https://bugzilla.redhat.com/show_bug.cgi?id=1866569
Bug ID: 1866569
Summary: apache-commons-net-3.7 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: apache-commons-net
Keywords: FutureFeature, Triaged
Assignee: luis(a)blackfile.net
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
luis(a)blackfile.net, mizdebsk(a)redhat.com,
sochotni(a)redhat.com, SpikeFedora(a)gmail.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 3.7
Current version/release in rawhide: 3.6-8.fc32
URL: http://www.apache.org/dist/commons/net/source/
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/81/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1982336
Bug ID: 1982336
Summary: CVE-2021-36373 ant: excessive memory allocation when
reading a specially crafted TAR archive
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, bbaranow(a)redhat.com,
bibryam(a)redhat.com, bmaxwell(a)redhat.com,
bmontgom(a)redhat.com, brian.stansberry(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
darran.lofthouse(a)redhat.com, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
eleandro(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, fjuma(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
gvarsami(a)redhat.com, hbraun(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com, jaromir.capik(a)email.cz,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcoleman(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jolee(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jrokos(a)redhat.com,
jschatte(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, ldimaggi(a)redhat.com,
lgao(a)redhat.com, loleary(a)redhat.com,
mizdebsk(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msrb(a)redhat.com,
msvehla(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pantinor(a)redhat.com,
pbhattac(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, rguimara(a)redhat.com,
rrajasek(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rwagner(a)redhat.com,
sd-operator-metering(a)redhat.com, smaestri(a)redhat.com,
spinder(a)redhat.com, sponnaga(a)redhat.com,
tcunning(a)redhat.com, tflannag(a)redhat.com,
theute(a)redhat.com, tkirby(a)redhat.com,
tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com,
vbobade(a)redhat.com, yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
When reading a specially crafted TAR archive, an Apache Ant build can be made to
allocate large amounts of memory that finally leads to an out-of-memory error,
even for small inputs. This can be used to disrupt builds using Apache Ant.
Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.
Reference:
https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00…
https://bugzilla.redhat.com/show_bug.cgi?id=1981903
Bug ID: 1981903
Summary: CVE-2021-35517 apache-commons-compress: excessive
memory allocation when reading a specially crafted TAR
archive
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: dblechte(a)redhat.com, dfediuck(a)redhat.com,
eedri(a)redhat.com, hhorak(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
mkoncek(a)redhat.com, sbonazzo(a)redhat.com,
sherold(a)redhat.com, SpikeFedora(a)gmail.com,
yturgema(a)redhat.com
Target Milestone: ---
Classification: Other
When reading a specially crafted TAR archive, Compress can be made to allocate
large amounts of memory that finally leads to an out of memory error even for
very small inputs. This could be used to mount a denial of service attack
against services that use Compress' tar package.
References:
https://commons.apache.org/proper/commons-compress/security-reports.html
https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f…
http://www.openwall.com/lists/oss-security/2021/07/13/3
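The Ant report above and this Compress report describe the same shape of failure: an archive reader takes a size from the input and allocates on the strength of it before checking whether the archive can possibly contain that many bytes. The reader below is an added example written for this page, not code from Ant, Commons Compress or the Fedora package. It walks plain ustar headers and refuses to materialise an entry whose declared size exceeds either a configurable cap (the 64 MiB value is an assumption) or the number of bytes that actually follow the header. The three archives at the bottom are constructed in-line so the script runs offline.

```python
BLOCK = 512
# Policy cap on a single entry; an assumption for this example. A real service
# would set it to what it can afford to hold in memory for one entry.
MAX_ENTRY_BYTES = 64 * 1024 * 1024


class UnsafeArchive(ValueError):
    """Raised before any allocation is made on behalf of an untrusted size."""


def _octal_field(raw: bytes) -> int:
    text = raw.split(b"\0", 1)[0].strip(b" ")
    return int(text, 8) if text else 0


def _checksum(header: bytes) -> int:
    # The ustar checksum is computed with its own field treated as eight spaces.
    return sum(header[:148]) + 8 * 0x20 + sum(header[156:])


def read_entries(data: bytes, max_entry_bytes: int = MAX_ENTRY_BYTES):
    """Walk ustar headers and return [(name, body)], validating every declared
    size against the policy cap and against the bytes actually present before
    the body is touched."""
    entries = []
    offset = 0
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == b"\0" * BLOCK:
            break  # end-of-archive marker
        if _octal_field(header[148:156]) != _checksum(header):
            raise UnsafeArchive(f"bad header checksum at offset {offset}")
        name = header[:100].split(b"\0", 1)[0].decode("ascii", "replace")
        size = _octal_field(header[124:136])
        if size > max_entry_bytes:
            raise UnsafeArchive(f"{name}: declared size {size} exceeds cap {max_entry_bytes}")
        remaining = len(data) - (offset + BLOCK)
        if size > remaining:
            raise UnsafeArchive(f"{name}: declared size {size} but only {remaining} bytes follow")
        # Only now is it safe to materialise the body (in Java terms: new byte[size]).
        body = data[offset + BLOCK:offset + BLOCK + size]
        entries.append((name, body))
        offset += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
    return entries


def is_safe(data: bytes) -> bool:
    """True when every entry passes the size checks, False when one is refused."""
    try:
        read_entries(data)
        return True
    except UnsafeArchive:
        return False


def make_header(name: str, size: int) -> bytes:
    """Build a minimal ustar header (constructed test data, not a real archive tool)."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode("ascii")
    h[100:108] = b"0000644\0"          # mode
    h[108:116] = b"0000000\0"          # uid
    h[116:124] = b"0000000\0"          # gid
    h[124:136] = f"{size:011o}".encode("ascii") + b"\0"  # size, octal
    h[136:148] = b"00000000000\0"      # mtime
    h[156] = ord("0")                  # regular file
    h[257:263] = b"ustar\0"
    h[263:265] = b"00"
    h[148:156] = f"{_checksum(bytes(h)):06o}".encode("ascii") + b"\0 "
    return bytes(h)


# Constructed samples: a valid archive, one claiming a 1 GiB entry while carrying
# 1 KiB, and one whose declared size is under the cap but not actually present.
GOOD_ARCHIVE = make_header("hello.txt", 6) + b"hello\n" + b"\0" * 506 + b"\0" * 1024
OVERSIZED_ARCHIVE = make_header("big.bin", 1 << 30) + b"\0" * 1024
TRUNCATED_ARCHIVE = make_header("trunc.bin", 4096) + b"\0" * 512

if __name__ == "__main__":
    for label, blob in (("good", GOOD_ARCHIVE), ("oversized", OVERSIZED_ARCHIVE),
                        ("truncated", TRUNCATED_ARCHIVE)):
        try:
            print(label, "->", [(n, len(b)) for n, b in read_entries(blob)])
        except UnsafeArchive as exc:
            print(label, "-> refused:", exc)
```

The second check (declared size against bytes remaining) is the one that matters for a streaming reader: a cap alone still lets a few hundred bytes of input request a cap-sized buffer per entry, so in a service that unpacks many archives concurrently the cap should be sized with that multiplier in mind.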
https://bugzilla.redhat.com/show_bug.cgi?id=1981909
Bug ID: 1981909
Summary: CVE-2021-36090 apache-commons-compress: excessive
memory allocation when reading a specially crafted ZIP
archive
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: dblechte(a)redhat.com, dfediuck(a)redhat.com,
eedri(a)redhat.com, hhorak(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
mkoncek(a)redhat.com, sbonazzo(a)redhat.com,
sherold(a)redhat.com, SpikeFedora(a)gmail.com,
yturgema(a)redhat.com
Target Milestone: ---
Classification: Other
When reading a specially crafted ZIP archive, Compress can be made to allocate
large amounts of memory that finally leads to an out of memory error even for
very small inputs. This could be used to mount a denial of service attack
against services that use Compress' zip package.
References:
https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405…
https://commons.apache.org/proper/commons-compress/security-reports.html
http://www.openwall.com/lists/oss-security/2021/07/13/4
https://bugzilla.redhat.com/show_bug.cgi?id=1981900
Bug ID: 1981900
Summary: CVE-2021-35516 apache-commons-compress: excessive
memory allocation when reading a specially crafted 7Z
archive
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: dblechte(a)redhat.com, dfediuck(a)redhat.com,
eedri(a)redhat.com, hhorak(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
mkoncek(a)redhat.com, sbonazzo(a)redhat.com,
sherold(a)redhat.com, SpikeFedora(a)gmail.com,
yturgema(a)redhat.com
Target Milestone: ---
Classification: Other
When reading a specially crafted 7Z archive, Compress can be made to allocate
large amounts of memory that finally leads to an out of memory error even for
very small inputs. This could be used to mount a denial of service attack
against services that use Compress' sevenz package.
References:
https://commons.apache.org/proper/commons-compress/security-reports.html
https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12…
http://www.openwall.com/lists/oss-security/2021/07/13/2
https://bugzilla.redhat.com/show_bug.cgi?id=1981895
Bug ID: 1981895
Summary: CVE-2021-35515 apache-commons-compress: infinite loop
when reading a specially crafted 7Z archive
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: dblechte(a)redhat.com, dfediuck(a)redhat.com,
eedri(a)redhat.com, hhorak(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
mkoncek(a)redhat.com, sbonazzo(a)redhat.com,
sherold(a)redhat.com, SpikeFedora(a)gmail.com,
yturgema(a)redhat.com
Target Milestone: ---
Classification: Other
When reading a specially crafted 7Z archive, the construction of the list of
codecs that decompress an entry can result in an infinite loop. This could be
used to mount a denial of service attack against services that use Compress'
sevenz package.
References:
https://commons.apache.org/proper/commons-compress/security-reports.html
https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fe…
http://www.openwall.com/lists/oss-security/2021/07/13/1
https://bugzilla.redhat.com/show_bug.cgi?id=1987678
Bug ID: 1987678
Summary: lucene: FTBFS in Fedora rawhide/f35
Product: Fedora
Version: rawhide
Status: NEW
Component: lucene
Assignee: akurtako(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, dbhole(a)redhat.com,
dchen(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com,
lef(a)fedoraproject.org, rgrunber(a)redhat.com
Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS)
Target Milestone: ---
Classification: Fedora
lucene failed to build from source in Fedora rawhide/f35
https://koji.fedoraproject.org/koji/taskinfo?taskID=72400674
For details on the mass rebuild see:
https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Please fix lucene at your earliest convenience and set the bug's status to
ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks,
lucene will be orphaned. Before the branching of Fedora 36, lucene will be
retired if it still fails to build.
For more details on the FTBFS policy, please visit:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1927309
[Bug 1927309] Fedora 35 FTBFS Tracker
https://bugzilla.redhat.com/show_bug.cgi?id=1996787
Bug ID: 1996787
Summary: objectweb-asm has missing osgi metadata since the
upgrade to 9.1
Product: Fedora
Version: rawhide
Status: NEW
Component: objectweb-asm
Assignee: mizdebsk(a)redhat.com
Reporter: sergio(a)serjux.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dwalluck(a)redhat.com, fnasser(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
objectweb-asm has missing osgi metadata since the upgrade to 9.1
Version-Release number of selected component (if applicable):
objectweb-asm-9.1-3.fc35.noarch.rpm
https://bugzilla.redhat.com/show_bug.cgi?id=1981544
Bug ID: 1981544
Summary: CVE-2021-30640 tomcat: JNDI realm authentication
weakness
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, alee(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
asoldano(a)redhat.com, atangrin(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bgeorges(a)redhat.com, bmaxwell(a)redhat.com,
brian.stansberry(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmoulliard(a)redhat.com,
coolsvap(a)gmail.com, csutherl(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, eleandro(a)redhat.com,
etirelli(a)redhat.com, fjuma(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
gzaronik(a)redhat.com, huwang(a)redhat.com,
ibek(a)redhat.com, ikanello(a)redhat.com,
ivan.afonichev(a)gmail.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jolee(a)redhat.com,
jpallich(a)redhat.com, jperkins(a)redhat.com,
jrokos(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, krathod(a)redhat.com,
krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, nwallace(a)redhat.com,
peholase(a)redhat.com, pgallagh(a)redhat.com,
pjindal(a)redhat.com, pmackay(a)redhat.com,
rguimara(a)redhat.com, rhcs-maint(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rstancel(a)redhat.com, rsvoboda(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
szappis(a)redhat.com, tom.jenkinson(a)redhat.com,
tzimanyi(a)redhat.com, yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of the
protection provided by the LockOut Realm. This issue affects Apache Tomcat
10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
Reference:
https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688…
https://bugzilla.redhat.com/show_bug.cgi?id=1981533
Bug ID: 1981533
Summary: CVE-2021-33037 tomcat: HTTP request smuggling when
used with a reverse proxy
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, alee(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
asoldano(a)redhat.com, atangrin(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bgeorges(a)redhat.com, bmaxwell(a)redhat.com,
brian.stansberry(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmoulliard(a)redhat.com,
coolsvap(a)gmail.com, csutherl(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, eleandro(a)redhat.com,
etirelli(a)redhat.com, fjuma(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
gzaronik(a)redhat.com, huwang(a)redhat.com,
ibek(a)redhat.com, ikanello(a)redhat.com,
ivan.afonichev(a)gmail.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jolee(a)redhat.com,
jpallich(a)redhat.com, jperkins(a)redhat.com,
jrokos(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, krathod(a)redhat.com,
krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, nwallace(a)redhat.com,
peholase(a)redhat.com, pgallagh(a)redhat.com,
pjindal(a)redhat.com, pmackay(a)redhat.com,
rguimara(a)redhat.com, rhcs-maint(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rstancel(a)redhat.com, rsvoboda(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
szappis(a)redhat.com, tom.jenkinson(a)redhat.com,
tzimanyi(a)redhat.com, yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did
not correctly parse the HTTP transfer-encoding request header in some
circumstances, leading to the possibility of request smuggling when used with a
reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer encoding header if the client
  declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final
  encoding.
Reference:
https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232…
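Each of the three parsing mistakes listed above is a point where the origin server's view of where a request body ends can differ from a front-end proxy's view. The function below is an added example written for this page, not Tomcat's code, showing a request-head framing decision that closes all three: the Transfer-Encoding header is evaluated regardless of the protocol version the client announces rather than skipped, `identity` is refused like any other unsupported coding, and `chunked` must appear exactly once and last. Conflicting Transfer-Encoding and Content-Length fields are refused outright. The `KNOWN_CODINGS` set, the HTTP/1.0 policy and the request samples are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# Transfer-codings this example server implements (assumption for the example;
# a real server lists whatever it can actually decode).
KNOWN_CODINGS = {"chunked", "gzip", "deflate"}


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a request head into (version, headers).

    Header names are lower-cased and repeated fields are joined with ', ', so
    'Transfer-Encoding: gzip' followed by 'Transfer-Encoding: chunked' is seen
    as the single list 'gzip, chunked'. Whitespace around a field name
    (obsolete line folding, 'Name : value') is rejected rather than tolerated.
    """
    text = raw.decode("iso-8859-1")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    version = parts[2]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return version, headers


def parse_codings(value: str) -> List[str]:
    """Comma-separated transfer-coding list, trimmed and case-folded."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def decide_framing(raw: bytes) -> str:
    """Return how the body is delimited: 'chunked', 'content-length', 'none',
    or 'reject:<reason>' when the head is ambiguous and must get a 400."""
    version, headers = parse_request_head(raw)
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is None:
        if cl is None:
            return "none"
        return "content-length" if cl.isdigit() else "reject:malformed content-length"
    # Never skip this block because of the protocol version: an ignored
    # Transfer-Encoding is exactly what lets a proxy and origin disagree.
    # Policy choice for this example: chunked framing is only defined for
    # HTTP/1.1, so a 1.0 request that carries it is refused, not reinterpreted.
    if version != "HTTP/1.1":
        return f"reject:transfer-encoding not valid for {version}"
    codings = parse_codings(te)
    if not codings:
        return "reject:empty transfer-encoding"
    for coding in codings:
        if coding not in KNOWN_CODINGS:
            # 'identity' lands here on purpose: it is not a real transfer-coding.
            return f"reject:unsupported transfer-coding {coding!r}"
    if codings.count("chunked") != 1:
        return "reject:chunked must appear exactly once"
    if codings[-1] != "chunked":
        return "reject:chunked must be the final transfer-coding"
    if cl is not None:
        return "reject:transfer-encoding and content-length both present"
    return "chunked"


# Constructed request heads exercising each rule.
SAMPLES = {
    "plain":    b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n",
    "http10":   b"POST /upload HTTP/1.0\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n",
    "identity": b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
    "not_last": b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "both":     b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n",
    "split":    b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n",
    "cl_only":  b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(f"{label:9} -> {decide_framing(head)}")
```

Every `reject:` result should become a 400 with the connection closed. Falling back to a Content-Length or no-body interpretation when the head is ambiguous is precisely the behaviour that lets a proxy and the origin split the same byte stream into different requests.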