Bug 6625 - spring2 new security issue CVE-2011-2730
: spring2 new security issue CVE-2011-2730
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/504289/
:
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-29 19:40 CEST by David Walser
Modified: 2012-08-18 10:15 CEST (History)
5 users (show)

See Also:
Source RPM: spring2-2.5.6-2.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-06-29 19:40:19 CEST
Debian has issued an advisory on June 28:
http://www.debian.org/security/2012/dsa-2504

Mageia 2 is also affected.
Comment 1 D Morgan 2012-07-05 00:47:39 CEST
pushed in mga2 updates_testing
Comment 2 David Walser 2012-07-05 00:49:52 CEST
Thanks.  It looks like the build for Cauldron failed though.
Comment 3 David Walser 2012-07-05 00:51:57 CEST
I'll push this to QA once Cauldron is fixed.

Packages built for Mageia 2:
spring2-2.5.6-2.1.mga2.noarch.rpm
spring2-core-2.5.6-2.1.mga2.noarch.rpm
spring2-aspects-2.5.6-2.1.mga2.noarch.rpm
spring2-aop-2.5.6-2.1.mga2.noarch.rpm
spring2-agent-2.5.6-2.1.mga2.noarch.rpm
spring2-beans-2.5.6-2.1.mga2.noarch.rpm
spring2-context-2.5.6-2.1.mga2.noarch.rpm
spring2-context-support-2.5.6-2.1.mga2.noarch.rpm
spring2-jms-2.5.6-2.1.mga2.noarch.rpm
spring2-jdbc-2.5.6-2.1.mga2.noarch.rpm
spring2-orm-2.5.6-2.1.mga2.noarch.rpm
spring2-test-2.5.6-2.1.mga2.noarch.rpm
spring2-tomcat-weaver-2.5.6-2.1.mga2.noarch.rpm
spring2-tx-2.5.6-2.1.mga2.noarch.rpm
spring2-web-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-portlet-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-struts-2.5.6-2.1.mga2.noarch.rpm
spring2-all-2.5.6-2.1.mga2.noarch.rpm
spring2-javadoc-2.5.6-2.1.mga2.noarch.rpm
spring2-manual-2.5.6-2.1.mga2.noarch.rpm
spring2-demo-2.5.6-2.1.mga2.noarch.rpm
spring2-devel-2.5.6-2.1.mga2.noarch.rpm

from spring2-2.5.6-2.1.mga2.src.rpm
Comment 4 David Walser 2012-07-05 13:47:49 CEST
Looks like not all packages for mga2 updates_testing got uploaded.
Comment 5 D Morgan 2012-07-11 15:56:55 CEST
all available now thanks to pterjan
Comment 6 David Walser 2012-07-11 16:00:15 CEST
I count 23 packages in the build log and 18 packages on the mirror.

Also, did this ever get fixed in Cauldron?  The build failed according to Comment 2.
Comment 7 D Morgan 2012-07-11 16:15:45 CEST
i look directly on valstar, so just wait mirors to be updated but on mageia central server this is now OK.

Yes i will look on cauldron later this week ( i hope tomorow )
Comment 8 David Walser 2012-07-17 01:40:37 CEST
D Morgan has decided to remove this from Cauldron.  Assigning to QA now.

Advisory:
========================

Updated spring2 packages fix security vulnerability:

It was discovered that the Spring Framework contains an information
disclosure vulnerability in the processing of certain Expression
Language (EL) patterns, allowing attackers to access sensitive
information using HTTP requests (CVE-2011-2730).

Note: This update adds a springJspExpressionSupport context parameter
which must be manually set to false when the Spring Framework runs
under a container which provides EL support itself.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730
http://www.springsource.com/security/cve-2011-2730
http://www.debian.org/security/2012/dsa-2504
========================

Updated packages in core/updates_testing:
========================
spring2-2.5.6-2.1.mga2.noarch.rpm
spring2-core-2.5.6-2.1.mga2.noarch.rpm
spring2-aspects-2.5.6-2.1.mga2.noarch.rpm
spring2-aop-2.5.6-2.1.mga2.noarch.rpm
spring2-agent-2.5.6-2.1.mga2.noarch.rpm
spring2-beans-2.5.6-2.1.mga2.noarch.rpm
spring2-context-2.5.6-2.1.mga2.noarch.rpm
spring2-context-support-2.5.6-2.1.mga2.noarch.rpm
spring2-jms-2.5.6-2.1.mga2.noarch.rpm
spring2-jdbc-2.5.6-2.1.mga2.noarch.rpm
spring2-orm-2.5.6-2.1.mga2.noarch.rpm
spring2-test-2.5.6-2.1.mga2.noarch.rpm
spring2-tomcat-weaver-2.5.6-2.1.mga2.noarch.rpm
spring2-tx-2.5.6-2.1.mga2.noarch.rpm
spring2-web-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-portlet-2.5.6-2.1.mga2.noarch.rpm
spring2-webmvc-struts-2.5.6-2.1.mga2.noarch.rpm
spring2-all-2.5.6-2.1.mga2.noarch.rpm
spring2-javadoc-2.5.6-2.1.mga2.noarch.rpm
spring2-manual-2.5.6-2.1.mga2.noarch.rpm
spring2-demo-2.5.6-2.1.mga2.noarch.rpm
spring2-devel-2.5.6-2.1.mga2.noarch.rpm

from spring2-2.5.6-2.1.mga2.src.rpm
Comment 9 claire robinson 2012-08-01 19:07:54 CEST
Seems to be tutorials for this and some code samples here:

http://www.springsource.org/get-started
Comment 10 Dave Hodgins 2012-08-08 05:04:37 CEST
I've posted a request for testers to the general discussion list.
Comment 11 Dave Hodgins 2012-08-16 03:42:09 CEST
Looks like all we can test for this one is that it installs cleanly, which
I've done.

Could someone from the sysadmin team push the srpm
spring2-2.5.6-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated spring2 packages fix security vulnerability:

It was discovered that the Spring Framework contains an information
disclosure vulnerability in the processing of certain Expression
Language (EL) patterns, allowing attackers to access sensitive
information using HTTP requests (CVE-2011-2730).

Note: This update adds a springJspExpressionSupport context parameter
which must be manually set to false when the Spring Framework runs
under a container which provides EL support itself.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730
http://www.springsource.com/security/cve-2011-2730
http://www.debian.org/security/2012/dsa-2504

https://bugs.mageia.org/show_bug.cgi?id=6625
Comment 12 Thomas Backlund 2012-08-18 10:15:31 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0217

Note You need to log in before you can comment on or make changes to this bug.