java-sig-commits March 2023

java-sig-commits@lists.fedoraproject.org

1 participants
280 discussions

[Bug 1955739] New: CVE-2021-26291 maven: Block repositories using http by default
by bugzilla＠redhat.com 12 Feb '24

12 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=1955739 Bug ID: 1955739 Summary: CVE-2021-26291 maven: Block repositories using http by default Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, bbaranow(a)redhat.com, bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, darran.lofthouse(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, eleandro(a)redhat.com, etirelli(a)redhat.com, fjuma(a)redhat.com, gvarsami(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jochrist(a)redhat.com, jperkins(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msrb(a)redhat.com, msvehla(a)redhat.com, nwallace(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, rguimara(a)redhat.com, rrajasek(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rwagner(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. References: https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fd… https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac… https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fd… http://www.openwall.com/lists/oss-security/2021/04/23/5 https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8a… https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c2… https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a7… -- You are receiving this mail because: You are on the CC list for the bug.

1 32

[Bug 1801149] New: CVE-2019-13990 libquartz-java: XXE attacks via job description
by bugzilla＠redhat.com 02 Feb '24

02 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=1801149 Bug ID: 1801149 Summary: CVE-2019-13990 libquartz-java: XXE attacks via job description Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: agrimm(a)gmail.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bkearney(a)redhat.com, btotty(a)redhat.com, chazlett(a)redhat.com, dblechte(a)redhat.com, dfediuck(a)redhat.com, drieden(a)redhat.com, eedri(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, ggaughan(a)redhat.com, gvarsami(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jochrist(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lef(a)fedoraproject.org, lzap(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pjindal(a)redhat.com, puntogil(a)libero.it, rchan(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sbonazzo(a)redhat.com, sdaley(a)redhat.com, sherold(a)redhat.com, sokeeffe(a)redhat.com, tbrisker(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tlestach(a)redhat.com, yturgema(a)redhat.com Target Milestone: --- Classification: Other A vulnerability was found in initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. Reference: https://github.com/quartz-scheduler/quartz/issues/467 https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af9… https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1… https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de… https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e8… https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a390… -- You are receiving this mail because: You are on the CC list for the bug.

1 27

[Bug 2171439] New: apache-commons-net: FTBFS in Fedora rawhide/f38
by bugzilla＠redhat.com 01 Feb '24

01 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2171439 Bug ID: 2171439 Summary: apache-commons-net: FTBFS in Fedora rawhide/f38 Product: Fedora Version: rawhide Status: NEW Component: apache-commons-net Assignee: luis(a)blackfile.net Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, luis(a)blackfile.net, mizdebsk(a)redhat.com, SpikeFedora(a)gmail.com Blocks: 2117176 (F38FTBFS) Target Milestone: --- Classification: Fedora apache-commons-net failed to build from source in Fedora rawhide/f38 https://koji.fedoraproject.org/koji/taskinfo?taskID=96310506 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Please fix apache-commons-net at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, apache-commons-net will be orphaned. Before branching of Fedora 39, apache-commons-net will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails… Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2117176 [Bug 2117176] Fedora 38 FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2171439

1 2

[Bug 2171438] New: apache-commons-lang3: FTBFS in Fedora rawhide/f38
by bugzilla＠redhat.com 01 Feb '24

01 Feb '24

https://bugzilla.redhat.com/show_bug.cgi?id=2171438 Bug ID: 2171438 Summary: apache-commons-lang3: FTBFS in Fedora rawhide/f38 Product: Fedora Version: rawhide Status: NEW Component: apache-commons-lang3 Assignee: stuart(a)gathman.org Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, stuart(a)gathman.org Blocks: 2117176 (F38FTBFS) Target Milestone: --- Classification: Fedora apache-commons-lang3 failed to build from source in Fedora rawhide/f38 https://koji.fedoraproject.org/koji/taskinfo?taskID=96310469 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Please fix apache-commons-lang3 at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, apache-commons-lang3 will be orphaned. Before branching of Fedora 39, apache-commons-lang3 will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails… Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2117176 [Bug 2117176] Fedora 38 FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2171438

1 1

[Bug 1694308] New: httpcomponents-client-4.5.8 is available
by bugzilla＠redhat.com 31 Jan '24

31 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=1694308 Bug ID: 1694308 Summary: httpcomponents-client-4.5.8 is available Product: Fedora Version: rawhide Status: NEW Component: httpcomponents-client Keywords: FutureFeature, Triaged Assignee: stuart(a)gathman.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, sochotni(a)redhat.com, stuart(a)gathman.org Target Milestone: --- Classification: Fedora Latest upstream release: 4.5.8 Current version/release in rawhide: 4.5.6-3.fc30 URL: http://www.apache.org/dist/httpcomponents/httpclient/source/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1334/ -- You are receiving this mail because: You are on the CC list for the bug.

1 17

[Bug 2028618] New: maven-doxia-1.11.1 is available
by bugzilla＠redhat.com 30 Jan '24

30 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2028618 Bug ID: 2028618 Summary: maven-doxia-1.11.1 is available Product: Fedora Version: rawhide Status: NEW Component: maven-doxia Keywords: FutureFeature, Triaged Assignee: loganjerry(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, loganjerry(a)gmail.com, mefoster(a)gmail.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 1.11.1 Current version/release in rawhide: 1.9.1-5.fc35 URL: http://maven.apache.org/doxia/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1903/ -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2028618

1 9

[Bug 2182793] New: log4j: jettison: Uncontrolled Recursion in JSONArray [fedora-all]
by bugzilla＠redhat.com 15 Jan '24

15 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2182793 Bug ID: 2182793 Summary: log4j: jettison: Uncontrolled Recursion in JSONArray [fedora-all] Product: Fedora Version: 37 Status: NEW Component: log4j Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: paul.wouters(a)aiven.io Reporter: pdelbell(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, devrim(a)gunduz.org, italo.garcia+fedora(a)aiven.io, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, paul.wouters(a)aiven.io, rj.layco(a)gmail.com, rominf(a)aiven.io Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2182788 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2182793

1 4

[Bug 2180533] New: CVE-2023-20861 log4j: springframework: Spring Expression DoS Vulnerability [fedora-all]
by bugzilla＠redhat.com 12 Jan '24

12 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2180533 Bug ID: 2180533 Summary: CVE-2023-20861 log4j: springframework: Spring Expression DoS Vulnerability [fedora-all] Product: Fedora Version: 37 Status: NEW Component: log4j Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: paul.wouters(a)aiven.io Reporter: pdelbell(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, devrim(a)gunduz.org, italo.garcia+fedora(a)aiven.io, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, paul.wouters(a)aiven.io, rj.layco(a)gmail.com, rominf(a)aiven.io Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2180530 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2180533

1 4

[Bug 2180531] New: CVE-2023-20860 log4j: springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern [fedora-all]
by bugzilla＠redhat.com 12 Jan '24

12 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2180531 Bug ID: 2180531 Summary: CVE-2023-20860 log4j: springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern [fedora-all] Product: Fedora Version: 37 Status: NEW Component: log4j Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: paul.wouters(a)aiven.io Reporter: pdelbell(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, devrim(a)gunduz.org, italo.garcia+fedora(a)aiven.io, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, paul.wouters(a)aiven.io, rj.layco(a)gmail.com, rominf(a)aiven.io Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2180528 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2180531

1 4

[Bug 2178890] New: CVE-2022-31692 log4j: spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security [fedora-37]
by bugzilla＠redhat.com 12 Jan '24

12 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2178890 Bug ID: 2178890 Summary: CVE-2022-31692 log4j: spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security [fedora-37] Product: Fedora Version: 37 Status: NEW Component: log4j Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: paul.wouters(a)aiven.io Reporter: ahanwate(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, devrim(a)gunduz.org, italo.garcia+fedora(a)aiven.io, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, paul.wouters(a)aiven.io, rj.layco(a)gmail.com, rominf(a)aiven.io Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2162206 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2178890

1 4

← Newer
1
2
3
4
5
6
7
...
28
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits March 2023