Advisories » MGASA-2015-0211

Updated springframework packages fix CVE-2014-0225

Publication date: 11 May 2015
Modification date: 11 May 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-0225

Description

Updated springframework packages fix security vulnerabilities:

When processing user-provided XML documents, the Spring Framework did not,
by default, disable the resolution of URI references in a DTD declaration. By
observing differences in response times, an attacker could then identify
valid IP addresses on the internal network with functioning web servers
(CVE-2014-0225).
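
The mitigation this description points to, as an added example (not part of the advisory and not Spring's own code or patch): a JAXP DocumentBuilderFactory configured so that untrusted XML carrying a DOCTYPE is rejected before any URI in it is resolved. The class name, the sample documents and the 192.0.2.10 address are constructed for illustration, and the feature names assume the JDK's built-in Xerces-based parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // Build a JAXP factory that refuses DTDs, so no URI in a DOCTYPE is ever resolved.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any document that contains a DOCTYPE declaration.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: allow no protocol for external DTDs or schemas (JAXP 1.5+).
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse XML from an untrusted source with the hardened factory.
    static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples; 192.0.2.10 is a documentation-only address (RFC 5737).
        String plain = "<order><id>42</id></order>";
        String withDtd = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE order SYSTEM \"http://192.0.2.10/order.dtd\">\n"
                + "<order><id>42</id></order>";

        System.out.println("plain: root=" + parseUntrusted(plain).getDocumentElement().getTagName());
        long start = System.nanoTime();
        try {
            parseUntrusted(withDtd);
            System.out.println("with DTD: ACCEPTED (parser is not hardened)");
        } catch (SAXException e) {
            long ms = (System.nanoTime() - start) / 1_000_000;
            System.out.println("with DTD: rejected after " + ms + " ms, no fetch attempted");
        }
    }
}
```

Because the parser fails at the DOCTYPE token itself, the time to reject does not depend on whether the referenced host exists, which removes the response-time signal the description mentions.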
                

References

SRPMS

4/core