[jira] Updated: (GERONIMO-5387) Update the spring framework to fix Spring framework CVE-2010-1622 vulnerability.

Wed, 07 Jul 2010 07:51:16 -0700 

     [ 
https://issues.apache.org/jira/browse/GERONIMO-5387?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rick McGuire updated GERONIMO-5387:
-----------------------------------

        Summary: Update the spring framework to fix Spring framework 
CVE-2010-1622 vulnerability.   (was: Update the spring framework version used 
in Geronimo. )
       Priority: Critical  (was: Major)
    Description: 
The Spring framework used by the Apache Geronimo server has a critical security 
vulnerability that can allow injection of malicious code into the a web 
application.  Details of the vulnerability can be found here: 

http://www.securityfocus.com/archive/1/511877/30/0/threaded

There are no known locations in the Geronimo server where this vulnerability 
can be exploited, but any applications built using the included spring 
framework libraries can be a risk.  This will update Spring version to the 
2.5.6.SEC02 level. 

  was:The spring framework version used in Geronimo requires an update to pick 
up some important fixes. 


> Update the spring framework to fix Spring framework CVE-2010-1622 
> vulnerability. 
> ---------------------------------------------------------------------------------
>
>                 Key: GERONIMO-5387
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5387
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: general
>    Affects Versions: 2.1.5, 2.2
>            Reporter: Rick McGuire
>            Assignee: Rick McGuire
>            Priority: Critical
>             Fix For: 2.1.6, 2.2.1
>
>
> The Spring framework used by the Apache Geronimo server has a critical 
> security vulnerability that can allow injection of malicious code into the a 
> web application.  Details of the vulnerability can be found here: 
> http://www.securityfocus.com/archive/1/511877/30/0/threaded
> There are no known locations in the Geronimo server where this vulnerability 
> can be exploited, but any applications built using the included spring 
> framework libraries can be a risk.  This will update Spring version to the 
> 2.5.6.SEC02 level. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to