java-sig-commits September 2017

java-sig-commits@lists.fedoraproject.org

1 participants
290 discussions

[Bug 1397484] New: CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
by Red Hat Bugzilla 12 Feb '18

12 Feb '18

https://bugzilla.redhat.com/show_bug.cgi?id=1397484 Bug ID: 1397484 Summary: CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: aileenc(a)redhat.com, alee(a)redhat.com, aszczucz(a)redhat.com, bbaranow(a)redhat.com, bdawidow(a)redhat.com, bgollahe(a)redhat.com, bmaxwell(a)redhat.com, ccoleman(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, csutherl(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, dosoudil(a)redhat.com, epp-bugs(a)redhat.com, felias(a)redhat.com, fnasser(a)redhat.com, gzaronik(a)redhat.com, hchiorea(a)redhat.com, hfnukal(a)redhat.com, hhorak(a)redhat.com, ivan.afonichev(a)gmail.com, jason.greene(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jboss-set(a)redhat.com, jclere(a)redhat.com, jcoleman(a)redhat.com, jdg-bugs(a)redhat.com, jdoyle(a)redhat.com, jgoulding(a)redhat.com, jialiu(a)redhat.com, joelsmith(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jshepherd(a)redhat.com, kanderso(a)redhat.com, krzysztof.daniel(a)gmail.com, lgao(a)redhat.com, lmeyer(a)redhat.com, mbabacek(a)redhat.com, mbaluch(a)redhat.com, me(a)coolsvap.net, miburman(a)redhat.com, mizdebsk(a)redhat.com, mmccomas(a)redhat.com, mnewsome(a)redhat.com, mweiler(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, ohudlick(a)redhat.com, pavelp(a)redhat.com, pgier(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, rnetuka(a)redhat.com, rsvoboda(a)redhat.com, rzima(a)redhat.com, spinder(a)redhat.com, theute(a)redhat.com, trick(a)vanstaveren.us, ttarrant(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. Affects: 6.0.0 to 6.0.47, 7.0.0 to 7.0.72, 8.0.0.RC1 to 8.0.38, 8.5.0 to 8.5.6 Upstream patches: Tomcat 6.0.48: https://svn.apache.org/viewvc?view=rev&rev=1767683 Tomcat 7.0.73: http://svn.apache.org/viewvc?view=rev&rev=1767675 Tomcat 8.0.39: http://svn.apache.org/viewvc?view=rev&rev=1767653 Tomcat 8.5.8: http://svn.apache.org/viewvc?view=rev&rev=1767645 External References: https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8 -- You are receiving this mail because: You are on the CC list for the bug.

2 48

[Bug 1376712] New: CVE-2016-1240 tomcat: Local privilege escalation via unsafe file handling in the Tomcat init script
by Red Hat Bugzilla 12 Feb '18

12 Feb '18

https://bugzilla.redhat.com/show_bug.cgi?id=1376712 Bug ID: 1376712 Summary: CVE-2016-1240 tomcat: Local privilege escalation via unsafe file handling in the Tomcat init script Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: alee(a)redhat.com, aszczucz(a)redhat.com, bbaranow(a)redhat.com, bdawidow(a)redhat.com, bgollahe(a)redhat.com, bmaxwell(a)redhat.com, ccoleman(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, csutherl(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, dosoudil(a)redhat.com, epp-bugs(a)redhat.com, felias(a)redhat.com, fnasser(a)redhat.com, hchiorea(a)redhat.com, hfnukal(a)redhat.com, hhorak(a)redhat.com, ivan.afonichev(a)gmail.com, jason.greene(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jboss-set(a)redhat.com, jclere(a)redhat.com, jcoleman(a)redhat.com, jdg-bugs(a)redhat.com, jdoyle(a)redhat.com, jgoulding(a)redhat.com, jialiu(a)redhat.com, joelsmith(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jshepherd(a)redhat.com, kanderso(a)redhat.com, krzysztof.daniel(a)gmail.com, lgao(a)redhat.com, lmeyer(a)redhat.com, mbabacek(a)redhat.com, mbaluch(a)redhat.com, me(a)coolsvap.net, miburman(a)redhat.com, mizdebsk(a)redhat.com, mmccomas(a)redhat.com, mnewsome(a)redhat.com, mweiler(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, ohudlick(a)redhat.com, pavelp(a)redhat.com, pgier(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, rnetuka(a)redhat.com, rsvoboda(a)redhat.com, rzima(a)redhat.com, spinder(a)redhat.com, theute(a)redhat.com, trick(a)vanstaveren.us, ttarrant(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. References: http://seclists.org/bugtraq/2016/Sep/26 -- You are receiving this mail because: You are on the CC list for the bug.

2 31

[Bug 1382979] New: jenkins-ant-plugin-1.4 is available
by Red Hat Bugzilla 22 Jan '18

22 Jan '18

https://bugzilla.redhat.com/show_bug.cgi?id=1382979 Bug ID: 1382979 Summary: jenkins-ant-plugin-1.4 is available Product: Fedora Version: rawhide Component: jenkins-ant-plugin Keywords: FutureFeature, Triaged Assignee: msrb(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com, msrb(a)redhat.com Latest upstream release: 1.4 Current version/release in rawhide: 1.2-6.fc24 URL: https://wiki.jenkins-ci.org/display/JENKINS/Ant+Plugin Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/6326/ -- You are receiving this mail because: You are on the CC list for the bug.

2 4

[Bug 1424418] New: sbt: FTBFS in rawhide
by bugzilla＠redhat.com 16 Jan '18

16 Jan '18

https://bugzilla.redhat.com/show_bug.cgi?id=1424418 Bug ID: 1424418 Summary: sbt: FTBFS in rawhide Product: Fedora Version: rawhide Component: sbt Assignee: willb(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, s(a)shk.io, willb(a)redhat.com Blocks: 1423041 Your package sbt failed to build from source in current rawhide. https://koji.fedoraproject.org/koji/taskinfo?taskID=17791279 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1423041 [Bug 1423041] Fedora 26 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1469356] New: aether-ant-tasks: Port to XMvn 3.0.0
by bugzilla＠redhat.com 11 Jan '18

11 Jan '18

https://bugzilla.redhat.com/show_bug.cgi?id=1469356 Bug ID: 1469356 Summary: aether-ant-tasks: Port to XMvn 3.0.0 Product: Fedora Version: rawhide Component: aether-ant-tasks Assignee: mizdebsk(a)redhat.com Reporter: mizdebsk(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: eclipse-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com aether-ant-tasks needs porting to XMvn 3.0.0 (or retiring). aether-ant-tasks has broken dependencies in the rawhide tree: aether-ant-tasks-1.0.1-6.fc26.noarch requires xmvn-launcher -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 958733] New: plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli
by Red Hat Bugzilla 09 Jan '18

09 Jan '18

Product: Fedora https://bugzilla.redhat.com/show_bug.cgi?id=958733 Bug ID: 958733 Summary: plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli Product: Fedora Version: 18 Component: plexus-utils Severity: unspecified Priority: unspecified Assignee: fnasser(a)redhat.com Reporter: fweimer(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: fnasser(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Blocks: 958220 Category: --- The shell quoting logic in this package (and the org.codehaus.plexus.util.cli.shell) package looks fairly dangerous. It appears to be mostly dead code. Client code should be migrated to java.lang.ProcessBuilder. The different quoting options (single quotes, double quotes) are difficult to get right, and the reference to StringUtils is not particularly helpful because the caller has to provide the correct set of characters to be escaped, which is platform-dependent. -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=JhGrfK5sg6&a=cc_unsubscribe

2 10

[Bug 1492259] New: maven-surefire-2.20.1 is available
by bugzilla＠redhat.com 05 Jan '18

05 Jan '18

https://bugzilla.redhat.com/show_bug.cgi?id=1492259 Bug ID: 1492259 Summary: maven-surefire-2.20.1 is available Product: Fedora Version: rawhide Component: maven-surefire Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Latest upstream release: 2.20.1 Current version/release in rawhide: 2.20-1.fc28 URL: http://repo2.maven.org/maven2/org/apache/maven/surefire/surefire/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1944/ -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1268242] New: solr-5.3.1 is available
by Red Hat Bugzilla 12 Dec '17

12 Dec '17

https://bugzilla.redhat.com/show_bug.cgi?id=1268242 Bug ID: 1268242 Summary: solr-5.3.1 is available Product: Fedora Version: rawhide Component: solr Assignee: puntogil(a)libero.it Reporter: puntogil(a)libero.it QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Latest upstream release: 5.3.1 Current version/release in rawhide: 5.3.0-1.fc24 URL: http://www.apache.org/dist/lucene/solr Please, consider upgrading -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=FSln2KmW6z&a=cc_unsubscribe

2 32

[Bug 1327883] New: spatial4j-0.6 is available
by Red Hat Bugzilla 12 Dec '17

12 Dec '17

https://bugzilla.redhat.com/show_bug.cgi?id=1327883 Bug ID: 1327883 Summary: spatial4j-0.6 is available Product: Fedora Version: rawhide Component: spatial4j Assignee: puntogil(a)libero.it Reporter: puntogil(a)libero.it QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Latest upstream release: 0.6 Current version/release in rawhide: 0.5.0-3.fc25 URL: https://github.com/locationtech/spatial4j/tags -- You are receiving this mail because: You are on the CC list for the bug.

2 5

[Bug 1335748] New: jenkins-xstream: bundles XStream
by Red Hat Bugzilla 12 Dec '17

12 Dec '17

https://bugzilla.redhat.com/show_bug.cgi?id=1335748 Bug ID: 1335748 Summary: jenkins-xstream: bundles XStream Product: Fedora Version: rawhide Component: jenkins-xstream Assignee: msrb(a)redhat.com Reporter: mizdebsk(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, msrb(a)redhat.com Description of problem: Package jenknis-xstream bundles XStream library: /usr/share/java/jenkins-xstream/xstream.jar Version-Release number of selected component (if applicable): jenkins-xstream-1.4.7-8.jenkins1.fc24.noarch -- You are receiving this mail because: You are on the CC list for the bug.

2 7

← Newer
1
...
13
14
15
16
17
18
19
...
29
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits September 2017