[Bug 1933808] New: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1933808
Bug ID: 1933808
Summary: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aileenc(a)redhat.com, akurtako(a)redhat.com,
andjrobins(a)gmail.com, chazlett(a)redhat.com,
dbhole(a)redhat.com, drieden(a)redhat.com,
ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, jjohnstn(a)redhat.com,
jkang(a)redhat.com, jochrist(a)redhat.com,
jvanek(a)redhat.com, jwon(a)redhat.com,
lef(a)fedoraproject.org, mat.booth(a)redhat.com,
mizdebsk(a)redhat.com, rgrunber(a)redhat.com
Target Milestone: ---
Classification: Other
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by
improper input validation by the NodePickerPanel. By using a specially-crafted
argument, an attacker could exploit this vulnerability to cause the underlying
server to make arbitrary GET requests.
References:
https://xmlgraphics.apache.org/security.html
https://www.openwall.com/lists/oss-security/2021/02/24/2
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1937440] New: CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1937440
Bug ID: 1937440
Summary: CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, akurtako(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
andjrobins(a)gmail.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
bbaranow(a)redhat.com, bibryam(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, darran.lofthouse(a)redhat.com,
dbhole(a)redhat.com, decathorpe(a)gmail.com,
devrim(a)gunduz.org, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eleandro(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, fjuma(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gvarsami(a)redhat.com,
hbraun(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jcoleman(a)redhat.com, jerboaa(a)gmail.com,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jperkins(a)redhat.com, jross(a)redhat.com,
jschatte(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, ldimaggi(a)redhat.com,
lef(a)fedoraproject.org, lgao(a)redhat.com,
loleary(a)redhat.com, mat.booth(a)redhat.com,
mizdebsk(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
nstielau(a)redhat.com, nwallace(a)redhat.com,
pantinor(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, rgrunber(a)redhat.com,
rguimara(a)redhat.com, rhcs-maint(a)redhat.com,
rrajasek(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, smaestri(a)redhat.com,
sochotni(a)redhat.com, spinder(a)redhat.com,
sponnaga(a)redhat.com, tcunning(a)redhat.com,
tflannag(a)redhat.com, theute(a)redhat.com,
tkirby(a)redhat.com, tom.jenkinson(a)redhat.com,
yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
An attacker that is able to modify Velocity templates may execute arbitrary
Java code or run arbitrary system commands with the same privileges as the
account running the Servlet container. This applies to applications that allow
untrusted users to upload/modify velocity templates running Apache Velocity
Engine versions up to 2.2.
References:
https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f8...
http://www.openwall.com/lists/oss-security/2021/03/10/1
[Bug 1900374] New: M2E plugin stop works after upgrade
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1900374
Bug ID: 1900374
Summary: M2E plugin stop works after upgrade
Product: Fedora
Version: 33
Hardware: x86_64
OS: Linux
Status: NEW
Component: eclipse-m2e-core
Severity: urgent
Assignee: mat.booth(a)redhat.com
Reporter: danielsun3164(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Created attachment 1732101
--> https://bugzilla.redhat.com/attachment.cgi?id=1732101&action=edit
.metadata/.log in new workspace
Description of problem:
I upgraded several eclipse packages today and the M2E plugin stopped working.
Version-Release number of selected component (if applicable):
$ rpm -q eclipse-platform eclipse-m2e-core lucene
eclipse-platform-4.17-3.fc33.x86_64
eclipse-m2e-core-1.16.2-1.fc33.noarch
lucene-8.6.3-1.fc33.noarch
How reproducible:
Every time
Steps to Reproduce:
1. Open eclipse in a new workspace
2. Create a new Maven Project
Actual results:
The following dialog was displayed:
title: Multiple problems have occurred
Message: The selected wizard could not be started.
Problem Opening Wizard
(Details:
The selected wizard could not be started.
Plug-in org.eclipse.m2e.core.ui was unable to load class
org.eclipse.m2e.core.ui.internal.wizards.MavenProjectWizard.
An error occurred while automatically activating bundle org.eclipse.m2e.core.ui
(5821).)
Updating Maven Dependencies
(Details:
An internal error occurred during: "Updating Maven Dependencies".
org/eclipse/m2e/core/internal/embedder/MavenExecutionContext)
Expected results:
M2E plugin should work without errors.
Additional info:
Opening an existing workspace with a Maven project got the same "Updating Maven
Dependencies" error.
[Bug 1889417] New: Eclipse Repository loader constraint violation after adding JBoss Developer Tools 4.16
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1889417
Bug ID: 1889417
Summary: Eclipse Repository loader constraint violation after adding JBoss Developer Tools 4.16
Product: Fedora
Version: 33
Status: NEW
Component: eclipse-m2e-core
Assignee: mat.booth(a)redhat.com
Reporter: shihping.chan(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
After adding the rest of JBoss Developer Tools 4.16.0 to a relatively clean
Eclipse, I get:
An internal error occurred during: "Repository registry initialization".
loader constraint violation: when resolving interface method
'org.apache.maven.index.context.IndexingContext
org.apache.maven.index.NexusIndexer.addIndexingContextForced(java.lang.String,
java.lang.String, java.io.File, org.apache.lucene.store.Directory,
java.lang.String, java.lang.String, java.util.List)' the class loader
org.eclipse.osgi.internal.loader.EquinoxClassLoader @ca944c6 of the current
class, org/eclipse/m2e/core/internal/index/nexus/NexusIndexManager, and the
class loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @34e347a5 for
the method's defining class, org/apache/maven/index/NexusIndexer, have
different Class objects for the type org/apache/lucene/store/Directory used in
the signature (org.eclipse.m2e.core.internal.index.nexus.NexusIndexManager is
in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader
@ca944c6, parent loader 'platform'; org.apache.maven.index.NexusIndexer is in
unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader
@34e347a5, parent loader 'platform')
Version-Release number of selected component (if applicable):
eclipse-emf-core-2.22.0-2.fc33.noarch
eclipse-usage-4.16.0-2.fc33.noarch
eclipse-swt-4.16-13.fc33.x86_64
eclipse-m2e-workspace-0.4.0-16.fc33.noarch
eclipse-equinox-osgi-4.16-13.fc33.x86_64
eclipse-ecf-core-3.14.8-5.fc33.noarch
eclipse-platform-4.16-13.fc33.x86_64
eclipse-jdt-4.16-13.fc33.noarch
eclipse-emf-runtime-2.22.0-2.fc33.noarch
eclipse-gef-3.11.0-13.fc33.noarch
eclipse-webtools-common-3.18.0-5.fc33.noarch
eclipse-p2-discovery-4.16-13.fc33.noarch
eclipse-webtools-servertools-3.18.0-5.fc33.noarch
eclipse-emf-xsd-2.22.0-2.fc33.noarch
eclipse-webtools-sourceediting-3.18.0-5.fc33.noarch
eclipse-m2e-core-1.16.1-2.fc33.noarch
eclipse-mpc-1.8.3-2.fc33.noarch
eclipse-pydev-7.7.0-1.fc33.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Remove ~/.eclipse
2. Note: part of JBoss Developer Tools 4.16.0 comes installed
3. Go to Marketplace, install every feature of 4.16.0.
Actual results:
On restart the following message
An internal error occurred during: "Repository registry initialization".
loader constraint violation: when resolving interface method
'org.apache.maven.index.context.IndexingContext
org.apache.maven.index.NexusIndexer.addIndexingContextForced(java.lang.String,
java.lang.String, java.io.File, org.apache.lucene.store.Directory,
java.lang.String, java.lang.String, java.util.List)' the class loader
org.eclipse.osgi.internal.loader.EquinoxClassLoader @ca944c6 of the current
class, org/eclipse/m2e/core/internal/index/nexus/NexusIndexManager, and the
class loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @34e347a5 for
the method's defining class, org/apache/maven/index/NexusIndexer, have
different Class objects for the type org/apache/lucene/store/Directory used in
the signature (org.eclipse.m2e.core.internal.index.nexus.NexusIndexManager is
in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader
@ca944c6, parent loader 'platform'; org.apache.maven.index.NexusIndexer is in
unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader
@34e347a5, parent loader 'platform')
Expected results:
Features are added with no errors
Additional info:
[Bug 2007124] New: eclipse does not start after install
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2007124
Bug ID: 2007124
Summary: eclipse does not start after install
Product: Fedora
Version: 33
OS: Linux
Status: NEW
Component: eclipse
Severity: urgent
Assignee: extras-orphan(a)fedoraproject.org
Reporter: customercare(a)resellerdesktop.de
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
extras-orphan(a)fedoraproject.org, jerboaa(a)gmail.com,
jjohnstn(a)redhat.com, lef(a)fedoraproject.org,
mat.booth(a)gmail.com, rgrunber(a)redhat.com
Target Milestone: ---
Classification: Fedora
Created attachment 1825508
--> https://bugzilla.redhat.com/attachment.cgi?id=1825508&action=edit
install log
Description of problem:
After installation of "eclipse" via "dnf install eclipse", eclipse does show a
splashscreen on startup and then fails horribly.
Startup Log + Install Log attached
Version-Release number of selected component (if applicable):
Name : eclipse-jdt
Epoch : 1
Version : 4.16
Release : 13.fc33
Architecture: noarch
Install Date: Do 23 Sep 2021 09:53:26 CEST
[Bug 2010270] New: Eclipse packages are not available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2010270
Bug ID: 2010270
Summary: Eclipse packages are not available
Product: Fedora
Version: 35
Status: NEW
Component: eclipse-cdt
Assignee: extras-orphan(a)fedoraproject.org
Reporter: sebastian.saletnik(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
extras-orphan(a)fedoraproject.org, jjohnstn(a)redhat.com,
rgrunber(a)redhat.com, TicoTimo(a)gmail.com
Target Milestone: ---
Classification: Fedora
Description of problem:
Eclipse packages are not available
How reproducible:
install the eclipse package with dnf
Steps to Reproduce:
dnf install eclipse-cdt
Actual results:
No match for argument: eclipse-cdt
Error: Unable to find a match: eclipse-cdt
Expected results:
install eclipse packages