https://bugzilla.redhat.com/show_bug.cgi?id=1857010
Bug ID: 1857010
Summary: maven-plugin-bundle-5.1.1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: maven-plugin-bundle
Keywords: FutureFeature, Triaged
Assignee: stewardship-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, decathorpe(a)gmail.com,
jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, mizdebsk(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 5.1.1
Current version/release in rawhide: 4.2.1-1.fc33
URL:
https://felix.apache.org/documentation/subprojects/apache-felix-maven-bundl…
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1922/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2022974
Bug ID: 2022974
Summary: qdox-2.0.1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: qdox
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 2.0.1
Current version/release in rawhide: 2.0.0-6.fc35
URL: https://github.com/paul-hammant/qdox
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/12832/
https://bugzilla.redhat.com/show_bug.cgi?id=2049783
Bug ID: 2049783
Summary: CVE-2021-43859 xstream: Injecting highly recursive
collections or maps can cause a DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
alazarot(a)redhat.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, didiksupriadi41(a)gmail.com,
drieden(a)redhat.com, emingora(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, hbraun(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jnethert(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jolee(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com,
jschatte(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, lkundrak(a)v3.sk,
mizdebsk(a)redhat.com, mnovotny(a)redhat.com,
nstielau(a)redhat.com, pantinor(a)redhat.com,
pbhattac(a)redhat.com, pdelbell(a)redhat.com,
pjindal(a)redhat.com, rguimara(a)redhat.com,
rrajasek(a)redhat.com, spandura(a)redhat.com,
sponnaga(a)redhat.com, tzimanyi(a)redhat.com
Target Milestone: ---
Classification: Other
XStream is an open source Java library to serialize objects to XML and back
again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100%
CPU time on the target system (depending on CPU type or parallel execution of
such a payload), resulting in a denial of service, only by manipulating the
processed input stream. XStream 1.4.19 monitors and accumulates the time it
takes to add elements to collections and throws an exception if a set threshold
is exceeded. Users are advised to upgrade as soon as possible. Users unable to
upgrade may set the NO_REFERENCE mode to prevent recursion. See
GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not
possible.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
https://x-stream.github.io/CVE-2021-43859.html
Upstream patch:
https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0…
https://bugzilla.redhat.com/show_bug.cgi?id=2037629
Bug ID: 2037629
Summary: testng-7.5 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: testng
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
lkundrak(a)v3.sk, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 7.5
Current version/release in rawhide: 7.4.0-1.fc36
URL: https://github.com/cbeust/testng
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from Anitya:
https://release-monitoring.org/project/4956/
https://bugzilla.redhat.com/show_bug.cgi?id=1997772
Bug ID: 1997772
Summary: CVE-2021-39144 xstream: vulnerable to a remote command
execution attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, drieden(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
extras-orphan(a)fedoraproject.org,
fedoraproject.org(a)bluhm-de.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gvarsami(a)redhat.com,
hbraun(a)redhat.com, ibek(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcoleman(a)redhat.com,
jnethert(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jrokos(a)redhat.com, jross(a)redhat.com,
jschatte(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
ldimaggi(a)redhat.com, lkundrak(a)v3.sk,
mizdebsk(a)redhat.com, mnovotny(a)redhat.com,
nstielau(a)redhat.com, nwallace(a)redhat.com,
pantinor(a)redhat.com, pbhattac(a)redhat.com,
pdelbell(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, rwagner(a)redhat.com,
sponnaga(a)redhat.com, tcunning(a)redhat.com,
tkirby(a)redhat.com, tzimanyi(a)redhat.com
Target Milestone: ---
Classification: Other
XStream is a simple library to serialize objects to XML and back again. In
affected versions this vulnerability may allow a remote attacker with sufficient
rights to execute commands on the host only by manipulating the processed input
stream. No user who followed the recommendation to set up XStream's security
framework with a whitelist limited to the minimal required types is affected.
XStream 1.4.18 no longer uses a blacklist by default, since it cannot be
secured for general purpose.
References:
https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
https://x-stream.github.io/CVE-2021-39144.html
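Added example, not taken from either bug report or from the XStream project,
showing the two mitigations named in bugs 2049783 and 1997772 applied to one
XStream instance: the explicit type allowlist that makes CVE-2021-39144 a
non-issue, and the no-references mode given as the CVE-2021-43859 workaround
for users who cannot move to 1.4.19. Note the constant is spelled
XStream.NO_REFERENCES in the API, not NO_REFERENCE as in the advisory text. The
Invoice class and both XML payloads are constructed for this example and do not
appear in the bugs above.

```java
// Added example (not from the bug reports or the XStream project): hardening an
// XStream instance with a deny-by-default type allowlist and no-references mode.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

public class HardenedXStream {

    /** Hypothetical domain type: the only application class expected in input. */
    public static class Invoice {
        public String customer;
        public List<String> lines = new ArrayList<>();
    }

    public static XStream build() {
        XStream xs = new XStream();

        // NoTypePermission.NONE clears every previously registered permission, so
        // the instance starts from "deny everything"; re-enable only what the data
        // model actually needs (this is the documented XStream allowlist pattern).
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, ArrayList.class, Invoice.class });

        // NO_REFERENCES disables back-references between elements, the mechanism the
        // recursive-collection payload of CVE-2021-43859 relies on. Object graphs
        // with cycles can no longer be serialised by this instance.
        xs.setMode(XStream.NO_REFERENCES);

        xs.alias("invoice", Invoice.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = build();

        // Constructed benign input using only allowlisted types.
        String ok = "<invoice><customer>acme</customer>"
                  + "<lines><string>widget</string></lines></invoice>";
        Invoice inv = (Invoice) xs.fromXML(ok);
        System.out.println("parsed invoice for " + inv.customer
                           + " with " + inv.lines.size() + " line(s)");

        // Constructed hostile input naming a JDK type that is not on the allowlist.
        // Whatever gadget chain an attacker intends, the type is rejected by the
        // security mapper before any converter runs.
        String hostile = "<java.lang.ProcessBuilder><command><string>id</string>"
                       + "</command></java.lang.ProcessBuilder>";
        try {
            xs.fromXML(hostile);
            System.out.println("UNEXPECTED: hostile payload was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A ForbiddenClassException on a type the application legitimately needs means the
allowlist is too narrow; widen it with another allowTypes or allowTypeHierarchy
call rather than falling back to a blacklist, which upstream says cannot be
secured. Before enabling NO_REFERENCES on an existing deployment, check that no
stored XML depends on reference attributes, since such documents will stop
loading.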
https://bugzilla.redhat.com/show_bug.cgi?id=2049784
Bug ID: 2049784
Summary: CVE-2021-43859 xstream: Injecting highly recursive
collections or maps can cause a DoS [fedora-all]
Product: Fedora
Version: 35
Status: NEW
Component: xstream
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: didiksupriadi41(a)gmail.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: didiksupriadi41(a)gmail.com,
fedoraproject.org(a)bluhm-de.com,
java-sig-commits(a)lists.fedoraproject.org,
lkundrak(a)v3.sk, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
https://bugzilla.redhat.com/show_bug.cgi?id=2014356
Bug ID: 2014356
Summary: CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP
upgrade connection leak could lead to DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: jwon(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, alee(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
asoldano(a)redhat.com, atangrin(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bgeorges(a)redhat.com, bmaxwell(a)redhat.com,
brian.stansberry(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmoulliard(a)redhat.com,
coolsvap(a)gmail.com, csutherl(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, eleandro(a)redhat.com,
etirelli(a)redhat.com, fjuma(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
gzaronikas(a)gmail.com, gzaronik(a)redhat.com,
huwang(a)redhat.com, ibek(a)redhat.com,
ikanello(a)redhat.com, ivan.afonichev(a)gmail.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jolee(a)redhat.com,
jpallich(a)redhat.com, jperkins(a)redhat.com,
jrokos(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, krathod(a)redhat.com,
krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, nwallace(a)redhat.com,
pdelbell(a)redhat.com, peholase(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, slinaber(a)redhat.com,
smaestri(a)redhat.com, szappis(a)redhat.com,
tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com,
yborgess(a)redhat.com
Blocks: 2014348
Target Milestone: ---
Classification: Other
Apache Tomcat did not properly release an HTTP upgrade connection for WebSocket
connections once the WebSocket connection was closed. This created a memory
leak that, over time, could lead to a denial of service via an
OutOfMemoryError. This issue affects Apache Tomcat 10.1.0-M1 to 10.1.0-M5;
Apache Tomcat 10.0.0-M10 to 10.0.11; Apache Tomcat 9.0.40 to 9.0.53; and
Apache Tomcat 8.5.60 to 8.5.71.
Upstream commits:
Tomcat 10.1:
https://github.com/apache/tomcat/commit/d5a6660cba7f51589468937bf3bbad4db78…
Tomcat 10.0:
https://github.com/apache/tomcat/commit/31d62426645824bdfe076a0c0eafa904d90…
Tomcat 9.0:
https://github.com/apache/tomcat/commit/80f1438ec45e77a07b96419808971838d25…
Tomcat 8.5:
https://github.com/apache/tomcat/commit/d27535bdee95d252418201eb21e9d29476a…
Reference:
https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d…
https://bugzilla.redhat.com/show_bug.cgi?id=1887211
Bug ID: 1887211
Summary: junit-4.13.1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: junit
Keywords: FutureFeature, Triaged
Assignee: java-maint-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, decathorpe(a)gmail.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 4.13.1
Current version/release in rawhide: 4.13-2.fc34
URL: https://github.com/junit-team/junit4
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1480/
https://bugzilla.redhat.com/show_bug.cgi?id=2028448
Bug ID: 2028448
Summary: I've used maven-local-openjdk11, but xmvn still uses
JDK17 as toolchain for
org.fedoraproject.xmvn:xmvn-mojo:javadoc
Product: Fedora
Version: rawhide
Status: NEW
Component: xmvn
Assignee: mizdebsk(a)redhat.com
Reporter: didiksupriadi41(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mat.booth(a)gmail.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
I've used `maven-local-openjdk11`, but apparently `xmvn` still uses JDK17 as
toolchain for org.fedoraproject.xmvn:xmvn-mojo:javadoc.
Happens when I tried to build `apache-ivy` (requires Pack200 class) here:
https://download.copr.fedorainfracloud.org/results/jvanek/java17:pr:7/fedor…
but explicitly overriding JAVA_HOME to JDK11 fixed it:
https://download.copr.fedorainfracloud.org/results/jvanek/java17:pr:8/fedor…
Version-Release number of selected component (if applicable):
4.0.0-4
How reproducible:
always
Steps to Reproduce:
For instance, we'd build `apache-ivy` using
jvanek-java17-fedora-rawhide-x86_64.cfg [1]
1. $ fedpkg clone `apache-ivy`
2. $ sed -i 's/maven-local/maven-local-openjdk11/g' apache-ivy.spec
3. $ fedpkg mockbuild --root jvanek-java17-fedora-rawhide-x86_64.cfg
Actual results:
https://download.copr.fedorainfracloud.org/results/jvanek/java17:pr:7/fedor…
Expected results:
https://download.copr.fedorainfracloud.org/results/jvanek/java17:pr:8/fedor…
Additional info: