Bug 23690

Summary: CVE-2010-1622: Spring Framework execution of arbitrary code
Product: Sisyphus
Reporter: Slava Semushin <php-coder>
Component: spring2
Assignee: viy <viy>
Status: CLOSED FIXED
QA Contact: qa-sisyphus
Severity: major
Priority: P3
Keywords: security
Version: unstable
Hardware: all
OS: Linux

Description Slava Semushin 2010-06-29 07:42:37 MSD
The Spring Framework provides a mechanism to use client provided data to update the properties of an object. This mechanism allows an attacker to modify the properties of the class loader used to load the object (via 'class.classloader'). This can lead to arbitrary command execution since, for example, an attacker can modify the URLs used by the class loader to point to locations controlled by the attacker.

http://www.springsource.com/security/cve-2010-1622
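As an added illustration of the mitigation (example code, not taken from the bug report or from the spring2 package), the Java snippet below binds constructed request parameters through Spring's DataBinder with an allowlist of bindable fields; the OrderForm bean and its fields are assumptions. Any property path outside the allowlist, including the class.classLoader path described above, is dropped before binding and reported via BindingResult.getSuppressedFields(), which is where a defender can log such attempts.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

// Hypothetical form-backing bean: only the fields a form legitimately carries.
public class OrderForm {
    private String name;
    private int quantity;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public int getQuantity() { return quantity; }
    public void setQuantity(int quantity) { this.quantity = quantity; }

    // Binds request parameters onto a fresh OrderForm under an explicit allowlist
    // and returns the BindingResult so that rejected property paths can be inspected.
    public static BindingResult bindWithAllowlist(Map<String, Object> requestParams) {
        OrderForm target = new OrderForm();
        DataBinder binder = new DataBinder(target, "orderForm");
        // Allowlist of bindable fields: every other path, including "class.*",
        // is removed from the property values and recorded as suppressed.
        binder.setAllowedFields("name", "quantity");
        binder.bind(new MutablePropertyValues(requestParams));
        return binder.getBindingResult();
    }

    public static void main(String[] args) {
        // Constructed request parameters: two legitimate fields plus the
        // property path named in the advisory, which must never be bound.
        Map<String, Object> params = new LinkedHashMap<String, Object>();
        params.put("name", "widget");
        params.put("quantity", "3");
        params.put("class.classLoader", "rejected-value");

        BindingResult result = bindWithAllowlist(params);
        OrderForm bound = (OrderForm) result.getTarget();
        System.out.println("bound name=" + bound.getName()
                + " quantity=" + bound.getQuantity());
        // Suppressed fields are the audit signal worth logging in production.
        for (String field : result.getSuppressedFields()) {
            System.out.println("suppressed property path: " + field);
        }
    }
}
```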
Comment 1 Repository Robot 2010-09-28 14:14:07 MSD
spring2-0:2.5.6-alt2_6.SEC02jpp6 -> sisyphus:

* Tue Sep 28 2010 Igor Vlasenko <viy@altlinux> 0:2.5.6-alt2_6.SEC02jpp6
- new bugfix release SEC02 (closes: #23690)

* Tue Sep 28 2010 Igor Vlasenko <viy@altlinux> 0:2.5.6-alt2_6.SEC01jpp6
- new bugfix release SEC01