https://bugzilla.redhat.com/show_bug.cgi?id=1490329
Bug ID: 1490329
Summary: Please update to junit 5
Product: Fedora
Version: rawhide
Component: junit4
Assignee: extras-orphan(a)fedoraproject.org
Reporter: akurtako(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dwalluck(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org
Please update to JUnit 5 or add it as new package. Eclipse upstream gained
dependency on it and we will need it for future updates.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1408164
Bug ID: 1408164
Summary: CVE-2016-9878 Spring Framework: Directory Traversal in
the Spring Framework ResourceServlet
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, aileenc(a)redhat.com,
alazarot(a)redhat.com, aszczucz(a)redhat.com,
avibelli(a)redhat.com, awels(a)redhat.com,
bazulay(a)redhat.com, bdawidow(a)redhat.com,
bmcclain(a)redhat.com, chazlett(a)redhat.com,
coneill(a)redhat.com, dandread(a)redhat.com,
dblechte(a)redhat.com, dmcphers(a)redhat.com,
eedri(a)redhat.com, epp-bugs(a)redhat.com,
etirelli(a)redhat.com, felias(a)redhat.com,
fnasser(a)redhat.com, gklein(a)redhat.com,
gsterlin(a)redhat.com, gvarsami(a)redhat.com,
hchiorea(a)redhat.com, hfnukal(a)redhat.com,
huwang(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jbalunas(a)redhat.com, jbpapp-maint(a)redhat.com,
jcoleman(a)redhat.com, jialiu(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jpallich(a)redhat.com, jshepherd(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
lgao(a)redhat.com, lmeyer(a)redhat.com,
lpetrovi(a)redhat.com, lsurette(a)redhat.com,
mbaluch(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mmccomas(a)redhat.com,
mweiler(a)redhat.com, mwinkler(a)redhat.com,
myarboro(a)redhat.com, nthomas(a)redhat.com,
nwallace(a)redhat.com, oourfali(a)redhat.com,
pavelp(a)redhat.com, puntogil(a)libero.it,
rbalakri(a)redhat.com, Rhev-m-bugs(a)redhat.com,
rrajasek(a)redhat.com, rwagner(a)redhat.com,
rzhang(a)redhat.com, sankarshan(a)redhat.com,
sbonazzo(a)redhat.com, sherold(a)redhat.com,
sisharma(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com,
srevivo(a)redhat.com, tcunning(a)redhat.com,
theute(a)redhat.com, tiwillia(a)redhat.com,
tjay(a)redhat.com, tkirby(a)redhat.com, twalsh(a)redhat.com,
vhalbert(a)redhat.com, ydary(a)redhat.com,
ykaul(a)redhat.com
It was found that paths provided to the ResourceServlet were not properly
sanitized and as a result exposed to directory traversal attacks.
Upstream bug:
https://jira.spring.io/browse/SPR-14946
Upstream patches:
https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a49…
https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d794…
https://github.com/spring-projects/spring-framework/commit/a7dc48534ea50152…
External References:
https://pivotal.io/security/cve-2016-9878
https://bugzilla.redhat.com/show_bug.cgi?id=1404645
Bug ID: 1404645
Summary: CVE-2016-681 activemq: Cross-site scripting in web
based administration console
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, agrimm(a)gmail.com,
aileenc(a)redhat.com, ccoleman(a)redhat.com,
chazlett(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com, gvarsami(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jgoulding(a)redhat.com,
jialiu(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kconner(a)redhat.com,
kseifried(a)redhat.com, ldimaggi(a)redhat.com,
lmeyer(a)redhat.com, mmccomas(a)redhat.com,
nwallace(a)redhat.com, pavelp(a)redhat.com,
puntogil(a)libero.it, rwagner(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com, s(a)shk.io,
tcunning(a)redhat.com, tdawson(a)redhat.com,
tiwillia(a)redhat.com, tkirby(a)redhat.com
An instance of a cross-site scripting vulnerability was identified to be
present in the web based administration console. The root cause of this issue
is improper user data output validation.
Affected versions: ActiveMQ 5.0.0 - 5.14.1
External Reference:
http://activemq.apache.org/security-advisories.data/CVE-2016-6810-announcem…
https://bugzilla.redhat.com/show_bug.cgi?id=1438104
Bug ID: 1438104
Summary: bridge-method-injector-1.15 is available
Product: Fedora
Version: rawhide
Component: bridge-method-injector
Keywords: FutureFeature, Triaged
Assignee: msrb(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Latest upstream release: 1.15
Current version/release in rawhide: 1.14-6.fc26
URL: https://github.com/infradna/bridge-method-injector
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/218/
https://bugzilla.redhat.com/show_bug.cgi?id=1495241
Bug ID: 1495241
Summary: [tomcat] zip -u in spec file causes race condition
Product: Fedora
Version: rawhide
Component: tomcat
Assignee: ivan.afonichev(a)gmail.com
Reporter: tdawson(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, alee(a)redhat.com,
csutherl(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, me(a)coolsvap.net
Description of problem:
zip -u is being used to update META-INF/MANIFEST.MF in jar files
zip -u will "Update existing entries if newer on the file system"
Unfortunately zip is only looking at the minute that a file is updated. We are
finding on fast test machines that the content of the jar, and the new
META-INF/MANIFEST.MF, are being created in the same minute. Thus when the zip
-u is run, the MANIFEST.MF isn't updated, zip returns a non-zero error code, and
the build fails.
"zip -u" should be changed to "zip", which changes the zip command from
"update" to "add"
zip (add) will "Update existing entries and add new files. ... This is the
default mode."
If you can change your spec files to use just "zip" instead of "zip -u", that
will solve this race condition.
Version-Release number of selected component (if applicable):
tomcat-8.0.46-1.fc28
How reproducible:
5-95% - depending on the speed of the machine.
Steps to Reproduce:
1. koji build
Actual results:
+ zip -u build/lib/<jar-name>.jar META-INF/MANIFEST.MF
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.oh6WeU (%build)
Bad exit status from /var/tmp/rpm-tmp.oh6WeU (%build)
Child return code was: 1
Expected results:
...
+ zip -u build/lib/<jar-name>.jar META-INF/MANIFEST.MF
updating: META-INF/MANIFEST.MF (deflated 56%)
...
https://bugzilla.redhat.com/show_bug.cgi?id=1493800
Bug ID: 1493800
Summary: joda-convert-v1.9.2 is available
Product: Fedora
Version: rawhide
Component: joda-convert
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
SpikeFedora(a)gmail.com
Latest upstream release: v1.9.2
Current version/release in rawhide: 1.8.3-1.fc28
URL: https://github.com/JodaOrg/joda-convert
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1465/
https://bugzilla.redhat.com/show_bug.cgi?id=1442391
Bug ID: 1442391
Summary: gradle-3.5.0 is available
Product: Fedora
Version: rawhide
Component: gradle
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
Latest upstream release: 3.5.0
Current version/release in rawhide: 2.13-7.fc26
URL: http://www.gradle.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/6088/
https://bugzilla.redhat.com/show_bug.cgi?id=1497365
Bug ID: 1497365
Summary: aqute-bnd-3.5.0 is available
Product: Fedora
Version: rawhide
Component: aqute-bnd
Keywords: FutureFeature, Triaged
Assignee: msimacek(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
Latest upstream release: 3.5.0
Current version/release in rawhide: 3.4.0-2.fc28
URL: http://bnd.bndtools.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/98/
https://bugzilla.redhat.com/show_bug.cgi?id=1494295
Bug ID: 1494295
Summary: log4j-2.9.1 is available
Product: Fedora
Version: rawhide
Component: log4j
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: devrim(a)gunduz.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
Latest upstream release: 2.9.1
Current version/release in rawhide: 2.9.0-1.fc28
URL: http://www.apache.org/dist/logging/log4j
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1836/
https://bugzilla.redhat.com/show_bug.cgi?id=1495231
Bug ID: 1495231
Summary: [lucene3] zip -u in spec file causes race condition
Product: Fedora
Version: rawhide
Component: lucene3
Assignee: puntogil(a)libero.it
Reporter: tdawson(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mgoldman(a)redhat.com, puntogil(a)libero.it
Description of problem:
zip -u is being used to update META-INF/MANIFEST.MF in jar files
zip -u will "Update existing entries if newer on the file system"
Unfortunately zip is only looking at the minute that a file is updated. We are
finding on fast test machines that the content of the jar, and the new
META-INF/MANIFEST.MF, are being created in the same minute. Thus when the zip
-u is run, the MANIFEST.MF isn't updated, zip returns a non-zero error code, and
the build fails.
"zip -u" should be changed to "zip", which changes the zip command from
"update" to "add"
zip (add) will "Update existing entries and add new files. ... This is the
default mode."
If you can change your spec files to use just "zip" instead of "zip -u", that
will solve this race condition.
Version-Release number of selected component (if applicable):
lucene3-3.6.2-11.fc28
How reproducible:
5-95% - depending on the speed of the machine.
Steps to Reproduce:
1. koji build
Actual results:
+ zip -u build/lib/<jar-name>.jar META-INF/MANIFEST.MF
RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.oh6WeU (%build)
Bad exit status from /var/tmp/rpm-tmp.oh6WeU (%build)
Child return code was: 1
Expected results:
...
+ zip -u build/lib/<jar-name>.jar META-INF/MANIFEST.MF
updating: META-INF/MANIFEST.MF (deflated 56%)
...