java-sig-commits September 2017

java-sig-commits@lists.fedoraproject.org

1 participants
290 discussions

[Bug 1396487] New: pdfbox-2.0.3 is available
by Red Hat Bugzilla 27 Apr '18

27 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1396487 Bug ID: 1396487 Summary: pdfbox-2.0.3 is available Product: Fedora Version: rawhide Component: pdfbox Assignee: puntogil(a)libero.it Reporter: puntogil(a)libero.it QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, orion(a)cora.nwra.com, puntogil(a)libero.it Latest upstream release: 2.0.3 Current version/release in rawhide: 1.8.12-2.fc26 URL: http://www.apache.org/dist/pdfbox/ Used by Apache Tika >= 1.13 -- You are receiving this mail because: You are on the CC list for the bug.

2 7

[Bug 1443585] New: CVE-2017-5661 fop: XML external entity processing vulnerability
by bugzilla＠redhat.com 26 Apr '18

26 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1443585 Bug ID: 1443585 Summary: CVE-2017-5661 fop: XML external entity processing vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: bmcclain(a)redhat.com, c.david86(a)gmail.com, dblechte(a)redhat.com, eedri(a)redhat.com, gklein(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, lsurette(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, rbalakri(a)redhat.com, rhbugs(a)n-dimensional.de, Rhev-m-bugs(a)redhat.com, r.landmann(a)redhat.com, sbonazzo(a)redhat.com, sherold(a)redhat.com, srevivo(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. References: https://xmlgraphics.apache.org/security.html http://seclists.org/oss-sec/2017/q2/86 -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 1443592] New: CVE-2017-5662 batik: XML external entity processing vulnerability
by bugzilla＠redhat.com 26 Apr '18

26 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1443592 Bug ID: 1443592 Summary: CVE-2017-5662 batik: XML external entity processing vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: bmcclain(a)redhat.com, c.david86(a)gmail.com, dblechte(a)redhat.com, eedri(a)redhat.com, hhorak(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jorton(a)redhat.com, jvanek(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, sbonazzo(a)redhat.com, sherold(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. References: https://xmlgraphics.apache.org/security.html http://seclists.org/oss-sec/2017/q2/85 -- You are receiving this mail because: You are on the CC list for the bug.

1 19

[Bug 977249] New: htmlcleaner-2.5 is available
by Red Hat Bugzilla 24 Apr '18

24 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=977249 Bug ID: 977249 Summary: htmlcleaner-2.5 is available Product: Fedora Version: rawhide Component: htmlcleaner Keywords: FutureFeature, Triaged Severity: unspecified Priority: unspecified Assignee: Marcin.Dulak(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: bjoern.esser(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, Marcin.Dulak(a)gmail.com Latest upstream release: 2.5 Current version/release in Fedora Rawhide: 2.2.1-2.fc20 URL: http://sourceforge.net/api/file/index/project-name/htmlcleaner/mtime/desc/l… Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=B0wPSZFa2g&a=cc_unsubscribe

2 46

[Bug 1464158] New: CVE-2017-9735 jetty: Timing channel attack in util/ security/Password.java
by bugzilla＠redhat.com 24 Apr '18

24 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1464158 Bug ID: 1464158 Summary: CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: eclipse-sig(a)lists.fedoraproject.org, hhorak(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jjohnstn(a)redhat.com, jorton(a)redhat.com, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com Jetty is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. Upstream issue: https://github.com/eclipse/jetty.project/issues/1556 Upstream patch: https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f… -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1372129] New: CVE-2016-6348 RESTEasy: Use of JacksonJsonpInterceptor in RESTEasy can lead to Cross Site Script Inclusion attack
by Red Hat Bugzilla 20 Apr '18

20 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1372129 Bug ID: 1372129 Summary: CVE-2016-6348 RESTEasy: Use of JacksonJsonpInterceptor in RESTEasy can lead to Cross Site Script Inclusion attack Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: jshepherd(a)redhat.com CC: aileenc(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, aszczucz(a)redhat.com, bazulay(a)redhat.com, bbaranow(a)redhat.com, bdawidow(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmcclain(a)redhat.com, cbillett(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, csutherl(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dblechte(a)redhat.com, dosoudil(a)redhat.com, eedri(a)redhat.com, epp-bugs(a)redhat.com, etirelli(a)redhat.com, felias(a)redhat.com, fnasser(a)redhat.com, gklein(a)redhat.com, gvarsami(a)redhat.com, hchiorea(a)redhat.com, hfnukal(a)redhat.com, huwang(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jboss-set(a)redhat.com, jbpapp-maint(a)redhat.com, jcoleman(a)redhat.com, jdg-bugs(a)redhat.com, jmatthew(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jshepherd(a)redhat.com, katello-bugs(a)redhat.com, kconner(a)redhat.com, kseifried(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lpetrovi(a)redhat.com, lsurette(a)redhat.com, mbaluch(a)redhat.com, mgoldboi(a)redhat.com, mgoldman(a)redhat.com, miburman(a)redhat.com, michal.skrivanek(a)redhat.com, mmccune(a)redhat.com, mweiler(a)redhat.com, mwinkler(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, ohadlevy(a)redhat.com, oourfali(a)redhat.com, pavelp(a)redhat.com, pgier(a)redhat.com, pkliczew(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, puntogil(a)libero.it, rcernich(a)redhat.com, Rhev-m-bugs(a)redhat.com, rnetuka(a)redhat.com, rrajasek(a)redhat.com, rsvoboda(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, satellite6-bugs(a)redhat.com, sherold(a)redhat.com, soa-p-jira(a)post-office.corp.redhat.com, spinder(a)redhat.com, tcunning(a)redhat.com, theute(a)redhat.com, tjay(a)redhat.com, tkirby(a)redhat.com, tlestach(a)redhat.com, tomckay(a)redhat.com, tsanders(a)redhat.com, ttarrant(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com It was found that in some configurations the JacksonJsonpInterceptor is activated by default in RESTEasy. An attacker could use this flaw to launch a Cross Site Scripting Inclusion attack. -- You are receiving this mail because: You are on the CC list for the bug.

2 13

[Bug 1372117] New: CVE-2016-6345 RESTEasy: Insufficient use of random values in RESTEasy async jobs could lead to loss of data confidentiality
by Red Hat Bugzilla 20 Apr '18

20 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1372117 Bug ID: 1372117 Summary: CVE-2016-6345 RESTEasy: Insufficient use of random values in RESTEasy async jobs could lead to loss of data confidentiality Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: jshepherd(a)redhat.com CC: aileenc(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, aszczucz(a)redhat.com, bazulay(a)redhat.com, bbaranow(a)redhat.com, bdawidow(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmcclain(a)redhat.com, cbillett(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, csutherl(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dblechte(a)redhat.com, dosoudil(a)redhat.com, eedri(a)redhat.com, epp-bugs(a)redhat.com, etirelli(a)redhat.com, felias(a)redhat.com, fnasser(a)redhat.com, gklein(a)redhat.com, gvarsami(a)redhat.com, hchiorea(a)redhat.com, hfnukal(a)redhat.com, huwang(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jboss-set(a)redhat.com, jbpapp-maint(a)redhat.com, jcoleman(a)redhat.com, jdg-bugs(a)redhat.com, jmatthew(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jshepherd(a)redhat.com, katello-bugs(a)redhat.com, kconner(a)redhat.com, kseifried(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lpetrovi(a)redhat.com, lsurette(a)redhat.com, mbaluch(a)redhat.com, mgoldboi(a)redhat.com, mgoldman(a)redhat.com, miburman(a)redhat.com, michal.skrivanek(a)redhat.com, mmccune(a)redhat.com, mweiler(a)redhat.com, mwinkler(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, ohadlevy(a)redhat.com, oourfali(a)redhat.com, pavelp(a)redhat.com, pgier(a)redhat.com, pkliczew(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, puntogil(a)libero.it, rcernich(a)redhat.com, Rhev-m-bugs(a)redhat.com, rnetuka(a)redhat.com, rrajasek(a)redhat.com, rsvoboda(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, satellite6-bugs(a)redhat.com, sherold(a)redhat.com, soa-p-jira(a)post-office.corp.redhat.com, spinder(a)redhat.com, tcunning(a)redhat.com, theute(a)redhat.com, tjay(a)redhat.com, tkirby(a)redhat.com, tlestach(a)redhat.com, tomckay(a)redhat.com, tsanders(a)redhat.com, ttarrant(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com It was found that there was insufficient use of randam values in RESTEasy async jobs. An attacker could use this flaw to steal user data. -- You are receiving this mail because: You are on the CC list for the bug.

2 21

[Bug 1340421] New: apache-poi-3.15-beta1-20160409 is available
by Red Hat Bugzilla 18 Apr '18

18 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1340421 Bug ID: 1340421 Summary: apache-poi-3.15-beta1-20160409 is available Product: Fedora Version: rawhide Component: apache-poi Assignee: mat.booth(a)redhat.com Reporter: puntogil(a)libero.it QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mat.booth(a)redhat.com, puntogil(a)libero.it Latest upstream release: 3.15-beta1-20160409 Current version/release in rawhide: 3.14-1.fc25 URL: http://www.apache.org/dist/poi/dev/src/ http://www.apache.org/dist/poi/release/src Please, consider upgrading -- You are receiving this mail because: You are on the CC list for the bug.

2 5

[Bug 1443635] New: CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
by bugzilla＠redhat.com 16 Apr '18

16 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1443635 Bug ID: 1443635 Summary: CVE-2017-5645 log4j: Socket receiver deserialization vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: aileenc(a)redhat.com, alazarot(a)redhat.com, aortega(a)redhat.com, apevec(a)redhat.com, avibelli(a)redhat.com, ayoung(a)redhat.com, bkearney(a)redhat.com, bmcclain(a)redhat.com, cbillett(a)redhat.com, chazlett(a)redhat.com, chrisw(a)redhat.com, coneill(a)redhat.com, csutherl(a)redhat.com, cvsbot-xmlrpc(a)redhat.com, dandread(a)redhat.com, dblechte(a)redhat.com, devrim(a)gunduz.org, dwalluck(a)redhat.com, eedri(a)redhat.com, etirelli(a)redhat.com, gklein(a)redhat.com, gsterlin(a)redhat.com, gvarsami(a)redhat.com, gzaronik(a)redhat.com, hhorak(a)redhat.com, huwang(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jbalunas(a)redhat.com, jclere(a)redhat.com, jcoleman(a)redhat.com, jjoyce(a)redhat.com, jorton(a)redhat.com, jschluet(a)redhat.com, jshepherd(a)redhat.com, kbasil(a)redhat.com, kconner(a)redhat.com, kseifried(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lpetrovi(a)redhat.com, lsurette(a)redhat.com, markmc(a)redhat.com, mbabacek(a)redhat.com, mbaluch(a)redhat.com, meissner(a)suse.de, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, mwinkler(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, pavelp(a)redhat.com, rbalakri(a)redhat.com, rbryant(a)redhat.com, Rhev-m-bugs(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, sclewis(a)redhat.com, sherold(a)redhat.com, spinder(a)redhat.com, srevivo(a)redhat.com, taw(a)redhat.com, tcunning(a)redhat.com, tdecacqu(a)redhat.com, theute(a)redhat.com, thomas(a)suse.de, tjay(a)redhat.com, tkirby(a)redhat.com, tlestach(a)redhat.com, tomckay(a)redhat.com, twalsh(a)redhat.com, weli(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. References: http://seclists.org/oss-sec/2017/q2/78 Upstream bug: https://issues.apache.org/jira/browse/LOG4J2-1863 -- You are receiving this mail because: You are on the CC list for the bug.

1 72

[Bug 1434338] New: CVE-2017-2651 jenkins-mailer-plugin: Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin
by bugzilla＠redhat.com 03 Apr '18

03 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1434338 Bug ID: 1434338 Summary: CVE-2017-2651 jenkins-mailer-plugin: Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com The Mailer and Email Extension Plugins are able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses. Affected versions: up to and including version 1.19 External Reference: https://jenkins.io/security/advisory/2017-03-20/ -- You are receiving this mail because: You are on the CC list for the bug.

1 7

← Newer
1
...
11
12
13
14
15
16
17
...
29
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits September 2017