From Mageia wiki

MGASA-2012-0217

Date: August 18th, 2012
Affected releases: 2


Description:
Updated spring2 packages fix a security vulnerability:

It was discovered that the Spring Framework contains an information
disclosure vulnerability in the processing of certain Expression
Language (EL) patterns, allowing attackers to access sensitive
information using HTTP requests (CVE-2011-2730).

Note: This update adds a springJspExpressionSupport context parameter
which must be manually set to false when the Spring Framework runs
under a container which provides EL support itself.
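
To check a deployment for the setting described in the note above, the following added example (not part of the advisory or of the Spring Framework) parses a web.xml deployment descriptor and reports the state of the springJspExpressionSupport context parameter. The function names and the sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PARAM = "springJspExpressionSupport"  # context parameter named in the advisory

def _local(tag):
    """Drop any XML namespace prefix: '{ns}context-param' -> 'context-param'."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def jsp_expression_support(web_xml):
    """Classify a web.xml string: 'false', 'unset', or 'not-false'."""
    root = ET.fromstring(web_xml)
    values = [
        (_child_text(e, "param-value") or "").lower()
        for e in root
        if _local(e.tag) == "context-param"
        and _child_text(e, "param-name") == PARAM
    ]
    if not values:
        return "unset"
    # Every declaration must say false; a duplicate with another value is flagged.
    return "false" if all(v == "false" for v in values) else "not-false"

# Constructed sample descriptors (not taken from any real application).
HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>springJspExpressionSupport</param-name>
    <param-value> false </param-value>
  </context-param>
</web-app>"""
UNSET = "<web-app><display-name>demo</display-name></web-app>"
EXPLICIT_TRUE = HARDENED.replace(" false ", "TRUE")

if __name__ == "__main__":
    for name, doc in [("hardened", HARDENED), ("unset", UNSET),
                      ("explicit true", EXPLICIT_TRUE)]:
        print(f"{name}: {PARAM} is {jsp_expression_support(doc)}")
```

A result of `unset` or `not-false` for an application running under a container that provides EL support itself is the case the note asks administrators to correct.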


Updated Packages:
spring2-2.5.6-2.1.mga2
spring2-agent-2.5.6-2.1.mga2
spring2-all-2.5.6-2.1.mga2
spring2-aop-2.5.6-2.1.mga2
spring2-aspects-2.5.6-2.1.mga2
spring2-beans-2.5.6-2.1.mga2
spring2-context-2.5.6-2.1.mga2
spring2-context-support-2.5.6-2.1.mga2
spring2-core-2.5.6-2.1.mga2
spring2-demo-2.5.6-2.1.mga2
spring2-devel-2.5.6-2.1.mga2
spring2-javadoc-2.5.6-2.1.mga2
spring2-jdbc-2.5.6-2.1.mga2
spring2-jms-2.5.6-2.1.mga2
spring2-manual-2.5.6-2.1.mga2
spring2-orm-2.5.6-2.1.mga2
spring2-test-2.5.6-2.1.mga2
spring2-tomcat-weaver-2.5.6-2.1.mga2
spring2-tx-2.5.6-2.1.mga2
spring2-web-2.5.6-2.1.mga2
spring2-webmvc-2.5.6-2.1.mga2
spring2-webmvc-portlet-2.5.6-2.1.mga2
spring2-webmvc-struts-2.5.6-2.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2730
http://www.springsource.com/security/cve-2011-2730
http://www.debian.org/security/2012/dsa-2504
https://bugs.mageia.org/show_bug.cgi?id=6625