an information disclosure vulnerability in the processing of certain Expression Language (EL) patterns, allowing attackers to access sensitive information using HTTP requests (CVE-2011-2730). Note: This update adds a springJspExpressionSupport context parameter which must be manually set to false when the Spring Framework runs under a container which provides EL support itself. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730 http://www.springsource.com/security/cve-2011-2730 http://www.debian.org/security/2012/dsa-2504 https://bugs.mageia.org/show_bug.cgi?id=6625
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0217
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED