https://bugzilla.redhat.com/show_bug.cgi?id=958047
Bug ID: 958047
Summary: woodstox-core: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING not supported
Product: Fedora
Version: rawhide
Component: woodstox-core
Severity: unspecified
Priority: unspecified
Assignee: jcapik(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jcapik(a)redhat.com, mizdebsk(a)redhat.com
Blocks: 958046
Category: ---
This doesn't work:
SAXParserFactory factory = new WstxSAXParserFactory();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
SAXParser parser = factory.newSAXParser();
InputSource is = new InputSource(new FileInputStream(args[0]));
parser.parse(is, new DefaultHandler());
It results in:
Exception in thread "main" org.xml.sax.SAXNotRecognizedException: Feature
'http://javax.xml.XMLConstants/feature/secure-processing' not recognized
As a result, it appears impossible to defend against "billion laughs"-style
denial of service attacks, along the lines of:
https://git.fedorahosted.org/cgit/secure-coding.git/tree/defensive-coding/s…
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=bPCdHpPVN2&a=cc_unsubscribe
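As an added example (not code from the bug report or from the Woodstox project): Woodstox ignores FEATURE_SECURE_PROCESSING, but it does honour the standard StAX property XMLInputFactory.SUPPORT_DTD, which switches DTD processing, and with it internal entity expansion, off. The class name WoodstoxHardening, the tiny constructed sample document and the use of the Woodstox StAX reader rather than the SAX wrapper from the report are this example's own assumptions.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import com.ctc.wstx.stax.WstxInputFactory;

public class WoodstoxHardening {
    // Constructed sample: a two-level nested-entity document of the
    // "billion laughs" shape, kept tiny so parsing it is harmless.
    static final String SAMPLE =
        "<!DOCTYPE r [\n"
        + "<!ENTITY a \"aaaa\">\n"
        + "<!ENTITY b \"&a;&a;&a;&a;\">\n"
        + "]>\n"
        + "<r>&b;</r>";

    // Hardened factory: since FEATURE_SECURE_PROCESSING is not recognised,
    // the defence is the standard StAX property that disables DTD handling
    // (no internal subset is processed, so nested entities never expand).
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = new WstxInputFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Returns the concatenated character data of the document, or null
    // when the parser rejects it (e.g. an entity reference it will not resolve).
    static String parseText(XMLInputFactory f, String xml) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            StringBuilder sb = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
            return sb.toString();
        } catch (XMLStreamException e) {
            return null;  // document rejected, nothing was expanded
        }
    }

    public static void main(String[] args) {
        String lax = parseText(new WstxInputFactory(), SAMPLE);
        String hard = parseText(hardenedFactory(), SAMPLE);
        System.out.println("default factory: "
            + (lax == null ? "rejected" : lax.length() + " chars expanded"));
        System.out.println("hardened factory: "
            + (hard == null ? "rejected" : "'" + hard + "' (unexpanded)"));
    }
}
```

With the default factory the sample expands to 16 characters; with DTD support off, the reference to b is never expanded. Where DTDs must remain enabled, newer Woodstox releases also expose WstxInputProperties.P_MAX_ENTITY_COUNT and P_MAX_ENTITY_DEPTH to bound expansion instead.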
https://bugzilla.redhat.com/show_bug.cgi?id=1317520
Bug ID: 1317520
Summary: CVE-2016-0734 activemq: Clickjacking in Web Console
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, agrimm(a)redhat.com,
aileenc(a)redhat.com, ccoleman(a)redhat.com,
chazlett(a)redhat.com, dmcphers(a)redhat.com,
gvarsami(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jialiu(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
ldimaggi(a)redhat.com, lmeyer(a)redhat.com,
mmccomas(a)redhat.com, nwallace(a)redhat.com,
pavelp(a)redhat.com, puntogil(a)libero.it,
rwagner(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com, s(a)shk.io,
tcunning(a)redhat.com, tdawson(a)redhat.com,
tiwillia(a)redhat.com, tkirby(a)redhat.com
It was reported that the web based administration console does not set the
X-Frame-Options header in HTTP responses. This allows the console to be
embedded in a frame or iframe which could then be used to cause a user to
perform an unintended action in the console.
Affected versions: Apache ActiveMQ 5.0.0 - 5.13.1
External Reference:
http://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcem…
--
https://bugzilla.redhat.com/show_bug.cgi?id=1317516
Bug ID: 1317516
Summary: CVE-2016-0782 activemq: Cross-site scripting vulnerabilities in web console
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, agrimm(a)redhat.com,
aileenc(a)redhat.com, ccoleman(a)redhat.com,
chazlett(a)redhat.com, dmcphers(a)redhat.com,
gvarsami(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jialiu(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
ldimaggi(a)redhat.com, lmeyer(a)redhat.com,
mmccomas(a)redhat.com, nwallace(a)redhat.com,
pavelp(a)redhat.com, puntogil(a)libero.it,
rwagner(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com, s(a)shk.io,
tcunning(a)redhat.com, tdawson(a)redhat.com,
tiwillia(a)redhat.com, tkirby(a)redhat.com
Several instances of cross-site scripting vulnerabilities were identified to be
present in the web based administration console as well as the ability to
trigger a Java memory dump into an arbitrary folder. The root cause of these
issues is improper user data output validation and incorrect permissions
configured on Jolokia.
Affected versions: ActiveMQ 5.0.0 - 5.13.1
External Reference:
http://activemq.apache.org/security-advisories.data/CVE-2016-0782-announcem…
--
https://bugzilla.redhat.com/show_bug.cgi?id=1308619
Bug ID: 1308619
Summary: CVE-2015-8795 solr: multiple XSS vulnerabilities
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it
CVE-2015-8795:
Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in
Apache Solr before 5.1 allow remote attackers to inject arbitrary web
script or HTML via crafted fields that are mishandled during the
rendering of the (1) Analysis page, related to
webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related
to webapp/web/js/scripts/schema-browser.js.
https://issues.apache.org/jira/browse/SOLR-7346
CVE-2015-8796:
Cross-site scripting (XSS) vulnerability in
webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr
before 5.3 allows remote attackers to inject arbitrary web script or
HTML via a crafted schema-browse URL.
https://issues.apache.org/jira/browse/SOLR-7920
CVE-2015-8797:
Cross-site scripting (XSS) vulnerability in
webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in
Apache Solr before 5.3.1 allows remote attackers to inject arbitrary
web script or HTML via the entry parameter to a plugins/cache URI.
https://issues.apache.org/jira/browse/SOLR-7949
--
https://bugzilla.redhat.com/show_bug.cgi?id=1314239
Bug ID: 1314239
Summary: powermock-1.6.4 is available
Product: Fedora
Version: rawhide
Component: powermock
Assignee: rkennke(a)redhat.com
Reporter: puntogil(a)libero.it
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, msimacek(a)redhat.com,
neugens(a)redhat.com, projects.rg(a)smart.ms,
rkennke(a)redhat.com
Latest upstream release: 1.6.4
Current version/release in rawhide: 1.6.2-3.fc24
URL: https://github.com/jayway/powermock/tags
Please consider upgrading.
--
https://bugzilla.redhat.com/show_bug.cgi?id=1320842
Bug ID: 1320842
Summary: CVE-2016-2166 qpid-proton: reactor sends messages in clear if ssl is requested but not available
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abaron(a)redhat.com, aortega(a)redhat.com,
apevec(a)redhat.com, ayoung(a)redhat.com,
bkearney(a)redhat.com, chrisw(a)redhat.com,
cpelland(a)redhat.com, dallan(a)redhat.com,
esammons(a)redhat.com, gkotton(a)redhat.com,
iboverma(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jross(a)redhat.com, jschluet(a)redhat.com,
kgiusti(a)gmail.com, kpalko(a)redhat.com, lhh(a)redhat.com,
lpeer(a)redhat.com, markmc(a)redhat.com,
mcressma(a)redhat.com, messaging-bugs(a)redhat.com,
mmccune(a)redhat.com, ohadlevy(a)redhat.com,
pmyers(a)redhat.com, puntogil(a)libero.it,
rbryant(a)redhat.com, rhos-maint(a)redhat.com,
rrajasek(a)redhat.com, satellite6-bugs(a)redhat.com,
sclewis(a)redhat.com, tdecacqu(a)redhat.com,
tjay(a)redhat.com, tlestach(a)redhat.com
Messaging applications using the Proton Python API to provision an SSL/TLS
encrypted TCP connection may actually instantiate a non-encrypted connection
without notice if SSL support is unavailable. This will result in all messages
being sent in the clear without the knowledge of the user.
This issue affects those applications that use the Proton Reactor Python API to
create SSL/TLS connections. Specifically the proton.reactor.Connector,
proton.reactor.Container, and proton.utils.BlockingConnection classes are
vulnerable. These classes can create unencrypted connections if the
"amqps://" URL prefix is used.
The issue only occurs if the installed Proton libraries do not support SSL.
This would be the case if the libraries were built without SSL support or the
necessary SSL libraries are not present on the system (e.g. OpenSSL in the case
of *nix).
References:
http://seclists.org/bugtraq/2016/Mar/166
Upstream fix:
https://issues.apache.org/jira/browse/PROTON-1157
Upstream fixed release:
http://qpid.apache.org/releases/qpid-proton-0.12.1/
--
https://bugzilla.redhat.com/show_bug.cgi?id=1266638
Bug ID: 1266638
Summary: maven-plugin-bundle-3.0.0 is available
Product: Fedora
Version: rawhide
Component: maven-plugin-bundle
Keywords: FutureFeature, Triaged
Assignee: msimacek(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jcapik(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, msrb(a)redhat.com
Latest upstream release: 3.0.0
Current version/release in rawhide: 2.5.4-1.fc24
URL: http://repo2.maven.org/maven2/org/apache/felix/maven-bundle-plugin/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
--
https://bugzilla.redhat.com/show_bug.cgi?id=1315153
Bug ID: 1315153
Summary: error: symbol references not supported in preprocess-only mode
Product: Fedora
Version: 22
Component: nasm
Assignee: mizdebsk(a)redhat.com
Reporter: pomidorabelisima(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Created attachment 1133607
--> https://bugzilla.redhat.com/attachment.cgi?id=1133607&action=edit
Fix "error: symbol references not supported in preprocess-only mode", needed by
Syslinux
Description of problem:
Building SYSLINUX from source produces:
diskstart.inc:438: error: symbol references not supported in preprocess-only
mode
diskstart.inc:439: error: symbol references not supported in preprocess-only
mode
Version-Release number of selected component (if applicable):
NASM version 2.11.06 compiled on Feb 18 2015
How reproducible:
101%
Steps to Reproduce:
1. Build SYSLINUX from source
Actual results:
Broken SYSLINUX build
Expected results:
Successful build
Additional info:
- [Nasm-devel] Syslinux 6.03 build is broken by nasm upgrade 2.11.05 to 2.11.06
https://sourceforge.net/p/nasm/mailman/message/33074214
- nasm: Fix -MD operating mode
http://repo.or.cz/nasm.git/commitdiff/0dd37af?hp=b2c3449
--