https://bugzilla.redhat.com/show_bug.cgi?id=1441538
Bug ID: 1441538
Summary: XStream: DoS when unmarshalling void type
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, aileenc(a)redhat.com,
alazarot(a)redhat.com, bkearney(a)redhat.com,
bmcclain(a)redhat.com, cbillett(a)redhat.com,
chazlett(a)redhat.com, dblechte(a)redhat.com,
eedri(a)redhat.com, etirelli(a)redhat.com,
gklein(a)redhat.com, gvarsami(a)redhat.com,
java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jmatthew(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
lpetrovi(a)redhat.com, lsurette(a)redhat.com,
mbaluch(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
mmccune(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com, mwinkler(a)redhat.com,
nwallace(a)redhat.com, ohadlevy(a)redhat.com,
pavelp(a)redhat.com, rbalakri(a)redhat.com,
Rhev-m-bugs(a)redhat.com, rrajasek(a)redhat.com,
rwagner(a)redhat.com, rzhang(a)redhat.com,
sherold(a)redhat.com, srevivo(a)redhat.com,
tcunning(a)redhat.com, tiwillia(a)redhat.com,
tjay(a)redhat.com, tkirby(a)redhat.com,
tlestach(a)redhat.com, tsanders(a)redhat.com,
ydary(a)redhat.com, ykaul(a)redhat.com
A vulnerability was found in XStream. Parsing a maliciously crafted file could
cause the application to crash.
The processed stream at unmarshalling type contains type information to
recreate the formerly written objects. XStream creates therefore new instances
based on these type information. The crash occurrs if this information advices
XStream to create an instance of the primitive type 'void'. This situation can
only happen if an attacker was able to manipulate the incoming data, since such
an instance does not exist.
References:
http://seclists.org/oss-sec/2017/q2/9
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1441542
Bug ID: 1441542
Summary: XStream: DoS when unmarshalling void type [fedora-all]
Product: Fedora
Version: 25
Component: xstream
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: anemec(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1564314
Bug ID: 1564314
Summary: maven-shade-plugin-3.1.1 is available
Product: Fedora
Version: rawhide
Component: maven-shade-plugin
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
Latest upstream release: 3.1.1
Current version/release in rawhide: 3.1.0-1.fc28
URL: http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-shade-plugin/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1936/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1315067
Bug ID: 1315067
Summary: maven-project-info-reports-plugin-2.9 is available
Product: Fedora
Version: rawhide
Component: maven-project-info-reports-plugin
Keywords: FutureFeature, Triaged
Assignee: huwang(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: huwang(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Latest upstream release: 2.9
Current version/release in rawhide: 2.8.1-2.fc24
URL:
http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-project-info-r…
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1549061
Bug ID: 1549061
Summary: ambari depends on removed /bin/env
Product: Fedora
Version: rawhide
Component: ambari
Priority: high
Assignee: pmackinn(a)redhat.com
Reporter: ignatenko(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
me(a)coolsvap.net, moceap(a)hotmail.com,
pmackinn(a)redhat.com
Latest coreutils in rawhide dropped old /bin/* provides, time to adjust your
package after 10 releases of Fedora.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1397307
Bug ID: 1397307
Summary: Gradle 3.1 is available
Product: Fedora
Version: 24
Component: gradle
Severity: medium
Assignee: mizdebsk(a)redhat.com
Reporter: kilian.holzinger(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
Latest upstream version: 3.1
Current version in F24: 2.12.1
Current version in F25: 2.13
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1325583
Bug ID: 1325583
Summary: lucene-6.0.0 is available
Product: Fedora
Version: rawhide
Component: lucene
Keywords: FutureFeature, Triaged
Assignee: akurtako(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
hicham.haouari(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com,
msimacek(a)redhat.com, puntogil(a)libero.it,
rgrunber(a)redhat.com
Latest upstream release: 6.0.0
Current version/release in rawhide: 5.5.0-1.fc25
URL: http://lucene.apache.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/7178/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1550853
Bug ID: 1550853
Summary: Some/All subpackages of jackson-dataformat-csv are
obeolsted by other packages
Product: Fedora
Version: rawhide
Component: jackson-dataformat-csv
Priority: high
Assignee: puntogil(a)libero.it
Reporter: ignatenko(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dchen(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it
See
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
for list of packages and respective Obsoletes.
If it's all your subpackages, please retire your package entirely (fedpkg
retire). If it's some of your subpackages, please remove them. Or coordinate
with maintainers of package which is obsoleting yours.
Thanks!
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1555899
Bug ID: 1555899
Summary: jackson-dataformat-yaml: FTBFS in F28
Product: Fedora
Version: 28
Component: jackson-dataformat-yaml
Assignee: puntogil(a)libero.it
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: dchen(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, puntogil(a)libero.it
Blocks: 1555378
Your package jackson-dataformat-yaml failed to build from source in current
F28.
https://koji.fedoraproject.org/koji/taskinfo?taskID=24804308
For details on mass rebuild see
https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1555378
[Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1539635
Bug ID: 1539635
Summary: Please retire jackson-dataformat-smile in rawhide
Product: Fedora
Version: rawhide
Component: jackson-dataformat-smile
Assignee: puntogil(a)libero.it
Reporter: mat.booth(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dchen(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
In the latest versions of Jackson, the binary dataformat modules were merged
upstream into a single a repo, which I have packaged and built in Fedora:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1020986
Consequently, the standalone modules jackson-dataformat-cbor and
jackson-dataformat-smile may now be retired from Rawhide (F28+)
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1550854
Bug ID: 1550854
Summary: Some/All subpackages of jackson-dataformat-smile are
obeolsted by other packages
Product: Fedora
Version: rawhide
Component: jackson-dataformat-smile
Priority: high
Assignee: puntogil(a)libero.it
Reporter: ignatenko(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dchen(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
See
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
for list of packages and respective Obsoletes.
If it's all your subpackages, please retire your package entirely (fedpkg
retire). If it's some of your subpackages, please remove them. Or coordinate
with maintainers of package which is obsoleting yours.
Thanks!
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1540033
Bug ID: 1540033
Summary: CVE-2017-8030 springframework: spring-framework:
Improper URL path validation allows for bypassing of
security checks on static resources [fedora-all]
Product: Fedora
Version: 27
Component: springframework
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: puntogil(a)libero.it
Reporter: sfowler(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dchen(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1557542
Bug ID: 1557542
Summary: CVE-2018-1324 apache-commons-compress: Infinite loop
via extra field parser in ZipFile and
ZipArchiveInputStream classes
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: bmcclain(a)redhat.com, dblechte(a)redhat.com,
eedri(a)redhat.com, hhorak(a)redhat.com,
java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, sandro(a)mathys.io,
sbonazzo(a)redhat.com, sherold(a)redhat.com,
SpikeFedora(a)gmail.com, ykaul(a)redhat.com,
ylavi(a)redhat.com
A flaw was found in Apache Commons Compress versions 1.11 to 1.15. A specially
crafted ZIP archive can be used to cause an infinite loop inside of Apache
Commons Compress' extra field parser used by the ZipFile and
ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to
mount a denial of service attack against services that use Compress' zip
package.
Upstream patch:
https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f…
Upstream issue:
https://issues.apache.org/jira/browse/COMPRESS-432
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1557587
Bug ID: 1557587
Summary: maven-help-plugin-3.0.0 is available
Product: Fedora
Version: rawhide
Component: maven-help-plugin
Keywords: FutureFeature, Triaged
Assignee: yyang(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: huwang(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, yyang(a)redhat.com
Latest upstream release: 3.0.0
Current version/release in rawhide: 2.2-8.fc24
URL: http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-help-plugin/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1911/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1448247
Bug ID: 1448247
Summary: access-modifier-annotation--1.11 is available
Product: Fedora
Version: rawhide
Component: access-modifier-annotation
Keywords: FutureFeature, Triaged
Assignee: msrb(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Latest upstream release: -1.11
Current version/release in rawhide: 1.7-4.fc26
URL: https://github.com/kohsuke/access-modifier
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/13/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1532497
Bug ID: 1532497
Summary: CVE-2017-1000487 plexus-utils: Mishandled strings in
Commandline class allow for command injection
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
anstephe(a)redhat.com, apevec(a)redhat.com,
bcourt(a)redhat.com, bdawidow(a)redhat.com,
bkearney(a)redhat.com, chazlett(a)redhat.com,
chrisw(a)redhat.com, drieden(a)redhat.com,
etirelli(a)redhat.com, fnasser(a)redhat.com,
gvarsami(a)redhat.com, hchiorea(a)redhat.com,
hghasemb(a)redhat.com, hhorak(a)redhat.com,
ibek(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jjoyce(a)redhat.com,
jmatthew(a)redhat.com, jolee(a)redhat.com,
jorton(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, kbasil(a)redhat.com,
kconner(a)redhat.com, kverlaen(a)redhat.com,
ldimaggi(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lpetrovi(a)redhat.com, markmc(a)redhat.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mmccune(a)redhat.com, mrike(a)redhat.com,
msimacek(a)redhat.com, nwallace(a)redhat.com,
ohadlevy(a)redhat.com, paradhya(a)redhat.com,
pavelp(a)redhat.com, pdrozd(a)redhat.com,
pszubiak(a)redhat.com, rbryant(a)redhat.com,
rchan(a)redhat.com, rrajasek(a)redhat.com,
rsynek(a)redhat.com, rwagner(a)redhat.com,
rzhang(a)redhat.com, sclewis(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
sthorger(a)redhat.com, tcunning(a)redhat.com,
tdecacqu(a)redhat.com, tjay(a)redhat.com,
tkirby(a)redhat.com, tsanders(a)redhat.com,
vhalbert(a)redhat.com
The Commandline class in plexus-utils before 3.0.16 is vulnerable to command
injection because it does not correctly process the contents of double quoted
strings.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000487https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312…https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1555109
Bug ID: 1555109
Summary: qdox-2.0-M8 is available
Product: Fedora
Version: rawhide
Component: qdox
Keywords: FutureFeature, Triaged
Assignee: akurtako(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Latest upstream release: 2.0-M8
Current version/release in rawhide: 2.0-0.12.M7.fc28
URL: https://github.com/paul-hammant/qdox
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/12832/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1508111
Bug ID: 1508111
Summary: CVE-2016-5002 xmlrpc: XML external entity
vulnerability SSRF via a crafted DTD [fedora-all]
Product: Fedora
Version: 26
Component: xmlrpc
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, puntogil(a)libero.it,
sochotni(a)redhat.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1508124
Bug ID: 1508124
Summary: CVE-2016-5003 xmlrpc: Deserialization of untrusted
Java object through <ex:serializable> tag [fedora-all]
Product: Fedora
Version: 26
Component: xmlrpc
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, puntogil(a)libero.it,
sochotni(a)redhat.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1511366
Bug ID: 1511366
Summary: CVE-2017-12197 libpam4j: Account check bypass
[fedora-all]
Product: Fedora
Version: 26
Component: libpam4j
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: msrb(a)redhat.com
Reporter: thoger(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1423759
Bug ID: 1423759
Summary: jenkins-antisamy-markup-formatter-plugin: FTBFS in
rawhide
Product: Fedora
Version: rawhide
Component: jenkins-antisamy-markup-formatter-plugin
Assignee: msrb(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Blocks: 1423041
Your package jenkins-antisamy-markup-formatter-plugin failed to build from
source in current rawhide.
https://koji.fedoraproject.org/koji/taskinfo?taskID=17727505
For details on mass rebuild see
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1423041
[Bug 1423041] Fedora 26 Mass Rebuild FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1423763
Bug ID: 1423763
Summary: jenkins-external-monitor-job-plugin: FTBFS in rawhide
Product: Fedora
Version: rawhide
Component: jenkins-external-monitor-job-plugin
Assignee: msrb(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Blocks: 1423041
Your package jenkins-external-monitor-job-plugin failed to build from source in
current rawhide.
https://koji.fedoraproject.org/koji/taskinfo?taskID=17727551
For details on mass rebuild see
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1423041
[Bug 1423041] Fedora 26 Mass Rebuild FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1423776
Bug ID: 1423776
Summary: jenkins-matrix-project-plugin: FTBFS in rawhide
Product: Fedora
Version: rawhide
Component: jenkins-matrix-project-plugin
Assignee: msrb(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Blocks: 1423041
Your package jenkins-matrix-project-plugin failed to build from source in
current rawhide.
https://koji.fedoraproject.org/koji/taskinfo?taskID=17727671
For details on mass rebuild see
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1423041
[Bug 1423041] Fedora 26 Mass Rebuild FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1423779
Bug ID: 1423779
Summary: jenkins-script-security-plugin: FTBFS in rawhide
Product: Fedora
Version: rawhide
Component: jenkins-script-security-plugin
Assignee: msrb(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Blocks: 1423041
Your package jenkins-script-security-plugin failed to build from source in
current rawhide.
https://koji.fedoraproject.org/koji/taskinfo?taskID=17727681
For details on mass rebuild see
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1423041
[Bug 1423041] Fedora 26 Mass Rebuild FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1423781
Bug ID: 1423781
Summary: jenkins-ssh-credentials-plugin: FTBFS in rawhide
Product: Fedora
Version: rawhide
Component: jenkins-ssh-credentials-plugin
Assignee: msrb(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Blocks: 1423041
Your package jenkins-ssh-credentials-plugin failed to build from source in
current rawhide.
https://koji.fedoraproject.org/koji/taskinfo?taskID=17727688
For details on mass rebuild see
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1423041
[Bug 1423041] Fedora 26 Mass Rebuild FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1423917
Bug ID: 1423917
Summary: mahout-collection-codegen-plugin: FTBFS in rawhide
Product: Fedora
Version: rawhide
Component: mahout-collection-codegen-plugin
Assignee: besser82(a)fedoraproject.org
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: besser82(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
ml(a)lists.fedoraproject.org
Blocks: 1423041
Your package mahout-collection-codegen-plugin failed to build from source in
current rawhide.
https://koji.fedoraproject.org/koji/taskinfo?taskID=17736618
For details on mass rebuild see
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1423041
[Bug 1423041] Fedora 26 Mass Rebuild FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1423927
Bug ID: 1423927
Summary: maven-project-info-reports-plugin: FTBFS in rawhide
Product: Fedora
Version: rawhide
Component: maven-project-info-reports-plugin
Assignee: huwang(a)redhat.com
Reporter: releng(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: huwang(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Blocks: 1423041
Your package maven-project-info-reports-plugin failed to build from source in
current rawhide.
https://koji.fedoraproject.org/koji/taskinfo?taskID=17737259
For details on mass rebuild see
https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1423041
[Bug 1423041] Fedora 26 Mass Rebuild FTBFS Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1238497
Bug ID: 1238497
Summary: maven-invoker-plugin-2.0.0 is available
Product: Fedora
Version: rawhide
Component: maven-invoker-plugin
Keywords: FutureFeature, Triaged
Assignee: weli(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, weli(a)redhat.com
Latest upstream release: 2.0.0
Current version/release in rawhide: 1.10-2.fc23
URL:
http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-invoker-plugin/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=szOtEqGNHo&a=cc_unsubscribe
https://bugzilla.redhat.com/show_bug.cgi?id=1220717
Bug ID: 1220717
Summary: springframework-retry: tests throw
org.springframework.beans.factory.NoSuchBeanDefinition
Exception
Product: Fedora
Version: rawhide
Component: springframework-retry
Assignee: msrb(a)redhat.com
Reporter: msrb(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Description of problem:
Some of the tests in springframework-retry package throw
org.springframework.beans.factory.NoSuchBeanDefinitionException from some
reason. Investigate why.
Version-Release number of selected component (if applicable):
springframework-retry-1.1.1-2
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=LCNr7p1he2&a=cc_unsubscribe
https://bugzilla.redhat.com/show_bug.cgi?id=1333071
Bug ID: 1333071
Summary: morfologik-stemming-2.1.0 is available
Product: Fedora
Version: rawhide
Component: morfologik-stemming
Assignee: puntogil(a)libero.it
Reporter: puntogil(a)libero.it
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it
Latest upstream release: 2.1.0
Current version/release in rawhide: 2.0.1-3.fc24
URL: https://github.com/morfologik/morfologik-stemming/tags
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1366907
Bug ID: 1366907
Summary: mysql-connector missing MysqlDataSourceFactory
Product: Fedora
Version: 24
Component: mysql-connector-java
Assignee: puntogil(a)libero.it
Reporter: arnaud.kleinveld(a)ybo.com.sg
QA Contact: extras-qa(a)fedoraproject.org
CC: hhorak(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jdornak(a)redhat.com, puntogil(a)libero.it,
xjakub(a)fi.muni.cz
Description of problem:
Version-Release number of selected component (if applicable): 5.1.38-3
How reproducible:
List contents of jar file and notice difference with distributed jar by MySQL
Steps to Reproduce:
1.jar -tvf /usr/share/java/mysql-connector-java.jar|grep MysqlDataSourceFactory
2.
3.
Actual results:
No output
Expected results:
3493 Wed Dec 02 09:01:44 ICT 2015
com/mysql/jdbc/jdbc2/optional/MysqlDataSourceFactory.class
Additional info:
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1375228
Bug ID: 1375228
Summary: lz4-java: Test failures on aarch64
Product: Fedora
Version: rawhide
Component: lz4-java
Assignee: puntogil(a)libero.it
Reporter: mizdebsk(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it
Blocks: 245418 (ARMTracker)
%check tests are currently disabled on aarch64 because they fail.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=245418
[Bug 245418] Tracker for ARM support
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1509010
Bug ID: 1509010
Summary: $ZOOCFGDIR needs to be added to classpath for
log4j.properties
Product: Fedora
Version: 26
Component: zookeeper
Assignee: tstclair(a)heptio.com
Reporter: shawn.bohrer(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: ctubbsii(a)fedoraproject.org, greg.hellings(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
mluscon(a)gmail.com, s(a)shk.io, tstclair(a)heptio.com
Description of problem:
When setting up zookeeper I found to problems with logging. The first was that
I needed to install:
slf4j-log4j12-1.7.22-4.fc26.noarch
I see that the zookeeper package depends on log4j12 and slf4j but not
slf4j-log4j12. Next, once I had that installed I received the following
warnings:
log4j:WARN No appenders could be found for logger
(org.apache.zookeeper.server.quorum.QuorumPeerConfig).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more
info.
This occurs because /etc/zookeeper needs to be added to the classpath, in order
to find /etc/zookeeper/log4j.properties. Interestingly in
/usr/libexec/zkEnv.sh there are the following lines:
ZOOCFGDIR="/etc/zookeeper"
...
#add the zoocfg dir to classpath
CLASSPATH="/usr/share/java/zookeeper/zookeeper.jar"
CLASSPATH="$CLASSPATH:/usr/share/java/zookeeper/zookeeper-ZooInspector.jar"
CLASSPATH="$CLASSPATH:/usr/share/java/zookeeper/zookeeper-tests.jar"
...
Despite that comment, it does not add $ZOOCFGDIR to the classpath which makes
me think that perhaps it was removed or maybe they wrote the comment and never
did it. There also does not appear to be any environment variables or similar
ways to add additional items to the classpath so you must edit
/usr/libexec/zkEnv.sh
Version-Release number of selected component (if applicable):
zookeeper-java-3.4.9-3.fc26.x86_64
zookeeper-3.4.9-3.fc26.x86_64
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1381310
Bug ID: 1381310
Summary: glassfish-servlet-api: 4.0.0-b01 is available
Product: Fedora
Version: rawhide
Component: glassfish-servlet-api
Assignee: davidx(a)fedoraproject.org
Reporter: puntogil(a)libero.it
QA Contact: extras-qa(a)fedoraproject.org
CC: davidx(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it
Upstream released axiom 4.0.0-b01.
Currently, we still have version 3.1.0-11.fc25 in Rawhide.
URL: https://svn.java.net/svn/glassfish~svn/tags/javax.servlet-api-4.0.0-b01
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1395997
Bug ID: 1395997
Summary: jenkins-extras-memory-monitor: FTBFS in Fedora Rawhide
Product: Fedora
Version: rawhide
Component: jenkins-extras-memory-monitor
Assignee: msrb(a)redhat.com
Reporter: mizdebsk(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Description of problem:
Package jenkins-extras-memory-monitor fails to build from source in Fedora
Rawhide.
The build uses deprecated "attached" goal of maven-assembly-plugin, which was
removed in version 3.0.0. See:
https://maven.apache.org/components/plugins-archives/maven-assembly-plugin-…
Version-Release number of selected component (if applicable):
1.9-3.fc24
Steps to Reproduce:
koji build --scratch f26 jenkins-extras-memory-monitor-1.9-3.fc24.src.rpm
Additional info:
This package is tracked by Koschei. See:
http://apps.fedoraproject.org/koschei/package/jenkins-extras-memory-monitor
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1397462
Bug ID: 1397462
Summary: littleproxy-1.1.0 is available
Product: Fedora
Version: rawhide
Component: littleproxy
Assignee: puntogil(a)libero.it
Reporter: puntogil(a)libero.it
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it
Latest upstream release: 1.1.0
Current version/release in rawhide: 0.5.3-3.fc25
URL: https://github.com/adamfisk/LittleProxy/tags
gradle 3.1 BuildRequires
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1548290
Bug ID: 1548290
Summary: CVE-2018-1304 tomcat: Incorrect handling of empty
string URL in security constraints can lead to
unitended exposure of resources [fedora-all]
Product: Fedora
Version: 27
Component: tomcat
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: ivan.afonichev(a)gmail.com
Reporter: sfowler(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com, csutherl(a)redhat.com,
ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, me(a)coolsvap.net
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1548291
Bug ID: 1548291
Summary: CVE-2018-1304 tomcat: Incorrect handling of empty
string URL in security constraints can lead to
unitended exposure of resources [epel-all]
Product: Fedora EPEL
Version: epel7
Component: tomcat
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: ivan.afonichev(a)gmail.com
Reporter: sfowler(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com, csutherl(a)redhat.com,
ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, me(a)coolsvap.net
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL. While
only one tracking bug has been filed, please correct all affected versions
at the same time. If you need to fix the versions independent of each
other, you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1298915
Bug ID: 1298915
Summary: fop-2.1 is available
Product: Fedora
Version: rawhide
Component: fop
Keywords: FutureFeature, Triaged
Assignee: r.landmann(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: c.david86(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com, rhbugs(a)n-dimensional.de,
r.landmann(a)redhat.com
Latest upstream release: 2.1
Current version/release in rawhide: 2.0-2.fc24
URL: http://archive.apache.org/dist/xmlgraphics/fop/source/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1565926
Bug ID: 1565926
Summary: CVE-2018-1274 spring-data-commons: Unlimite path
depths in PropertyPath.java allow remote attackers to
cause a denial of service
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: dffrench(a)redhat.com, drusso(a)redhat.com,
hghasemb(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jmadigan(a)redhat.com, jshepherd(a)redhat.com,
lgriffin(a)redhat.com, ngough(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rrajasek(a)redhat.com, tjay(a)redhat.com,
trepel(a)redhat.com
Blocks: 1565924
Spring Data Commons, versions 1.13 to 1.13.10 and 2.0 to 2.0.5, contain a
property path parser vulnerability caused by unlimited resource allocation. An
unauthenticated remote malicious user (or attacker) can issue requests against
Spring Data REST endpoints or endpoints using property path parsing which can
cause a denial of service (CPU and memory consumption).
External References:
https://pivotal.io/security/cve-2018-1274
Upstream Issue:
https://jira.spring.io/browse/DATACMNS-1285
Upstream Patches:
https://github.com/spring-projects/spring-data-commons/commit/371f6590c509c…https://github.com/spring-projects/spring-data-commons/commit/3d8576fe4e4e7…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1565923
Bug ID: 1565923
Summary: CVE-2018-1273 spring-data-commons: Improper
neutralization of special elements allow remote
attackers to execute code via crafted requests
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: urgent
Priority: urgent
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: dffrench(a)redhat.com, drusso(a)redhat.com,
hghasemb(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jmadigan(a)redhat.com, jshepherd(a)redhat.com,
lgriffin(a)redhat.com, ngough(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rrajasek(a)redhat.com, tjay(a)redhat.com,
trepel(a)redhat.com
Spring Data Commons, versions 1.13 to 1.13.10 and 2.0 to 2.0.5, , contain a
property binder vulnerability caused by improper neutralization of special
elements. An unauthenticated remote malicious user (or attacker) can supply
specially crafted request parameters against Spring Data REST backed HTTP
resources or using Spring Data’s projection-based request payload binding hat
can lead to a remote code execution attack.
External References:
https://pivotal.io/security/cve-2018-1273
Upstream Issue:
https://jira.spring.io/browse/DATACMNS-1282
Upstream Patches:
https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a6…https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1418731
Bug ID: 1418731
Summary: CVE-2017-2613 jenkins: User creation CSRF using GET by
admins (SECURITY-406)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
tdawson(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
When administrators accessed a URL like /user/example via HTTP GET, a user with
the ID example was created if it did not exist. While this user record was only
retained until restart in most cases, administrators' web browsers could be
manipulated to create a large number of user records.
Accessing these URLs now no longer results in a user record getting created,
Jenkins will respond with 404 Not Found if no such user exists. When using the
internal Jenkins user database, new users can be created via Manage Jenkins »
Manage Users. To restore the previous (unsafe) behavior, set the system
property hudson.model.User.allowUserCreationViaUrl to true as described on
Features controlled by system properties.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017…
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1418711
Bug ID: 1418711
Summary: CVE-2017-2602 jenkins: Pipeline metadata files not
blacklisted in agent-to-master security subsystem
(SECURITY-358)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
tdawson(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
The Pipeline suite of plugins stored build metadata in the file program.dat and
the directory workflow/. These were not blacklisted in the agent-to-master
security subsystem and could therefore be written to by malicious agents.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017…
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/414ff7e30aba66bed18c4ee8a8660fb…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1529312
Bug ID: 1529312
Summary: CVE-2017-17810 nasm: Segfault via mishandled macro
calls in asm/preproc.c
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
In Netwide Assembler (NASM) 2.14rc0, there is a "SEGV on unknown address" that
will cause a denial of service attack, because asm/preproc.c mishandles macro
calls that have the wrong number of arguments.
Upstream bug:
https://bugzilla.nasm.us/show_bug.cgi?id=3392431
Upstream patch:
http://repo.or.cz/nasm.git/commit/59ce1c67b16967c652765e62aa130b7e43f21dd4
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1524945
Bug ID: 1524945
Summary: jenkins-plugin-script-security: Arbitrary file read
vulnerability in Script Security Plugin (SECURITY-663)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Users with the ability to configure sandboxed Groovy and Pipeline scripts,
including those from SCM, are able to use a type coercion feature in Groovy to
create new File objects from strings. This allowed reading arbitrary files on
the Jenkins master file system.
Affected versions: Script Security Plugin up to and including 1.36
External References:
https://jenkins.io/security/advisory/2017-12-11/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Bug ID: 1459158
Summary: CVE-2017-5664 tomcat: Security constrained bypass in
error page mechanism
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: aileenc(a)redhat.com, alee(a)redhat.com,
apintea(a)redhat.com, bkundal(a)redhat.com,
bmaxwell(a)redhat.com, ccoleman(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dedgar(a)redhat.com, dimitris(a)redhat.com,
dmcphers(a)redhat.com, dosoudil(a)redhat.com,
felias(a)redhat.com, fgavrilo(a)redhat.com,
gvarsami(a)redhat.com, gzaronik(a)redhat.com,
hchiorea(a)redhat.com, hhorak(a)redhat.com,
ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jclere(a)redhat.com,
jcoleman(a)redhat.com, jdoyle(a)redhat.com,
jgoulding(a)redhat.com, joelsmith(a)redhat.com,
jolee(a)redhat.com, jondruse(a)redhat.com,
jorton(a)redhat.com, jshepherd(a)redhat.com,
kconner(a)redhat.com, krzysztof.daniel(a)gmail.com,
ldimaggi(a)redhat.com, lgao(a)redhat.com,
loleary(a)redhat.com, mbabacek(a)redhat.com,
me(a)coolsvap.net, mizdebsk(a)redhat.com,
myarboro(a)redhat.com, nwallace(a)redhat.com,
pavelp(a)redhat.com, pgier(a)redhat.com,
pjurak(a)redhat.com, ppalaga(a)redhat.com,
psakar(a)redhat.com, pslavice(a)redhat.com,
rnetuka(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rwagner(a)redhat.com,
spinder(a)redhat.com, sstavrev(a)redhat.com,
tcunning(a)redhat.com, theute(a)redhat.com,
tkirby(a)redhat.com, trick(a)vanstaveren.us,
twalsh(a)redhat.com, vhalbert(a)redhat.com,
vtunka(a)redhat.com, weli(a)redhat.com
The error page mechanism of the Java Servlet Specification requires that, when
an error occurs and an error page is configured for the error that occurred,
the original request and response are forwarded to the error page. This means
that the request is presented to the error page with the original HTTP method.
If the error page is a static file, expected behaviour is to serve content of
the file as if processing a GET request, regardless of the actual HTT method.
Tomcat's Default Servlet did not do this. Depending on the original request
this could lead to unexpected and undesirable results for static error pages
including, if the DefaultServlet is configured to permit writes, the
replacement or removal of the custom error page.
Affects: 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14
Upstream fixes:
Tomcat 7.x:
https://svn.apache.org/viewvc?view=revision&revision=1793471https://svn.apache.org/viewvc?view=revision&revision=1793491
Tomcat 8.0.x:
https://svn.apache.org/viewvc?view=revision&revision=1793470https://svn.apache.org/viewvc?view=revision&revision=1793489
Tomcat 8.5.x:
https://svn.apache.org/viewvc?view=revision&revision=1793469https://svn.apache.org/viewvc?view=revision&revision=1793488
External References:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.15
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1508129
Bug ID: 1508129
Summary: CVE-2016-5004 xmlrpc: XSS in Content-Encoding HTTP
header of xmlrpc
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abhgupta(a)redhat.com, bmcclain(a)redhat.com,
dbhole(a)redhat.com, dblechte(a)redhat.com,
dwalluck(a)redhat.com, eedri(a)redhat.com,
hhorak(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, krzysztof.daniel(a)gmail.com,
kseifried(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, puntogil(a)libero.it,
sbonazzo(a)redhat.com, sherold(a)redhat.com,
sochotni(a)redhat.com, tiwillia(a)redhat.com,
ykaul(a)redhat.com, ylavi(a)redhat.com
The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache
Archiva allows remote attackers to cause a denial of service (resource
consumption) by decompressing a large file containing zeroes.
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1238245
Bug ID: 1238245
Summary: maven-ear-plugin-2.10.1 is available
Product: Fedora
Version: rawhide
Component: maven-ear-plugin
Keywords: FutureFeature, Triaged
Assignee: huwang(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: huwang(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org
Latest upstream release: 2.10.1
Current version/release in rawhide: 2.10-2.fc23
URL: http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-ear-plugin/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=noRQkekdeg&a=cc_unsubscribe
https://bugzilla.redhat.com/show_bug.cgi?id=1444759
Bug ID: 1444759
Summary: CVE-2017-3523 mysql-connector-java: Connector/J
unspecified vulnerability (CPU Apr 2017)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, aileenc(a)redhat.com,
avibelli(a)redhat.com, chazlett(a)redhat.com,
coneill(a)redhat.com, databases-maint(a)redhat.com,
gsterlin(a)redhat.com, gvarsami(a)redhat.com,
hhorak(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jbalunas(a)redhat.com, jcoleman(a)redhat.com,
jshepherd(a)redhat.com, kconner(a)redhat.com,
kseifried(a)redhat.com, ldimaggi(a)redhat.com,
mmuzila(a)redhat.com, mschorm(a)redhat.com,
nwallace(a)redhat.com, puntogil(a)libero.it,
rrajasek(a)redhat.com, rwagner(a)redhat.com,
tcunning(a)redhat.com, tiwillia(a)redhat.com,
tjay(a)redhat.com, tkirby(a)redhat.com, xjakub(a)fi.muni.cz
Blocks: 1444415
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent:
Connector/J). Supported versions that are affected are 5.1.40 and eariler.
Difficult to exploit vulnerability allows low privileged attacker with network
access via multiple protocols to compromise MySQL Connectors. While the
vulnerability is in MySQL Connectors, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result in
takeover of MySQL Connectors.
External References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1444406
Bug ID: 1444406
Summary: CVE-2017-3586 mysql-connector-java: Connector/J
unspecified vulnerability (CPU Apr 2017)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, aileenc(a)redhat.com,
avibelli(a)redhat.com, chazlett(a)redhat.com,
coneill(a)redhat.com, databases-maint(a)redhat.com,
gsterlin(a)redhat.com, gvarsami(a)redhat.com,
hhorak(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jbalunas(a)redhat.com, jcoleman(a)redhat.com,
jshepherd(a)redhat.com, kconner(a)redhat.com,
kseifried(a)redhat.com, ldimaggi(a)redhat.com,
mmuzila(a)redhat.com, mschorm(a)redhat.com,
nwallace(a)redhat.com, puntogil(a)libero.it,
rrajasek(a)redhat.com, rwagner(a)redhat.com,
tcunning(a)redhat.com, tiwillia(a)redhat.com,
tjay(a)redhat.com, tkirby(a)redhat.com, xjakub(a)fi.muni.cz
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent:
Connector/J). Supported versions that are affected are 5.1.41 and earlier.
Easily exploitable vulnerability allows low privileged attacker with network
access via multiple protocols to compromise MySQL Connectors. While the
vulnerability is in MySQL Connectors, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of MySQL Connectors
accessible data as well as unauthorized read access to a subset of MySQL
Connectors accessible data.
External References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1444407
Bug ID: 1444407
Summary: CVE-2017-3589 mysql-connector-java: Connector/J
unspecified vulnerability (CPU Apr 2017)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, aileenc(a)redhat.com,
avibelli(a)redhat.com, chazlett(a)redhat.com,
coneill(a)redhat.com, databases-maint(a)redhat.com,
gsterlin(a)redhat.com, gvarsami(a)redhat.com,
hhorak(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jbalunas(a)redhat.com, jcoleman(a)redhat.com,
jshepherd(a)redhat.com, kconner(a)redhat.com,
kseifried(a)redhat.com, ldimaggi(a)redhat.com,
mmuzila(a)redhat.com, mschorm(a)redhat.com,
nwallace(a)redhat.com, puntogil(a)libero.it,
rrajasek(a)redhat.com, rwagner(a)redhat.com,
tcunning(a)redhat.com, tiwillia(a)redhat.com,
tjay(a)redhat.com, tkirby(a)redhat.com, xjakub(a)fi.muni.cz
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent:
Connector/J). Supported versions that are affected are 5.1.41 and earlier.
Easily exploitable vulnerability allows low privileged attacker with logon to
the infrastructure where MySQL Connectors executes to compromise MySQL
Connectors. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of MySQL Connectors accessible data.
External References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1291292
Bug ID: 1291292
Summary: CVE-2015-5254 activemq: unsafe deserialization
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abhgupta(a)redhat.com, agrimm(a)redhat.com,
aileenc(a)redhat.com, ccoleman(a)redhat.com,
chazlett(a)redhat.com, dmcphers(a)redhat.com,
gvarsami(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jcoleman(a)redhat.com, jialiu(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
ldimaggi(a)redhat.com, lmeyer(a)redhat.com,
mmccomas(a)redhat.com, nwallace(a)redhat.com,
pavelp(a)redhat.com, puntogil(a)libero.it,
rwagner(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com, s(a)shk.io,
tcunning(a)redhat.com, tdawson(a)redhat.com,
tiwillia(a)redhat.com, tkirby(a)redhat.com
JMS Object messages depends on Java Serialization for marshaling/unmashaling of
the message payload. There are a couple of places inside the broker where
deserialization can occur, like web console or stomp object message
transformation. As deserialization of untrusted data can leaed to security
flaws as demonstrated in various reports, this leaves the broker vunerable to
this attack vector. Additionally, applications that consume ObjectMessage type
of messages can be vunerable as they deserlize objects on
ObjectMessage.getObject() calls.
This issue was fixed upstream in Apache ActiveMQ 5.13.0. Additionally, when
using ObjectMessage message type, you need to explicitly list trusted packages.
To see how to do that, please take a look at:
http://activemq.apache.org/objectmessage.html
External References:
http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcem…
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=gmTDQZJf60&a=cc_unsubscribe
https://bugzilla.redhat.com/show_bug.cgi?id=1538333
Bug ID: 1538333
Summary: CVE-2018-5968 jackson-databind: unsafe deserialization
due to incomplete blacklist (incomplete fix for the
CVE-2017-7525 and CVE-2017-17485) [fedora-all]
Product: Fedora
Version: 27
Component: jackson-databind
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: puntogil(a)libero.it
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1418717
Bug ID: 1418717
Summary: CVE-2017-2606 jenkins: Internal API allowed access to
item names that should not be visible (SECURITY-380)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
tdawson(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
The method Jenkins#getItems() included a performance optimization that resulted
in all items being returned if the Logged in users can do anything
authorization strategy was used, and no access was granted to anonymous users
(an option added in Jenkins 2.0). This only affects anonymous users (other
users legitimately have access) that were able to get a list of items via an
UnprotectedRootAction.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017…
Upstream patch:
https://github.com/jenkinsci/jenkins/commit/09cfbc9cd5c9df7c763bc976b7f5c51…
--
You are receiving this mail because:
You are on the CC list for the bug.