java-sig-commits August 2021

java-sig-commits@lists.fedoraproject.org

1 participants
320 discussions

[Bug 1866569] New: apache-commons-net-3.7 is available
by bugzilla＠redhat.com 07 Sep '22

07 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1866569 Bug ID: 1866569 Summary: apache-commons-net-3.7 is available Product: Fedora Version: rawhide Status: NEW Component: apache-commons-net Keywords: FutureFeature, Triaged Assignee: luis(a)blackfile.net Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, luis(a)blackfile.net, mizdebsk(a)redhat.com, sochotni(a)redhat.com, SpikeFedora(a)gmail.com Target Milestone: --- Classification: Fedora Latest upstream release: 3.7 Current version/release in rawhide: 3.6-8.fc32 URL: http://www.apache.org/dist/commons/net/source/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/81/ -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1982336] New: CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive
by bugzilla＠redhat.com 31 Aug '22

31 Aug '22

https://bugzilla.redhat.com/show_bug.cgi?id=1982336 Bug ID: 1982336 Summary: CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, bbaranow(a)redhat.com, bibryam(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, darran.lofthouse(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eleandro(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, fjuma(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, jaromir.capik(a)email.cz, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jrokos(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, loleary(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msrb(a)redhat.com, msvehla(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, rguimara(a)redhat.com, rrajasek(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rwagner(a)redhat.com, sd-operator-metering(a)redhat.com, smaestri(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tflannag(a)redhat.com, theute(a)redhat.com, tkirby(a)redhat.com, tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com, vbobade(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected. Reference: https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00… -- You are receiving this mail because: You are on the CC list for the bug.

1 14

[Bug 1981903] New: CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive
by bugzilla＠redhat.com 30 Aug '22

30 Aug '22

https://bugzilla.redhat.com/show_bug.cgi?id=1981903 Bug ID: 1981903 Summary: CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: dblechte(a)redhat.com, dfediuck(a)redhat.com, eedri(a)redhat.com, hhorak(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jorton(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, mkoncek(a)redhat.com, sbonazzo(a)redhat.com, sherold(a)redhat.com, SpikeFedora(a)gmail.com, yturgema(a)redhat.com Target Milestone: --- Classification: Other When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. References: https://commons.apache.org/proper/commons-compress/security-reports.html https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f… http://www.openwall.com/lists/oss-security/2021/07/13/3 -- You are receiving this mail because: You are on the CC list for the bug.

1 17

[Bug 1981909] New: CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive
by bugzilla＠redhat.com 30 Aug '22

30 Aug '22

https://bugzilla.redhat.com/show_bug.cgi?id=1981909 Bug ID: 1981909 Summary: CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: dblechte(a)redhat.com, dfediuck(a)redhat.com, eedri(a)redhat.com, hhorak(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jorton(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, mkoncek(a)redhat.com, sbonazzo(a)redhat.com, sherold(a)redhat.com, SpikeFedora(a)gmail.com, yturgema(a)redhat.com Target Milestone: --- Classification: Other When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. References: https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405… https://commons.apache.org/proper/commons-compress/security-reports.html http://www.openwall.com/lists/oss-security/2021/07/13/4 -- You are receiving this mail because: You are on the CC list for the bug.

1 18

[Bug 1981900] New: CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive
by bugzilla＠redhat.com 30 Aug '22

30 Aug '22

https://bugzilla.redhat.com/show_bug.cgi?id=1981900 Bug ID: 1981900 Summary: CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: dblechte(a)redhat.com, dfediuck(a)redhat.com, eedri(a)redhat.com, hhorak(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jorton(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, mkoncek(a)redhat.com, sbonazzo(a)redhat.com, sherold(a)redhat.com, SpikeFedora(a)gmail.com, yturgema(a)redhat.com Target Milestone: --- Classification: Other When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. References: https://commons.apache.org/proper/commons-compress/security-reports.html https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12… http://www.openwall.com/lists/oss-security/2021/07/13/2 -- You are receiving this mail because: You are on the CC list for the bug.

1 19

[Bug 1981895] New: CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive
by bugzilla＠redhat.com 30 Aug '22

30 Aug '22

https://bugzilla.redhat.com/show_bug.cgi?id=1981895 Bug ID: 1981895 Summary: CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: dblechte(a)redhat.com, dfediuck(a)redhat.com, eedri(a)redhat.com, hhorak(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jorton(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, mkoncek(a)redhat.com, sbonazzo(a)redhat.com, sherold(a)redhat.com, SpikeFedora(a)gmail.com, yturgema(a)redhat.com Target Milestone: --- Classification: Other When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. References: https://commons.apache.org/proper/commons-compress/security-reports.html https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fe… http://www.openwall.com/lists/oss-security/2021/07/13/1 -- You are receiving this mail because: You are on the CC list for the bug.

1 19

[Bug 1987678] New: lucene: FTBFS in Fedora rawhide/f35
by bugzilla＠redhat.com 09 Aug '22

09 Aug '22

https://bugzilla.redhat.com/show_bug.cgi?id=1987678 Bug ID: 1987678 Summary: lucene: FTBFS in Fedora rawhide/f35 Product: Fedora Version: rawhide Status: NEW Component: lucene Assignee: akurtako(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, dbhole(a)redhat.com, dchen(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com, lef(a)fedoraproject.org, rgrunber(a)redhat.com Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS) Target Milestone: --- Classification: Fedora lucene failed to build from source in Fedora rawhide/f35 https://koji.fedoraproject.org/koji/taskinfo?taskID=72400674 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Please fix lucene at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, lucene will be orphaned. Before branching of Fedora 36, lucene will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails… Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1927309 [Bug 1927309] Fedora 35 FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 1996787] New: objectweb-asm has missing osgi metadata since the upgrade to 9.1
by bugzilla＠redhat.com 26 Jul '22

26 Jul '22

https://bugzilla.redhat.com/show_bug.cgi?id=1996787 Bug ID: 1996787 Summary: objectweb-asm has missing osgi metadata since the upgrade to 9.1 Product: Fedora Version: rawhide Status: NEW Component: objectweb-asm Assignee: mizdebsk(a)redhat.com Reporter: sergio(a)serjux.com QA Contact: extras-qa(a)fedoraproject.org CC: dwalluck(a)redhat.com, fnasser(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Description of problem: objectweb-asm has missing osgi metadata since the upgrade to 9.1 Version-Release number of selected component (if applicable): objectweb-asm-9.1-3.fc35.noarch.rpm -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1981544] New: CVE-2021-30640 tomcat: JNDI realm authentication weakness
by bugzilla＠redhat.com 07 Jul '22

07 Jul '22

https://bugzilla.redhat.com/show_bug.cgi?id=1981544 Bug ID: 1981544 Summary: CVE-2021-30640 tomcat: JNDI realm authentication weakness Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bgeorges(a)redhat.com, bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmoulliard(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eleandro(a)redhat.com, etirelli(a)redhat.com, fjuma(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gzaronik(a)redhat.com, huwang(a)redhat.com, ibek(a)redhat.com, ikanello(a)redhat.com, ivan.afonichev(a)gmail.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jclere(a)redhat.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jrokos(a)redhat.com, jschatte(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nwallace(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, szappis(a)redhat.com, tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. Reference: https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688… -- You are receiving this mail because: You are on the CC list for the bug.

1 16

[Bug 1981533] New: CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
by bugzilla＠redhat.com 07 Jul '22

07 Jul '22

https://bugzilla.redhat.com/show_bug.cgi?id=1981533 Bug ID: 1981533 Summary: CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bgeorges(a)redhat.com, bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmoulliard(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eleandro(a)redhat.com, etirelli(a)redhat.com, fjuma(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gzaronik(a)redhat.com, huwang(a)redhat.com, ibek(a)redhat.com, ikanello(a)redhat.com, ivan.afonichev(a)gmail.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jclere(a)redhat.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jrokos(a)redhat.com, jschatte(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nwallace(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, szappis(a)redhat.com, tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. Reference: https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232… -- You are receiving this mail because: You are on the CC list for the bug.

1 16

← Newer
1
2
3
4
5
6
7
8
...
32
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits August 2021