java-sig-commits March 2016

java-sig-commits@lists.fedoraproject.org

3 participants
219 discussions

[Bug 1013603] New: jspc: Maven metadata is installed incorrectly
by Red Hat Bugzilla 19 Jul '16

19 Jul '16

https://bugzilla.redhat.com/show_bug.cgi?id=1013603 Bug ID: 1013603 Summary: jspc: Maven metadata is installed incorrectly Product: Fedora Version: rawhide Component: jspc Assignee: pmackinn(a)redhat.com Reporter: mizdebsk(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, pmackinn(a)redhat.com Description of problem: jspc package installs the same Maven metadata in more than one package. This results in incorrect package provides. Version-Release number of selected component (if applicable): 2.0-0.7.alpha.3 Steps to Reproduce: 1. Look at package provides Actual results: mvn(org.codehaus.mojo.jspc:jspc): jspc: package version: 2.0 provided version: 2.0-alpha-3 jspc-compiler-tomcat6 (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-compilers (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-maven-plugin (jspc): package version: 2.0 provided version: 2.0-alpha-3 mvn(org.codehaus.mojo.jspc:jspc-compiler-api): jspc: package version: 2.0 provided version: 2.0-alpha-3 jspc-compiler-tomcat6 (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-compilers (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-maven-plugin (jspc): package version: 2.0 provided version: 2.0-alpha-3 mvn(org.codehaus.mojo.jspc:jspc-compiler-tomcat6): jspc: package version: 2.0 provided version: 2.0-alpha-3 jspc-compiler-tomcat6 (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-compilers (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-maven-plugin (jspc): package version: 2.0 provided version: 2.0-alpha-3 mvn(org.codehaus.mojo.jspc:jspc-compilers): jspc: package version: 2.0 provided version: 2.0-alpha-3 jspc-compiler-tomcat6 (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-compilers (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-maven-plugin (jspc): package version: 2.0 provided version: 2.0-alpha-3 mvn(org.codehaus.mojo.jspc:jspc-maven-plugin): jspc: package version: 2.0 provided version: 2.0-alpha-3 jspc-compiler-tomcat6 (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-compilers (jspc): package version: 2.0 provided version: 2.0-alpha-3 jspc-maven-plugin (jspc): package version: 2.0 provided version: 2.0-alpha-3 -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=Oals1syJlT&a=cc_unsubscribe

1 2

[Bug 958047] New: woodstox-core: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING not supported
by Red Hat Bugzilla 19 Jul '16

19 Jul '16

Product: Fedora https://bugzilla.redhat.com/show_bug.cgi?id=958047 Bug ID: 958047 Summary: woodstox-core: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING not supported Product: Fedora Version: rawhide Component: woodstox-core Severity: unspecified Priority: unspecified Assignee: jcapik(a)redhat.com Reporter: fweimer(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jcapik(a)redhat.com, mizdebsk(a)redhat.com Blocks: 958046 Category: --- This doesn't work: SAXParserFactory factory = new WstxSAXParserFactory(); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); SAXParser parser = factory.newSAXParser(); InputSource is = new InputSource(new FileInputStream(args[0])); parser.parse(is, new DefaultHandler()); It results in: Exception in thread "main" org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' not recognized As a result, it appears impossible to defend against "billion laughs"-style denial of service attacks, along the lines of: https://git.fedorahosted.org/cgit/secure-coding.git/tree/defensive-coding/s… https://git.fedorahosted.org/cgit/secure-coding.git/tree/defensive-coding/s… -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=bPCdHpPVN2&a=cc_unsubscribe

1 4

[Bug 1317520] New: CVE-2016-0734 activemq: Clickjacking in Web Console
by Red Hat Bugzilla 13 Jul '16

13 Jul '16

https://bugzilla.redhat.com/show_bug.cgi?id=1317520 Bug ID: 1317520 Summary: CVE-2016-0734 activemq: Clickjacking in Web Console Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: abhgupta(a)redhat.com, agrimm(a)redhat.com, aileenc(a)redhat.com, ccoleman(a)redhat.com, chazlett(a)redhat.com, dmcphers(a)redhat.com, gvarsami(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jialiu(a)redhat.com, joelsmith(a)redhat.com, jokerman(a)redhat.com, kconner(a)redhat.com, kseifried(a)redhat.com, ldimaggi(a)redhat.com, lmeyer(a)redhat.com, mmccomas(a)redhat.com, nwallace(a)redhat.com, pavelp(a)redhat.com, puntogil(a)libero.it, rwagner(a)redhat.com, soa-p-jira(a)post-office.corp.redhat.com, s(a)shk.io, tcunning(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com, tkirby(a)redhat.com It was reported that the web based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe which could then be used to cause a user to perform an unintended action in the console. Affected versions: Apache ActiveMQ 5.0.0 - 5.13.1 External Reference: http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcem… -- You are receiving this mail because: You are on the CC list for the bug.

1 18

[Bug 1317516] New: CVE-2016-0782 activemq: Cross-site scripting vulnerabilities in web console
by Red Hat Bugzilla 13 Jul '16

13 Jul '16

https://bugzilla.redhat.com/show_bug.cgi?id=1317516 Bug ID: 1317516 Summary: CVE-2016-0782 activemq: Cross-site scripting vulnerabilities in web console Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: abhgupta(a)redhat.com, agrimm(a)redhat.com, aileenc(a)redhat.com, ccoleman(a)redhat.com, chazlett(a)redhat.com, dmcphers(a)redhat.com, gvarsami(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jialiu(a)redhat.com, joelsmith(a)redhat.com, jokerman(a)redhat.com, kconner(a)redhat.com, kseifried(a)redhat.com, ldimaggi(a)redhat.com, lmeyer(a)redhat.com, mmccomas(a)redhat.com, nwallace(a)redhat.com, pavelp(a)redhat.com, puntogil(a)libero.it, rwagner(a)redhat.com, soa-p-jira(a)post-office.corp.redhat.com, s(a)shk.io, tcunning(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com, tkirby(a)redhat.com Several instances of cross-site scripting vulnerabilities were identified to be present in the web based administration console as well as the ability to trigger a Java memory dump into an arbitrary folder. The root cause of these issues are improper user data output validation and incorrect permissions configured on Jolokia. Affected versions: ActiveMQ 5.0.0 - 5.13.1 External Reference: http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcem… -- You are receiving this mail because: You are on the CC list for the bug.

1 18

[Bug 1114286] New: felix-bundlerepository-2.0.2 is available
by Red Hat Bugzilla 23 Jun '16

23 Jun '16

https://bugzilla.redhat.com/show_bug.cgi?id=1114286 Bug ID: 1114286 Summary: felix-bundlerepository-2.0.2 is available Product: Fedora Version: rawhide Component: felix-bundlerepository Keywords: FutureFeature, Triaged Assignee: msrb(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Latest upstream release: 2.0.2 Current version/release in Fedora Rawhide: 1.6.6-16.fc21 URL: http://felix.apache.org/downloads.cgi Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=HlPTCWV8kg&a=cc_unsubscribe

1 7

[Bug 1308619] New: CVE-2015-8795 solr: multiple XSS vulnerabilities
by Red Hat Bugzilla 02 Jun '16

02 Jun '16

https://bugzilla.redhat.com/show_bug.cgi?id=1308619 Bug ID: 1308619 Summary: CVE-2015-8795 solr: multiple XSS vulnerabilities Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it CVE 2015-8795: Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in Apache Solr before 5.1 allow remote attackers to inject arbitrary web script or HTML via crafted fields that are mishandled during the rendering of the (1) Analysis page, related to webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related to webapp/web/js/scripts/schema-browser.js. https://issues.apache.org/jira/browse/SOLR-7346 CVE 2015-8796: Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL. https://issues.apache.org/jira/browse/SOLR-7920 CVE 2015-8797: Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in Apache Solr before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter to a plugins/cache URI. https://issues.apache.org/jira/browse/SOLR-7949 -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1314239] New: powermock-1.6.4 is available
by Red Hat Bugzilla 01 Jun '16

01 Jun '16

https://bugzilla.redhat.com/show_bug.cgi?id=1314239 Bug ID: 1314239 Summary: powermock-1.6.4 is available Product: Fedora Version: rawhide Component: powermock Assignee: rkennke(a)redhat.com Reporter: puntogil(a)libero.it QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, msimacek(a)redhat.com, neugens(a)redhat.com, projects.rg(a)smart.ms, rkennke(a)redhat.com Latest upstream release: 1.6.4 Current version/release in rawhide: 1.6.2-3.fc24 URL: https://github.com/jayway/powermock/tags Please, consider upgrading -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1320842] New: CVE-2016-2166 qpid-proton: reactor sends messages in clear if ssl is requested but not available
by Red Hat Bugzilla 01 Jun '16

01 Jun '16

https://bugzilla.redhat.com/show_bug.cgi?id=1320842 Bug ID: 1320842 Summary: CVE-2016-2166 qpid-proton: reactor sends messages in clear if ssl is requested but not available Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: abaron(a)redhat.com, aortega(a)redhat.com, apevec(a)redhat.com, ayoung(a)redhat.com, bkearney(a)redhat.com, chrisw(a)redhat.com, cpelland(a)redhat.com, dallan(a)redhat.com, esammons(a)redhat.com, gkotton(a)redhat.com, iboverma(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jross(a)redhat.com, jschluet(a)redhat.com, kgiusti(a)gmail.com, kpalko(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, markmc(a)redhat.com, mcressma(a)redhat.com, messaging-bugs(a)redhat.com, mmccune(a)redhat.com, ohadlevy(a)redhat.com, pmyers(a)redhat.com, puntogil(a)libero.it, rbryant(a)redhat.com, rhos-maint(a)redhat.com, rrajasek(a)redhat.com, satellite6-bugs(a)redhat.com, sclewis(a)redhat.com, tdecacqu(a)redhat.com, tjay(a)redhat.com, tlestach(a)redhat.com Messaging applications using the Proton Python API to provision an SSL/TLS encrypted TCP connection may actually instantiate a non-encrypted connection without notice if SSL support is unavailable. This will result in all messages being sent in the clear without the knowledge of the user. This issue affects those applications that use the Proton Reactor Python API to create SSL/TLS connections. Specifically the proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes are vulnerable. These classes can create an unencrypted connections if the "amqps://" URL prefix is used. The issue only occurs if the installed Proton libraries do not support SSL. This would be the case if the libraries were built without SSL support or the necessary SSL libraries are not present on the system (e.g. OpenSSL in the case of *nix). References: http://seclists.org/bugtraq/2016/Mar/166 Upstream fix: https://issues.apache.org/jira/browse/PROTON-1157 Upstream fixed release: http://qpid.apache.org/releases/qpid-proton-0.12.1/ -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1266638] New: maven-plugin-bundle-3.0.0 is available
by Red Hat Bugzilla 30 May '16

30 May '16

https://bugzilla.redhat.com/show_bug.cgi?id=1266638 Bug ID: 1266638 Summary: maven-plugin-bundle-3.0.0 is available Product: Fedora Version: rawhide Component: maven-plugin-bundle Keywords: FutureFeature, Triaged Assignee: msimacek(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jcapik(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, msrb(a)redhat.com Latest upstream release: 3.0.0 Current version/release in rawhide: 2.5.4-1.fc24 URL: http://repo2.maven.org/maven2/org/apache/felix/maven-bundle-plugin/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=nlhatFc4hw&a=cc_unsubscribe

1 8

[Bug 1315153] New: error: symbol references not supported in preprocess-only mode
by Red Hat Bugzilla 10 May '16

10 May '16

https://bugzilla.redhat.com/show_bug.cgi?id=1315153 Bug ID: 1315153 Summary: error: symbol references not supported in preprocess-only mode Product: Fedora Version: 22 Component: nasm Assignee: mizdebsk(a)redhat.com Reporter: pomidorabelisima(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com, msrb(a)redhat.com Created attachment 1133607 --> https://bugzilla.redhat.com/attachment.cgi?id=1133607&action=edit Fix "error: symbol references not supported in preprocess-only mode", needed by Syslinux Description of problem: Build SYSLINUX from source produces: diskstart.inc:438: error: symbol references not supported in preprocess-only mode diskstart.inc:439: error: symbol references not supported in preprocess-only mode Version-Release number of selected component (if applicable): NASM version 2.11.06 compiled on Feb 18 2015 How reproducible: 101% Steps to Reproduce: 1. Build SYSLINUX from source Actual results: Broken SYSLINUX build Expected results: Successful build Additional info: - [Nasm-devel] Syslinux 6.03 build is broken by nasm upgrade 2.11.05 to 2.11.06 https://sourceforge.net/p/nasm/mailman/message/33074214 - nasm: Fix -MD operating mode http://repo.or.cz/nasm.git/commitdiff/0dd37af?hp=b2c3449 -- You are receiving this mail because: You are on the CC list for the bug.

1 7

← Newer
1
...
9
10
11
12
13
14
15
...
22
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits March 2016