Mageia alert MGASA-2012-0217 (spring2) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2012-0217: spring2-2.5.6-2.1.mga2 (2/core) 
Date:
    	       Sat, 18 Aug 2012 10:15:13 +0200
Message-ID:
    	       <20120818081513.GA31088@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2012-0217
Date: 	August 18th, 2012
Affected releases: 	2


Description:
Updated spring2 packages fix security vulnerability:

It was discovered that the Spring Framework contains an information
disclosure vulnerability in the processing of certain Expression
Language (EL) patterns, allowing attackers to access sensitive
information using HTTP requests (CVE-2011-2730).

Note: This update adds a springJspExpressionSupport context parameter
which must be manually set to false when the Spring Framework runs
under a container which provides EL support itself.


Updated Packages:
spring2-2.5.6-2.1.mga2
spring2-agent-2.5.6-2.1.mga2
spring2-all-2.5.6-2.1.mga2
spring2-aop-2.5.6-2.1.mga2
spring2-aspects-2.5.6-2.1.mga2
spring2-beans-2.5.6-2.1.mga2
spring2-context-2.5.6-2.1.mga2
spring2-context-support-2.5.6-2.1.mga2
spring2-core-2.5.6-2.1.mga2
spring2-demo-2.5.6-2.1.mga2
spring2-devel-2.5.6-2.1.mga2
spring2-javadoc-2.5.6-2.1.mga2
spring2-jdbc-2.5.6-2.1.mga2
spring2-jms-2.5.6-2.1.mga2
spring2-manual-2.5.6-2.1.mga2
spring2-orm-2.5.6-2.1.mga2
spring2-test-2.5.6-2.1.mga2
spring2-tomcat-weaver-2.5.6-2.1.mga2
spring2-tx-2.5.6-2.1.mga2
spring2-web-2.5.6-2.1.mga2
spring2-webmvc-2.5.6-2.1.mga2
spring2-webmvc-portlet-2.5.6-2.1.mga2
spring2-webmvc-struts-2.5.6-2.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730
http://www.springsource.com/security/cve-2011-2730
http://www.debian.org/security/2012/dsa-2504
https://bugs.mageia.org/show_bug.cgi?id=6625
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
(Log in to post comments)