https://bugzilla.redhat.com/show_bug.cgi?id=1955739
Bug ID: 1955739
Summary: CVE-2021-26291 maven: Block repositories using http by
default
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
asoldano(a)redhat.com, atangrin(a)redhat.com,
bbaranow(a)redhat.com, bmaxwell(a)redhat.com,
brian.stansberry(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, darran.lofthouse(a)redhat.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
eleandro(a)redhat.com, etirelli(a)redhat.com,
fjuma(a)redhat.com, gvarsami(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jochrist(a)redhat.com,
jperkins(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
kconner(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, kwills(a)redhat.com,
ldimaggi(a)redhat.com, lgao(a)redhat.com,
mizdebsk(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msrb(a)redhat.com,
msvehla(a)redhat.com, nwallace(a)redhat.com,
pjindal(a)redhat.com, pmackay(a)redhat.com,
rguimara(a)redhat.com, rrajasek(a)redhat.com,
rstancel(a)redhat.com, rsvoboda(a)redhat.com,
rwagner(a)redhat.com, smaestri(a)redhat.com,
sochotni(a)redhat.com, tcunning(a)redhat.com,
tkirby(a)redhat.com, tom.jenkinson(a)redhat.com,
tzimanyi(a)redhat.com, yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
Apache Maven will follow repositories that are defined in a dependency’s
Project Object Model (pom) which may be surprising to some users, resulting in
potential risk if a malicious actor takes over that repository or is able to
insert themselves into a position to pretend to be that repository. Maven is
changing the default behavior in 3.8.1+ to no longer follow http (non-SSL)
repository references by default. If you are currently using a repository
manager to govern the repositories used by your builds, you are unaffected by
the risks present in the legacy behavior, and are unaffected by this
vulnerability and change to default behavior.
References:
https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fd…https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac…https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fd…http://www.openwall.com/lists/oss-security/2021/04/23/5https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8a…https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c2…https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a7…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1801149
Bug ID: 1801149
Summary: CVE-2019-13990 libquartz-java: XXE attacks via job
description
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: agrimm(a)gmail.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bkearney(a)redhat.com, btotty(a)redhat.com,
chazlett(a)redhat.com, dblechte(a)redhat.com,
dfediuck(a)redhat.com, drieden(a)redhat.com,
eedri(a)redhat.com, etirelli(a)redhat.com,
extras-orphan(a)fedoraproject.org, ggaughan(a)redhat.com,
gvarsami(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jochrist(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
kconner(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
lef(a)fedoraproject.org, lzap(a)redhat.com,
mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com,
mmccune(a)redhat.com, mnovotny(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pjindal(a)redhat.com, puntogil(a)libero.it,
rchan(a)redhat.com, rjerrido(a)redhat.com,
rrajasek(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, sbonazzo(a)redhat.com,
sdaley(a)redhat.com, sherold(a)redhat.com,
sokeeffe(a)redhat.com, tbrisker(a)redhat.com,
tcunning(a)redhat.com, tkirby(a)redhat.com,
tlestach(a)redhat.com, yturgema(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in initDocumentParser in
xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through
2.3.0 allows XXE attacks via a job description.
Reference:
https://github.com/quartz-scheduler/quartz/issues/467https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af9…https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1…https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de…https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e8…https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a390…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2171439
Bug ID: 2171439
Summary: apache-commons-net: FTBFS in Fedora rawhide/f38
Product: Fedora
Version: rawhide
Status: NEW
Component: apache-commons-net
Assignee: luis(a)blackfile.net
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
luis(a)blackfile.net, mizdebsk(a)redhat.com,
SpikeFedora(a)gmail.com
Blocks: 2117176 (F38FTBFS)
Target Milestone: ---
Classification: Fedora
apache-commons-net failed to build from source in Fedora rawhide/f38
https://koji.fedoraproject.org/koji/taskinfo?taskID=96310506
For details on the mass rebuild see:
https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Please fix apache-commons-net at your earliest convenience and set the bug's
status to
ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks,
apache-commons-net will be orphaned. Before branching of Fedora 39,
apache-commons-net will be retired, if it still fails to build.
For more details on the FTBFS policy, please visit:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2117176
[Bug 2117176] Fedora 38 FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2171439
https://bugzilla.redhat.com/show_bug.cgi?id=2171438
Bug ID: 2171438
Summary: apache-commons-lang3: FTBFS in Fedora rawhide/f38
Product: Fedora
Version: rawhide
Status: NEW
Component: apache-commons-lang3
Assignee: stuart(a)gathman.org
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, stuart(a)gathman.org
Blocks: 2117176 (F38FTBFS)
Target Milestone: ---
Classification: Fedora
apache-commons-lang3 failed to build from source in Fedora rawhide/f38
https://koji.fedoraproject.org/koji/taskinfo?taskID=96310469
For details on the mass rebuild see:
https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Please fix apache-commons-lang3 at your earliest convenience and set the bug's
status to
ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks,
apache-commons-lang3 will be orphaned. Before branching of Fedora 39,
apache-commons-lang3 will be retired, if it still fails to build.
For more details on the FTBFS policy, please visit:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2117176
[Bug 2117176] Fedora 38 FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2171438
https://bugzilla.redhat.com/show_bug.cgi?id=1694308
Bug ID: 1694308
Summary: httpcomponents-client-4.5.8 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: httpcomponents-client
Keywords: FutureFeature, Triaged
Assignee: stuart(a)gathman.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com,
mizdebsk(a)redhat.com, sochotni(a)redhat.com,
stuart(a)gathman.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 4.5.8
Current version/release in rawhide: 4.5.6-3.fc30
URL: http://www.apache.org/dist/httpcomponents/httpclient/source/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1334/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2028618
Bug ID: 2028618
Summary: maven-doxia-1.11.1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: maven-doxia
Keywords: FutureFeature, Triaged
Assignee: loganjerry(a)gmail.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
loganjerry(a)gmail.com, mefoster(a)gmail.com,
mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 1.11.1
Current version/release in rawhide: 1.9.1-5.fc35
URL: http://maven.apache.org/doxia/
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1903/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2028618
https://bugzilla.redhat.com/show_bug.cgi?id=2182793
Bug ID: 2182793
Summary: log4j: jettison: Uncontrolled Recursion in JSONArray
[fedora-all]
Product: Fedora
Version: 37
Status: NEW
Component: log4j
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: paul.wouters(a)aiven.io
Reporter: pdelbell(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, devrim(a)gunduz.org,
italo.garcia+fedora(a)aiven.io,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, paul.wouters(a)aiven.io,
rj.layco(a)gmail.com, rominf(a)aiven.io
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2182788
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2182793
https://bugzilla.redhat.com/show_bug.cgi?id=2180533
Bug ID: 2180533
Summary: CVE-2023-20861 log4j: springframework: Spring
Expression DoS Vulnerability [fedora-all]
Product: Fedora
Version: 37
Status: NEW
Component: log4j
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: paul.wouters(a)aiven.io
Reporter: pdelbell(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, devrim(a)gunduz.org,
italo.garcia+fedora(a)aiven.io,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, paul.wouters(a)aiven.io,
rj.layco(a)gmail.com, rominf(a)aiven.io
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2180530
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2180533
https://bugzilla.redhat.com/show_bug.cgi?id=2180531
Bug ID: 2180531
Summary: CVE-2023-20860 log4j: springframework: Security Bypass
With Un-Prefixed Double Wildcard Pattern [fedora-all]
Product: Fedora
Version: 37
Status: NEW
Component: log4j
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: paul.wouters(a)aiven.io
Reporter: pdelbell(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, devrim(a)gunduz.org,
italo.garcia+fedora(a)aiven.io,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, paul.wouters(a)aiven.io,
rj.layco(a)gmail.com, rominf(a)aiven.io
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2180528
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2180531
https://bugzilla.redhat.com/show_bug.cgi?id=2178890
Bug ID: 2178890
Summary: CVE-2022-31692 log4j: spring-security: Authorization
rules can be bypassed via forward or include
dispatcher types in Spring Security [fedora-37]
Product: Fedora
Version: 37
Status: NEW
Component: log4j
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: paul.wouters(a)aiven.io
Reporter: ahanwate(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, devrim(a)gunduz.org,
italo.garcia+fedora(a)aiven.io,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, paul.wouters(a)aiven.io,
rj.layco(a)gmail.com, rominf(a)aiven.io
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2162206
Disclaimer: Community trackers are created by Red Hat Product Security team on
a best effort basis. Package maintainers are required to ascertain if the flaw
indeed affects their package, before starting the update process.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2178890