java-sig-commits February 2022

java-sig-commits@lists.fedoraproject.org

1 participants
218 discussions

[Bug 1857010] New: maven-plugin-bundle-5.1.1 is available
by bugzilla＠redhat.com 17 Aug '23

17 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=1857010 Bug ID: 1857010 Summary: maven-plugin-bundle-5.1.1 is available Product: Fedora Version: rawhide Status: NEW Component: maven-plugin-bundle Keywords: FutureFeature, Triaged Assignee: stewardship-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, decathorpe(a)gmail.com, jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, mhroncok(a)redhat.com, mizdebsk(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 5.1.1 Current version/release in rawhide: 4.2.1-1.fc33 URL: https://felix.apache.org/documentation/subprojects/apache-felix-maven-bundl… Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1922/ -- You are receiving this mail because: You are on the CC list for the bug.

1 14

[Bug 2022974] New: qdox-2.0.1 is available
by bugzilla＠redhat.com 17 Aug '23

17 Aug '23

https://bugzilla.redhat.com/show_bug.cgi?id=2022974 Bug ID: 2022974 Summary: qdox-2.0.1 is available Product: Fedora Version: rawhide Status: NEW Component: qdox Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 2.0.1 Current version/release in rawhide: 2.0.0-6.fc35 URL: https://github.com/paul-hammant/qdox Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/12832/ -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2022974

1 7

[Bug 2049783] New: CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS
by bugzilla＠redhat.com 24 Jul '23

24 Jul '23

https://bugzilla.redhat.com/show_bug.cgi?id=2049783 Bug ID: 2049783 Summary: CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, alazarot(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, didiksupriadi41(a)gmail.com, drieden(a)redhat.com, emingora(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rguimara(a)redhat.com, rrajasek(a)redhat.com, spandura(a)redhat.com, sponnaga(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible. References: https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf https://x-stream.github.io/CVE-2021-43859.html Upstream patch: https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0… -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2049783

1 17

[Bug 2037629] New: testng-7.5 is available
by bugzilla＠redhat.com 17 Jul '23

17 Jul '23

https://bugzilla.redhat.com/show_bug.cgi?id=2037629 Bug ID: 2037629 Summary: testng-7.5 is available Product: Fedora Version: rawhide Status: NEW Component: testng Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 7.5 Current version/release in rawhide: 7.4.0-1.fc36 URL: https://github.com/cbeust/testng Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/4956/ -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2037629

1 5

[Bug 1997772] New: CVE-2021-39144 xstream: vulnerable to a remote command execution attack
by bugzilla＠redhat.com 27 Jun '23

27 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=1997772 Bug ID: 1997772 Summary: CVE-2021-39144 xstream: vulnerable to a remote command execution attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pbhattac(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. References: https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh https://x-stream.github.io/CVE-2021-39144.html -- You are receiving this mail because: You are on the CC list for the bug.

1 27

[Bug 2049784] New: CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS [fedora-all]
by bugzilla＠redhat.com 22 Jun '23

22 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2049784 Bug ID: 2049784 Summary: CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS [fedora-all] Product: Fedora Version: 35 Status: NEW Component: xstream Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: didiksupriadi41(a)gmail.com Reporter: gsuckevi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: didiksupriadi41(a)gmail.com, fedoraproject.org(a)bluhm-de.com, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2049784

1 11

[Bug 2014356] New: CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
by bugzilla＠redhat.com 15 Jun '23

15 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2014356 Bug ID: 2014356 Summary: CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: jwon(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bgeorges(a)redhat.com, bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmoulliard(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eleandro(a)redhat.com, etirelli(a)redhat.com, fjuma(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gzaronikas(a)gmail.com, gzaronik(a)redhat.com, huwang(a)redhat.com, ibek(a)redhat.com, ikanello(a)redhat.com, ivan.afonichev(a)gmail.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jclere(a)redhat.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jrokos(a)redhat.com, jschatte(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nwallace(a)redhat.com, pdelbell(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, szappis(a)redhat.com, tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com, yborgess(a)redhat.com Blocks: 2014348 Target Milestone: --- Classification: Other Apache Tomcat did not properly release an HTTP upgrade connection for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. This issue affects the version of Apache Tomcat 10.1.0-M1 to 10.1.0-M5; Apache Tomcat 10.0.0-M10 to 10.0.11; Apache Tomcat 9.0.40 to 9.0.53; Apache Tomcat 8.5.60 to 8.5.71. Upstream commits: Tomcat 10.1: https://github.com/apache/tomcat/commit/d5a6660cba7f51589468937bf3bbad4db78… Tomcat 10.0: https://github.com/apache/tomcat/commit/31d62426645824bdfe076a0c0eafa904d90… Tomcat 9.0: https://github.com/apache/tomcat/commit/80f1438ec45e77a07b96419808971838d25… Tomcat 8.5: https://github.com/apache/tomcat/commit/d27535bdee95d252418201eb21e9d29476a… Reference: https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d… -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2014356

1 32

[Bug 1887211] New: junit-4.13.1 is available
by bugzilla＠redhat.com 15 Jun '23

15 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=1887211 Bug ID: 1887211 Summary: junit-4.13.1 is available Product: Fedora Version: rawhide Status: NEW Component: junit Keywords: FutureFeature, Triaged Assignee: java-maint-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, decathorpe(a)gmail.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, sochotni(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 4.13.1 Current version/release in rawhide: 4.13-2.fc34 URL: https://github.com/junit-team/junit4 Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1480/ -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 2051184] New: lancer fails to build with java-17-openjdk
by bugzilla＠redhat.com 25 May '23

25 May '23

https://bugzilla.redhat.com/show_bug.cgi?id=2051184 Bug ID: 2051184 Summary: lancer fails to build with java-17-openjdk Product: Fedora Version: rawhide Status: NEW Component: lancer Severity: high Assignee: willb(a)redhat.com Reporter: jvanek(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: didiksupriadi41(a)gmail.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jhuttana(a)redhat.com, jvanek(a)redhat.com, pmikova(a)redhat.com, sgehwolf(a)redhat.com, willb(a)redhat.com Blocks: 2024265 Target Milestone: --- Classification: Fedora lancer fails to build with java-17-openjdk as sytem JDK. See https://fedoraproject.org/wiki/Changes/Java17 . See especially part about known failures: https://fedoraproject.org/wiki/Changes/Java17#common_issues_packagers_can_f… For the build logs, see: https://koji.fedoraproject.org/koji/taskinfo?taskID=82430359 https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/mock_output.log https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/hw_info.log https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/state.log https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/build.log https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/root.log We run the rebuild in side tag f36-java17, but as fail ratio was small, we expect this side tag to be merged into rawhide 7 or 8 of February 2022. To reproduce before this date simply: fedpkg clone lancer; cd lancer; fedpkg build --target f36-java17; #The target is crucial. After this date the usual fedpkg build in f36 and up should do. We run two reruns your package failed both. We had also run the mass rebuilds in copr since November. We keep all encountered failures. See them here: https://copr.fedorainfracloud.org/coprs/jvanek/java17//package/lancer You may find interesting additional informations here. Also we were spamming maintainers regualrly, check you spam folder. We had tried aprox 500 packages, and aprox 65 had failed, so the java-17-openjdk will be system JDK in f36, and you should fix your package if you want to keep it alive. Usually the fix is simple, and best is to update the package to latest upstream version. There will be usual mass rebuild once f36 branches. You may got another FTBFS bug. Let us know here if you have any questions, here in bug, or at java-devel(a)lists.fedoraproject.org . We'd appreciate help from the people who know this package best, but if you don't want to work on this now, let us know so we can try to work around it on our side if needed. Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2024265 [Bug 2024265] java-17-openjdk as system JDK in F36 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2051184

1 3

[Bug 2028448] New: I've used maven-local-openjdk11, but xmvn still uses JDK17 as toolchain for org.fedoraproject.xmvn:xmvn-mojo:javadoc
by bugzilla＠redhat.com 25 May '23

25 May '23

https://bugzilla.redhat.com/show_bug.cgi?id=2028448 Bug ID: 2028448 Summary: I've used maven-local-openjdk11, but xmvn still uses JDK17 as toolchain for org.fedoraproject.xmvn:xmvn-mojo:javadoc Product: Fedora Version: rawhide Status: NEW Component: xmvn Assignee: mizdebsk(a)redhat.com Reporter: didiksupriadi41(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mat.booth(a)gmail.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Fedora Description of problem: I've used `maven-local-openjdk11`, but apparently `xmvn` still uses JDK17 as toolchain for org.fedoraproject.xmvn:xmvn-mojo:javadoc. Happens when I tried to build `apache-ivy` (requires Pack200 class) here: https://download.copr.fedorainfracloud.org/results/jvanek/java17:pr:7/fedor… but explicitly overriding JAVA_HOME to JDK11 fixed it: https://download.copr.fedorainfracloud.org/results/jvanek/java17:pr:8/fedor… Version-Release number of selected component (if applicable): 4.0.0-4 How reproducible: always Steps to Reproduce: For instance, we'd build `apache-ivy` using jvanek-java17-fedora-rawhide-x86_64.cfg [1] 1. $ fedpkg clone `apache-ivy` 2. $ sed -i 's/maven-local/maven-local-openjdk11/g' apache-ivy.spec 3. $ fedpkg mockbuild --root jvanek-java17-fedora-rawhide-x86_64.cfg Actual results: https://download.copr.fedorainfracloud.org/results/jvanek/java17:pr:7/fedor… Expected results: https://download.copr.fedorainfracloud.org/results/jvanek/java17:pr:8/fedor… Additional info: -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2028448

1 4

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits February 2022