[Bug 1902826] New: CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1902826
Bug ID: 1902826
Summary: CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aboyko(a)redhat.com,
aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, aos-bugs(a)redhat.com,
ataylor(a)redhat.com, bmontgom(a)redhat.com,
btofel(a)redhat.com, chazlett(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, etirelli(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gvarsami(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcoleman(a)redhat.com,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com,
mnovotny(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pbhattac(a)redhat.com,
pdrozd(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, sochotni(a)redhat.com,
sponnaga(a)redhat.com, sthorger(a)redhat.com,
tcunning(a)redhat.com, tkirby(a)redhat.com,
vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to
10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation
is enabled and requests from different clients are multiplexed onto a single
connection, and if an attacker can send a request with a body that is received
entirely but not consumed by the application, then a subsequent request on the
same connection will see that body prepended to its body. The attacker will not
see any data but may inject data into the body of the subsequent request.
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892
https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rr...
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1987437] New: eclipse-egit: FTBFS in Fedora rawhide/f35
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1987437
Bug ID: 1987437
Summary: eclipse-egit: FTBFS in Fedora rawhide/f35
Product: Fedora
Version: rawhide
Status: NEW
Component: eclipse-egit
Assignee: akurtako(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, andjrobins(a)gmail.com,
eclipse-sig(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, mat.booth(a)gmail.com,
rgrunber(a)redhat.com, rob.myers(a)gtri.gatech.edu
Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS)
Target Milestone: ---
Classification: Fedora
eclipse-egit failed to build from source in Fedora rawhide/f35
https://koji.fedoraproject.org/koji/taskinfo?taskID=72340515
For details on the mass rebuild see:
https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Please fix eclipse-egit at your earliest convenience and set the bug's status to
ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks,
eclipse-egit will be orphaned. Before the branching of Fedora 36,
eclipse-egit will be retired if it still fails to build.
For more details on the FTBFS policy, please visit:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fai...
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1927309
[Bug 1927309] Fedora 35 FTBFS Tracker
[Bug 1987441] New: eclipse-jgit: FTBFS in Fedora rawhide/f35
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1987441
Bug ID: 1987441
Summary: eclipse-jgit: FTBFS in Fedora rawhide/f35
Product: Fedora
Version: rawhide
Status: NEW
Component: eclipse-jgit
Assignee: akurtako(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, andjrobins(a)gmail.com,
eclipse-sig(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, mat.booth(a)gmail.com,
rgrunber(a)redhat.com
Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS)
Target Milestone: ---
Classification: Fedora
eclipse-jgit failed to build from source in Fedora rawhide/f35
https://koji.fedoraproject.org/koji/taskinfo?taskID=72340549
For details on the mass rebuild see:
https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Please fix eclipse-jgit at your earliest convenience and set the bug's status to
ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks,
eclipse-jgit will be orphaned. Before the branching of Fedora 36,
eclipse-jgit will be retired if it still fails to build.
For more details on the FTBFS policy, please visit:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fai...
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1927309
[Bug 1927309] Fedora 35 FTBFS Tracker
[Bug 1988028] New: tycho: FTBFS in Fedora rawhide/f35
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1988028
Bug ID: 1988028
Summary: tycho: FTBFS in Fedora rawhide/f35
Product: Fedora
Version: rawhide
Status: NEW
Component: tycho
Assignee: akurtako(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mat.booth(a)gmail.com,
mizdebsk(a)redhat.com, rgrunber(a)redhat.com,
sochotni(a)redhat.com
Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS)
Target Milestone: ---
Classification: Fedora
tycho failed to build from source in Fedora rawhide/f35
https://koji.fedoraproject.org/koji/taskinfo?taskID=72516669
For details on the mass rebuild see:
https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Please fix tycho at your earliest convenience and set the bug's status to
ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks,
tycho will be orphaned. Before the branching of Fedora 36,
tycho will be retired if it still fails to build.
For more details on the FTBFS policy, please visit:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fai...
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1927309
[Bug 1927309] Fedora 35 FTBFS Tracker
[Bug 2002524] New: Marketplace eclipse-mpc
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2002524
Bug ID: 2002524
Summary: Marketplace eclipse-mpc
Product: Fedora
Version: 34
Hardware: x86_64
OS: Linux
Status: NEW
Component: eclipse-mpc
Severity: high
Assignee: extras-orphan(a)fedoraproject.org
Reporter: flydove(a)qq.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
extras-orphan(a)fedoraproject.org, mat.booth(a)gmail.com,
rgrunber(a)redhat.com
Target Milestone: ---
Classification: Fedora
Eclipse Marketplace is not found on the Help menu.
[Bug 1933816] New: CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1933816
Bug ID: 1933816
Summary: CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
akurtako(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, andjrobins(a)gmail.com,
anstephe(a)redhat.com, bibryam(a)redhat.com,
chazlett(a)redhat.com, dbhole(a)redhat.com,
drieden(a)redhat.com, ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
etirelli(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hbraun(a)redhat.com, ibek(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
jerboaa(a)gmail.com, jjohnstn(a)redhat.com,
jkang(a)redhat.com, jochrist(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
lef(a)fedoraproject.org, mat.booth(a)redhat.com,
mcermak(a)redhat.com, mizdebsk(a)redhat.com,
mnovotny(a)redhat.com, mprchlik(a)redhat.com,
pantinor(a)redhat.com, patrickm(a)redhat.com,
pjindal(a)redhat.com, rgrunber(a)redhat.com,
rlandman(a)redhat.com, rrajasek(a)redhat.com,
rsynek(a)redhat.com, sdaley(a)redhat.com,
vkadlcik(a)redhat.com
Target Milestone: ---
Classification: Other
Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery (SSRF),
caused by improper input validation by the XMPParser. By supplying a
specially crafted argument, an attacker could exploit this vulnerability to
cause the underlying server to make arbitrary GET requests.
References:
https://xmlgraphics.apache.org/security.html
https://www.openwall.com/lists/oss-security/2021/02/24/1