https://bugzilla.redhat.com/show_bug.cgi?id=1340421
Bug ID: 1340421
Summary: apache-poi-3.15-beta1-20160409 is available
Product: Fedora
Version: rawhide
Component: apache-poi
Assignee: mat.booth(a)redhat.com
Reporter: puntogil(a)libero.it
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mat.booth(a)redhat.com, puntogil(a)libero.it
Latest upstream release: 3.15-beta1-20160409
Current version/release in rawhide: 3.14-1.fc25
URL: http://www.apache.org/dist/poi/dev/src/http://www.apache.org/dist/poi/release/src
Please, consider upgrading
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1564408
Yasuhiro Ozone <yozone(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |yozone(a)redhat.com
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1559905
Bug ID: 1559905
Summary: CVE-2018-8881 nasm: Heap overflow in function tokenize
in asm/preproc.c
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
Netwide Assembler (NASM) 2.13.02rc2 has a heap-based buffer over-read in the
function tokenize in asm/preproc.c, related to an unterminated string.
References:
https://bugzilla.nasm.us/show_bug.cgi?id=3392446
Patch:
https://github.com/cyrillos/nasm/commit/3144e84add8b152cc7a71e44617ce6f21da…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1567720
Sam Fowler <sfowler(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1567719 (CVE-2018-10016)
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1567719
[Bug 1567719] CVE-2018-10016 nasm: Divide-by-zero asm/eval.c:expr5() allows
for crash via crafted file
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1567720
--- Comment #1 from Sam Fowler <sfowler(a)redhat.com> ---
Use the following template to for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associated bugs get updated
when new packages are pushed to stable.
=====
# bugfix, security, enhancement, newpackage (required)
type=security
# testing, stable
request=testing
# Bug numbers: 1234,9876
bugs=1567719,1567720
# Description of your update
notes=Security fix for [PUT CVEs HERE]
# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3
# Automatically close bugs when this marked as stable
close_bugs=True
# Suggest that users restart after update
suggest_reboot=False
======
Additionally, you may opt to use the bodhi web interface to submit updates:
https://bodhi.fedoraproject.org/updates/new
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1462702
Hooman Broujerdi <hghasemb(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|70714,reported=20170616,sou |70714,reported=20170616,sou
|rce=researcher,cvss3=8.1/CV |rce=researcher,cvss3=8.1/CV
|SS:3.0/AV:N/AC:H/PR:N/UI:N/ |SS:3.0/AV:N/AC:H/PR:N/UI:N/
|S:U/C:H/I:H/A:H,cwe=CWE-20, |S:U/C:H/I:H/A:H,cwe=CWE-20,
|amq-6/jackson-databind=nota |amq-6/jackson-databind=wont
|ffected,jdg-7/jackson-datab |fix,jdg-7/jackson-databind=
|ind=affected,jdv-6/jackson- |affected,jdv-6/jackson-data
|databind=affected,eap-7/jac |bind=affected,eap-7/jackson
|kson-databind=affected,bpms |-databind=affected,bpms-6/j
|-6/jackson-databind=affecte |ackson-databind=affected,br
|d,brms-6/jackson-databind=a |ms-6/jackson-databind=affec
|ffected,fuse-6/jackson-data |ted,fuse-6/jackson-databind
|bind=notaffected,openshift- |=wontfix,openshift-enterpri
|enterprise-2/jackson-databi |se-2/jackson-databind=wontf
|nd=wontfix,rhn_satellite_6/ |ix,rhn_satellite_6/jackson-
|jackson-databind=affected/i |databind=affected/impact=lo
|mpact=low,rhmap-4/jackson-d |w,rhmap-4/jackson-databind=
|atabind=notaffected,sam-1/j |notaffected,sam-1/jackson-d
|ackson-databind=wontfix,rhe |atabind=wontfix,rhev-m-3/ja
|v-m-3/jasperreports-server- |sperreports-server-pro=wont
|pro=wontfix,rhev-m-4/eap7-j |fix,rhev-m-4/eap7-jackson-d
|ackson-databind=affected,rh |atabind=affected,rhscl-2/rh
|scl-2/rh-eclipse46-jackson- |-eclipse46-jackson-databind
|databind=affected,fedora-al |=affected,fedora-all/jackso
|l/jackson-databind=affected |n-databind=affected,jon-3/C
|,jon-3/Core |ore
|Server=notaffected,eap-6/ja |Server=notaffected,eap-6/ja
|ckson-databind=affected,dts |ckson-databind=affected,dts
|-4/devtoolset-4-jackson-dat |-4/devtoolset-4-jackson-dat
|abind=affected,rhscl-3/rh-m |abind=affected,rhscl-3/rh-m
|aven35-jackson-databind=aff |aven35-jackson-databind=aff
|ected,vertx-3/jackson-datab |ected,vertx-3/jackson-datab
|ind=notaffected,swarm-7/jac |ind=notaffected,swarm-7/jac
|kson-databind=notaffected |kson-databind=notaffected
--- Comment #56 from Hooman Broujerdi <hghasemb(a)redhat.com> ---
Statement:
Although JBoss Fuse ships the vulnerable version of jackson-databind, however
it does not call on enableDefaultTyping() for any polymorphic deserialization
operations which is the root cause of this vulnerability. We have raised a Jira
tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however
due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse
6.3.
--
You are receiving this mail because:
You are on the CC list for the bug.