https://bugzilla.redhat.com/show_bug.cgi?id=1396487
Bug ID: 1396487
Summary: pdfbox-2.0.3 is available
Product: Fedora
Version: rawhide
Component: pdfbox
Assignee: puntogil(a)libero.it
Reporter: puntogil(a)libero.it
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
orion(a)cora.nwra.com, puntogil(a)libero.it
Latest upstream release: 2.0.3
Current version/release in rawhide: 1.8.12-2.fc26
URL: http://www.apache.org/dist/pdfbox/
Used by Apache Tika >= 1.13
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1443585
Bug ID: 1443585
Summary: CVE-2017-5661 fop: XML external entity processing vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: bmcclain(a)redhat.com, c.david86(a)gmail.com,
dblechte(a)redhat.com, eedri(a)redhat.com,
gklein(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
lsurette(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, rbalakri(a)redhat.com,
rhbugs(a)n-dimensional.de, Rhev-m-bugs(a)redhat.com,
r.landmann(a)redhat.com, sbonazzo(a)redhat.com,
sherold(a)redhat.com, srevivo(a)redhat.com,
ydary(a)redhat.com, ykaul(a)redhat.com
In Apache FOP before 2.2, files lying on the filesystem of the server which
uses FOP can be revealed to arbitrary users who send maliciously formed SVG
files. The file types that can be shown depend on the user context in which the
exploitable application is running. If the user is root, a full compromise of
the server, including confidential or sensitive files, would be possible. XXE
can also be used to attack the availability of the server via denial of service,
as the references within an XML document can trivially trigger an amplification
attack.
References:
https://xmlgraphics.apache.org/security.html
http://seclists.org/oss-sec/2017/q2/86
https://bugzilla.redhat.com/show_bug.cgi?id=1443592
Bug ID: 1443592
Summary: CVE-2017-5662 batik: XML external entity processing vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: bmcclain(a)redhat.com, c.david86(a)gmail.com,
dblechte(a)redhat.com, eedri(a)redhat.com,
hhorak(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, jvanek(a)redhat.com,
mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
sbonazzo(a)redhat.com, sherold(a)redhat.com,
ydary(a)redhat.com, ykaul(a)redhat.com
In Apache Batik before 1.9, files lying on the filesystem of the server which
uses batik can be revealed to arbitrary users who send maliciously formed SVG
files. The file types that can be shown depend on the user context in which the
exploitable application is running. If the user is root, a full compromise of
the server, including confidential or sensitive files, would be possible. XXE
can also be used to attack the availability of the server via denial of service,
as the references within an XML document can trivially trigger an amplification
attack.
References:
https://xmlgraphics.apache.org/security.html
http://seclists.org/oss-sec/2017/q2/85
https://bugzilla.redhat.com/show_bug.cgi?id=1464158
Bug ID: 1464158
Summary: CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: eclipse-sig(a)lists.fedoraproject.org,
hhorak(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, jorton(a)redhat.com,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com
Jetty is prone to a timing channel in util/security/Password.java, which makes
it easier for remote attackers to obtain access by observing elapsed times
before rejection of incorrect passwords.
Upstream issue:
https://github.com/eclipse/jetty.project/issues/1556
Upstream patch:
https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f…
https://bugzilla.redhat.com/show_bug.cgi?id=1372129
Bug ID: 1372129
Summary: CVE-2016-6348 RESTEasy: Use of JacksonJsonpInterceptor in RESTEasy can lead to Cross Site Script Inclusion attack
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: jshepherd(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, aszczucz(a)redhat.com,
bazulay(a)redhat.com, bbaranow(a)redhat.com,
bdawidow(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmcclain(a)redhat.com,
cbillett(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, csutherl(a)redhat.com,
dandread(a)redhat.com, darran.lofthouse(a)redhat.com,
dblechte(a)redhat.com, dosoudil(a)redhat.com,
eedri(a)redhat.com, epp-bugs(a)redhat.com,
etirelli(a)redhat.com, felias(a)redhat.com,
fnasser(a)redhat.com, gklein(a)redhat.com,
gvarsami(a)redhat.com, hchiorea(a)redhat.com,
hfnukal(a)redhat.com, huwang(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jboss-set(a)redhat.com,
jbpapp-maint(a)redhat.com, jcoleman(a)redhat.com,
jdg-bugs(a)redhat.com, jmatthew(a)redhat.com,
jolee(a)redhat.com, jpallich(a)redhat.com,
jshepherd(a)redhat.com, katello-bugs(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
lgao(a)redhat.com, lpetrovi(a)redhat.com,
lsurette(a)redhat.com, mbaluch(a)redhat.com,
mgoldboi(a)redhat.com, mgoldman(a)redhat.com,
miburman(a)redhat.com, michal.skrivanek(a)redhat.com,
mmccune(a)redhat.com, mweiler(a)redhat.com,
mwinkler(a)redhat.com, myarboro(a)redhat.com,
nwallace(a)redhat.com, ohadlevy(a)redhat.com,
oourfali(a)redhat.com, pavelp(a)redhat.com,
pgier(a)redhat.com, pkliczew(a)redhat.com,
psakar(a)redhat.com, pslavice(a)redhat.com,
puntogil(a)libero.it, rcernich(a)redhat.com,
Rhev-m-bugs(a)redhat.com, rnetuka(a)redhat.com,
rrajasek(a)redhat.com, rsvoboda(a)redhat.com,
rwagner(a)redhat.com, rzhang(a)redhat.com,
satellite6-bugs(a)redhat.com, sherold(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com,
spinder(a)redhat.com, tcunning(a)redhat.com,
theute(a)redhat.com, tjay(a)redhat.com, tkirby(a)redhat.com,
tlestach(a)redhat.com, tomckay(a)redhat.com,
tsanders(a)redhat.com, ttarrant(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com,
vtunka(a)redhat.com, weli(a)redhat.com, ydary(a)redhat.com,
ykaul(a)redhat.com
It was found that in some configurations the JacksonJsonpInterceptor is
activated by default in RESTEasy. An attacker could use this flaw to launch a
Cross Site Scripting Inclusion attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1372117
Bug ID: 1372117
Summary: CVE-2016-6345 RESTEasy: Insufficient use of random values in RESTEasy async jobs could lead to loss of data confidentiality
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: jshepherd(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, aszczucz(a)redhat.com,
bazulay(a)redhat.com, bbaranow(a)redhat.com,
bdawidow(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmcclain(a)redhat.com,
cbillett(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, csutherl(a)redhat.com,
dandread(a)redhat.com, darran.lofthouse(a)redhat.com,
dblechte(a)redhat.com, dosoudil(a)redhat.com,
eedri(a)redhat.com, epp-bugs(a)redhat.com,
etirelli(a)redhat.com, felias(a)redhat.com,
fnasser(a)redhat.com, gklein(a)redhat.com,
gvarsami(a)redhat.com, hchiorea(a)redhat.com,
hfnukal(a)redhat.com, huwang(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jboss-set(a)redhat.com,
jbpapp-maint(a)redhat.com, jcoleman(a)redhat.com,
jdg-bugs(a)redhat.com, jmatthew(a)redhat.com,
jolee(a)redhat.com, jpallich(a)redhat.com,
jshepherd(a)redhat.com, katello-bugs(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
lgao(a)redhat.com, lpetrovi(a)redhat.com,
lsurette(a)redhat.com, mbaluch(a)redhat.com,
mgoldboi(a)redhat.com, mgoldman(a)redhat.com,
miburman(a)redhat.com, michal.skrivanek(a)redhat.com,
mmccune(a)redhat.com, mweiler(a)redhat.com,
mwinkler(a)redhat.com, myarboro(a)redhat.com,
nwallace(a)redhat.com, ohadlevy(a)redhat.com,
oourfali(a)redhat.com, pavelp(a)redhat.com,
pgier(a)redhat.com, pkliczew(a)redhat.com,
psakar(a)redhat.com, pslavice(a)redhat.com,
puntogil(a)libero.it, rcernich(a)redhat.com,
Rhev-m-bugs(a)redhat.com, rnetuka(a)redhat.com,
rrajasek(a)redhat.com, rsvoboda(a)redhat.com,
rwagner(a)redhat.com, rzhang(a)redhat.com,
satellite6-bugs(a)redhat.com, sherold(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com,
spinder(a)redhat.com, tcunning(a)redhat.com,
theute(a)redhat.com, tjay(a)redhat.com, tkirby(a)redhat.com,
tlestach(a)redhat.com, tomckay(a)redhat.com,
tsanders(a)redhat.com, ttarrant(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com,
vtunka(a)redhat.com, weli(a)redhat.com, ydary(a)redhat.com,
ykaul(a)redhat.com
It was found that there was insufficient use of random values in RESTEasy async
jobs. An attacker could use this flaw to steal user data.
https://bugzilla.redhat.com/show_bug.cgi?id=1340421
Bug ID: 1340421
Summary: apache-poi-3.15-beta1-20160409 is available
Product: Fedora
Version: rawhide
Component: apache-poi
Assignee: mat.booth(a)redhat.com
Reporter: puntogil(a)libero.it
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mat.booth(a)redhat.com, puntogil(a)libero.it
Latest upstream release: 3.15-beta1-20160409
Current version/release in rawhide: 3.14-1.fc25
URL: http://www.apache.org/dist/poi/dev/src/
http://www.apache.org/dist/poi/release/src
Please consider upgrading.
https://bugzilla.redhat.com/show_bug.cgi?id=1434338
Bug ID: 1434338
Summary: CVE-2017-2651 jenkins-mailer-plugin: Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com, tdawson(a)redhat.com
The Mailer and Email Extension Plugins are able to send emails to a dynamically
created list of users based on the changelogs, like authors of SCM changes
since the last successful build.
This could in some cases result in emails being sent to people who have no user
account in Jenkins, and in rare cases even people who were not involved in
whatever project was being built, due to some mapping based on the local-part
of email addresses.
Affected versions: up to and including version 1.19
External Reference:
https://jenkins.io/security/advisory/2017-03-20/