MGASA-2015-0294

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2015-0294.html

Import Source

https://advisories.mageia.org/MGASA-2015-0294.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2015-0294

Related

CVE-2015-3192

Published

2015-07-28T21:01:59Z

Modified

2015-07-28T20:49:03Z

Summary

Updated springframework package fixes security vulnerability

Details

In Spring Framework before 3.2.14, if DTD is not entirely disabled, inline DTD declarations can be used to perform denial of service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false (CVE-2015-3192).

This package is no longer supported for Mageia 4. Users of this package are advised to upgrade to Mageia 5

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / springframework

Package

Name: springframework
Purl: pkg:rpm/mageia/springframework?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.14-1.mga5

Ecosystem specific

{
    "section": "core"
}