java-sig-commits July 2020

java-sig-commits@lists.fedoraproject.org

1 participants
430 discussions

[Bug 1819697] New: CVE-2019-10393 jenkins-script-security-plugin: handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts
by bugzilla＠redhat.com 08 Jul '20

08 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1819697 Bug ID: 1819697 Summary: CVE-2019-10393 jenkins-script-security-plugin: handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: abenaiss(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, pbhattac(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com Target Milestone: --- Classification: Other A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts. Reference: http://www.openwall.com/lists/oss-security/2019/09/12/2 -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1819692] New: CVE-2019-10394 jenkins-script-security-plugin: handling of property names in property expressions on the left-hand side of assignment expression leads to execute arbitrary code in sandboxed scripts
by bugzilla＠redhat.com 08 Jul '20

08 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1819692 Bug ID: 1819692 Summary: CVE-2019-10394 jenkins-script-security-plugin: handling of property names in property expressions on the left-hand side of assignment expression leads to execute arbitrary code in sandboxed scripts Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: abenaiss(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, pbhattac(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com Target Milestone: --- Classification: Other A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts. Reference: http://www.openwall.com/lists/oss-security/2019/09/12/2 -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1393454] CVE-2016-1000031 Apache Commons FileUpload: DiskFileItem file manipulation
by bugzilla＠redhat.com 07 Jul '20

07 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1393454 Jonathan Christison <jochrist(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ataylor(a)redhat.com, | |ganandan(a)redhat.com, | |jochrist(a)redhat.com, | |jwon(a)redhat.com -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1806398] CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
by bugzilla＠redhat.com 07 Jul '20

07 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1806398 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:2840 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1806398] CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
by bugzilla＠redhat.com 07 Jul '20

07 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1806398 --- Comment #140 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:2840 https://access.redhat.com/errata/RHSA-2020:2840 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1850842] New: jackson-databind-2.11.1 is available
by bugzilla＠redhat.com 06 Jul '20

06 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1850842 Bug ID: 1850842 Summary: jackson-databind-2.11.1 is available Product: Fedora Version: rawhide Status: NEW Component: jackson-databind Keywords: FutureFeature, Triaged Assignee: decathorpe(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 2.11.1 Current version/release in rawhide: 2.11.0-1.fc33 URL: https://github.com/FasterXML/jackson-databind/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/10963/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1850843] New: jackson-core-2.11.1 is available
by bugzilla＠redhat.com 06 Jul '20

06 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1850843 Bug ID: 1850843 Summary: jackson-core-2.11.1 is available Product: Fedora Version: rawhide Status: NEW Component: jackson-core Keywords: FutureFeature, Triaged Assignee: decathorpe(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it, roman(a)fenkhuber.at, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 2.11.1 Current version/release in rawhide: 2.11.0-1.fc33 URL: https://github.com/FasterXML/jackson-core Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/10962/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1850841] New: jackson-annotations-2.11.1 is available
by bugzilla＠redhat.com 06 Jul '20

06 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1850841 Bug ID: 1850841 Summary: jackson-annotations-2.11.1 is available Product: Fedora Version: rawhide Status: NEW Component: jackson-annotations Keywords: FutureFeature, Triaged Assignee: decathorpe(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 2.11.1 Current version/release in rawhide: 2.11.0-1.fc33 URL: https://github.com/FasterXML/jackson-annotations Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/89327/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1664731] New: CVE-2018-20433 c3p0: XML external entity processing in extractXmlConfigFromInputStream [epel-7]
by bugzilla＠redhat.com 06 Jul '20

06 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1664731 Bug ID: 1664731 Summary: CVE-2018-20433 c3p0: XML external entity processing in extractXmlConfigFromInputStream [epel-7] Product: Fedora EPEL Version: epel7 Status: NEW Component: c3p0 Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: dingyichen(a)gmail.com Reporter: anemec(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dingyichen(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, mat.booth(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-7. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1709862] New: CVE-2019-5427 c3p0: loading XML configuration leads to denial of service [epel-7]
by bugzilla＠redhat.com 06 Jul '20

06 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1709862 Bug ID: 1709862 Summary: CVE-2019-5427 c3p0: loading XML configuration leads to denial of service [epel-7] Product: Fedora EPEL Version: epel7 Status: NEW Component: c3p0 Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: dingyichen(a)gmail.com Reporter: msiddiqu(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, dingyichen(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, mat.booth(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-7. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. -- You are receiving this mail because: You are on the CC list for the bug.

1 4

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits July 2020