[Bug 958727] New: plexus-utils: XMLWriterUtil should guard against problematic comments
by Red Hat Bugzilla
Product: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=958727
Bug ID: 958727
Summary: plexus-utils: XMLWriterUtil should guard against
problematic comments
Product: Fedora
Version: rawhide
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Blocks: 958220
Category: ---
org.codehaus.plexus.util.xml#writeComment(XMLWriter, String, int, int, int)
does not check if the comment includes a "-->" sequence. This means that text
contained in the command string could be interpreted as XML, possibly leading
to XML injection issues, depending on how this method is being called.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=N5myzkUcYQ&a=cc_unsubscribe
7 years, 12 months
[Bug 958221] New: plexus-utils: directory traversal in org.codehaus.plexus.util.Expand
by Red Hat Bugzilla
Product: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=958221
Bug ID: 958221
Summary: plexus-utils: directory traversal in
org.codehaus.plexus.util.Expand
Product: Fedora
Version: rawhide
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Blocks: 958220
Category: ---
org.codehaus.plexus.util.Expand does not guard against directory traversal, but
such protection is generally expected from unarchiving tools.
I think the class should just be deprecated and removed because there do not
appear to be any users left (not even a test case).
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=hp1lhU9LQd&a=cc_unsubscribe
7 years, 12 months
[Bug 1185148] New: CVE-2014-9634 Jenkins on Tomcat: failure to set secure flag on cookies
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185148
Bug ID: 1185148
Summary: CVE-2014-9634 Jenkins on Tomcat: failure to set secure
flag on cookies
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jdetiber(a)redhat.com, jialiu(a)redhat.com,
jkeck(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com
Yann Rouillard reports:
Jenkins on Tomcat fails to set the secure flag on cookies.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=gU5XTmvmU1&a=cc_unsubscribe
8 years, 2 months
[Bug 1185151] New: CVE-2014-9635 Jenkins on Tomcat: failure to set httponly flag on cookies
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185151
Bug ID: 1185151
Summary: CVE-2014-9635 Jenkins on Tomcat: failure to set
httponly flag on cookies
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jdetiber(a)redhat.com, jialiu(a)redhat.com,
jkeck(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com
Yann Rouillard reports:
Jenkins on Tomcat fails to set the httponly flag on cookies.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=6JvfkFVyd4&a=cc_unsubscribe
8 years, 2 months
[Bug 1140314] New: CVE-2013-4444 tomcat: remote code execution via uploaded JSP
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1140314
Bug ID: 1140314
Summary: CVE-2013-4444 tomcat: remote code execution via
uploaded JSP
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: vdanen(a)redhat.com
CC: akurtako(a)redhat.com, dknox(a)redhat.com,
gmurphy(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jdoyle(a)redhat.com,
krzysztof.daniel(a)gmail.com, lgao(a)redhat.com,
myarboro(a)redhat.com, pslavice(a)redhat.com,
rsvoboda(a)redhat.com, weli(a)redhat.com
As reported fixed in Apache Tomcat 7.0.40 [1]:
In very limited circumstances, it was possible for an attacker to upload a
malicious JSP to a Tomcat server and then trigger the execution of that JSP.
While Remote Code Execution would normally be viewed as a critical
vulnerability, the circumstances under which this is possible are, in the view
of the Tomcat security team, sufficiently limited that this vulnerability is
viewed as important.
For this attack to succeed all of the following requirements must be met:
1. Using Oracle Java 1.7.0 update 25 or earlier (or any other Java
implementation where java.io.File is vulnerable to null byte injection).
2. A web application must be deployed to a vulnerable version of Tomcat.
3. The web application must use the Servlet 3.0 File Upload feature.
4. A file location within a deployed web application must be writeable by the
user the Tomcat process is running as. The Tomcat security documentation
recommends against this.
5. A custom listener for JMX connections (e.g. the JmxRemoteListener that is
not enabled by default) must be configured and be able to load classes from
Tomcat's common class loader (i.e. the custom JMX listener must be placed in
Tomcat's lib directory).
6. The custom JMX listener must be bound to an address other than localhost for
a remote attack (it is bound to localhost by default). If the custom JMX
listener is bound to localhost, a local attack will still be possible.
Note that requirements 2 and 3 may be replaced with the following requirement:
7. A web application is deployed that uses Apache Commons File Upload 1.2.1 or
earlier.
In this case (requirements 1, 4, 5, 6 and 7 met) a similar vulnerability may
exist on any Servlet container, not just Apache Tomcat.
This was fixed in revision 1470437. [2] (April 22, 2013)
This issue was identified by Pierre Ernst of the VMware Security Engineering,
Communications and Response group (vSECR) and reported to the Tomcat security
team via the Pivotal security team on 5 September 2014. It was made public on
10 September 2014.
Affects: 7.0.0 to 7.0.39
[1] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
[2] http://svn.apache.org/viewvc?view=revision&revision=1470437
Statement:
This issue did not affect the versions of tomcat as shipped with Red Hat
Enterprise Linux 5, 6, or 7 nor the versions of tomcat as shipped with JBoss
Enterprise Web Server.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=NIGlAdEiPm&a=cc_unsubscribe
8 years, 2 months
[Bug 1004916] New: Package doesn't provide a sysvinit script or systemd service unit
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1004916
Bug ID: 1004916
Summary: Package doesn't provide a sysvinit script or systemd
service unit
Product: Fedora
Version: 19
Component: activemq
Severity: high
Assignee: mspaulding06(a)gmail.com
Reporter: skottler(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: agrimm(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mspaulding06(a)gmail.com, tdawson(a)redhat.com
Description of problem:
activemq doesn't provide the necessary scripts/config files to start.
Version-Release number of selected component (if applicable):
0:5.6.0-5.fc19
How reproducible:
Always.
Steps to Reproduce:
1. yum install -y activemq activemq-core
2. try starting the service
3. note there is not a service unit
This seems like a fairly major thing to be missing in the packages. Is there
another package or metapackage that needs to be installed for it to work?
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=IC3tNZ0uDP&a=cc_unsubscribe
8 years, 3 months
[Bug 1127276] New: CVE-2014-5075 smack: MitM vulnerability
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1127276
Bug ID: 1127276
Summary: CVE-2014-5075 smack: MitM vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: brms-jira(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
pavelp(a)redhat.com, puntogil(a)libero.it,
tkirby(a)redhat.com, weli(a)redhat.com
It was reported [1] that Smack (XMPP client library) is vulnerable to MitM
attacks with a crafted SSL certificates.
Quote from [1]:
...
Details
-------
Smack is using Java's `SSLSocket`, which checks the peer certificate
using an `X509TrustManager`, but does not perform hostname verification.
Therefore, it is possible to redirect the traffic between a Smack-using
application and a legitimate XMPP server through the attacker's server,
merely by providing a valid certificate for a domain under the
attacker's control.
In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager`
implementation was used, which was supplied with the connection's server
name, and performed hostname verification. However, it failed to verify
the basicConstraints and nameConstraints of the certificate chain
(CVE-2014-0363, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363)
and has been removed in Smack 4.0.0.
Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did
not benefit from `ServerTrustManager` and are vulnerable as well, unless
their own `TrustManager` implementation explicitly performs hostname
verification.
...
[1]: http://seclists.org/bugtraq/2014/Aug/29
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=vQuZmnHNAP&a=cc_unsubscribe
8 years, 3 months