April 2018 - java-sig-commits - Fedora mailing-lists

[Bug 1493189] New: CVE-2017-14228 nasm: NULL pointer dereference in the paste_tokens function
by bugzilla＠redhat.com 03 May '18

03 May '18

https://bugzilla.redhat.com/show_bug.cgi?id=1493189 Bug ID: 1493189 Summary: CVE-2017-14228 nasm: NULL pointer dereference in the paste_tokens function Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will lead to a denial of service. Upstream issue: https://bugzilla.nasm.us/show_bug.cgi?id=3392423 -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1493190] New: CVE-2017-14228 nasm: NULL pointer dereference in the paste_tokens function [fedora-all]
by bugzilla＠redhat.com 03 May '18

03 May '18

https://bugzilla.redhat.com/show_bug.cgi?id=1493190 Bug ID: 1493190 Summary: CVE-2017-14228 nasm: NULL pointer dereference in the paste_tokens function [fedora-all] Product: Fedora Version: 26 Component: nasm Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: mizdebsk(a)redhat.com Reporter: anemec(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1541043] New: [specfile] Use 'urw-base35-fonts' requirement instead of 'urw-fonts'
by bugzilla＠redhat.com 02 May '18

02 May '18

https://bugzilla.redhat.com/show_bug.cgi?id=1541043 Bug ID: 1541043 Summary: [specfile] Use 'urw-base35-fonts' requirement instead of 'urw-fonts' Product: Fedora Version: rawhide Component: pdf-renderer Keywords: Bugfix, EasyFix, Patch Severity: medium Priority: medium Assignee: puntogil(a)libero.it Reporter: dkaspar(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jochen(a)herr-schmitt.de, oget.fedora(a)gmail.com, puntogil(a)libero.it Blocks: 1494563 Description of problem: The 'urw-fonts' package is now obsolete and has been replaced with new 'urw-base35-fonts', which is being kept up-to-date. 'urw-fonts' will be dropped at the end-of-life of Fedora 27. Please, update your specfile and make sure your package builds/works properly with new version of the (URW)++ fonts. In case you find some problem, open a new BZ for your component and put me into CC so I try to help you deal with that issue. Thank you! :) -------------------------------------------------------------------- Associated pull-request: https://src.fedoraproject.org/rpms/pdf-renderer/pull-request/1 Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1494563 [Bug 1494563] [Tracking BZ] Update specfiles to use 'urw-base35-fonts' instead of 'urw-fonts' -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1557507] New: tomcat-9.0.6 is available
by bugzilla＠redhat.com 01 May '18

01 May '18

https://bugzilla.redhat.com/show_bug.cgi?id=1557507 Bug ID: 1557507 Summary: tomcat-9.0.6 is available Product: Fedora Version: rawhide Component: tomcat Keywords: FutureFeature, Triaged Assignee: ivan.afonichev(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, csutherl(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com, me(a)coolsvap.net Latest upstream release: 9.0.6 Current version/release in rawhide: 8.5.29-1.fc29 URL: http://tomcat.apache.org/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/17032/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1572708] New: NPE when running tests on JDK 10
by bugzilla＠redhat.com 30 Apr '18

30 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1572708 Bug ID: 1572708 Summary: NPE when running tests on JDK 10 Product: Fedora Version: 28 Component: maven-surefire Assignee: mizdebsk(a)redhat.com Reporter: sgehwolf(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, dbhole(a)redhat.com, jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com, sochotni(a)redhat.com Description of problem: Running any tests on surefire 2.20 with JDK 10 results in NPE. See: https://issues.apache.org/jira/browse/SUREFIRE-1439 This causes a build failure of trying to build byteman 4.0.2 in fedora: https://koji.fedoraproject.org/koji/taskinfo?taskID=26592984 Byteman 4.x needs JDK 9+ to build for modular JDK support. Version-Release number of selected component (if applicable): maven-surefire-2.20.1-3.fc28 How reproducible: 100% Steps to Reproduce: 1. Rebuild srpm from task above. (may need some build overrides: java-openjdk-10.0.1.10-2.fc28, xmvn-3.0.0-15.fc28) Actual results: NPE and build failure. Expected results: Build proceeds. Additional info: In a local mock I got this detail trace: [ERROR] Failed to execute goal org.apache.maven.plugins:maven-failsafe-plugin:2.20.1:integration-test (javaops.TestArithmetic) on project byteman-agent: Execution javaops.TestArithmetic of goal org.apache.maven.plugins:maven-failsafe-plugin:2.20.1:integration-test failed. NullPointerException -> [Help 1] org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-failsafe-plugin:2.20.1:integration-test (javaops.TestArithmetic) on project byteman-agent: Execution javaops.TestArithmetic of goal org.apache.maven.plugins:maven-failsafe-plugin:2.20.1:integration-test failed. at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:51) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:309) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:194) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:107) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:955) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:290) at org.apache.maven.cli.MavenCli.main (MavenCli.java:194) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:564) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356) Caused by: org.apache.maven.plugin.PluginExecutionException: Execution javaops.TestArithmetic of goal org.apache.maven.plugins:maven-failsafe-plugin:2.20.1:integration-test failed. at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:145) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:51) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:309) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:194) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:107) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:955) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:290) at org.apache.maven.cli.MavenCli.main (MavenCli.java:194) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:564) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356) Caused by: java.lang.NullPointerException at org.apache.maven.surefire.shade.org.apache.commons.lang3.SystemUtils.isJavaVersionAtLeast (SystemUtils.java:1642) at org.apache.maven.plugin.surefire.AbstractSurefireMojo.getEffectiveJvm (AbstractSurefireMojo.java:2107) at org.apache.maven.plugin.surefire.AbstractSurefireMojo.getForkConfiguration (AbstractSurefireMojo.java:1976) at org.apache.maven.plugin.surefire.AbstractSurefireMojo.executeProvider (AbstractSurefireMojo.java:1111) at org.apache.maven.plugin.surefire.AbstractSurefireMojo.executeAfterPreconditionsChecked (AbstractSurefireMojo.java:954) at org.apache.maven.plugin.surefire.AbstractSurefireMojo.execute (AbstractSurefireMojo.java:832) at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:134) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:51) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:309) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:194) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:107) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:955) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:290) at org.apache.maven.cli.MavenCli.main (MavenCli.java:194) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62) at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke (Method.java:564) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356) [ERROR] [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException [ERROR] [ERROR] After correcting the problems, you can resume the build with the command [ERROR] mvn <goals> -rf :byteman-agent Note this is not an issue in maven surefire plugin 2.21 as it's been fixed there. -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1567453] New: jetty-9.4.10.RC0 is available
by bugzilla＠redhat.com 30 Apr '18

30 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1567453 Bug ID: 1567453 Summary: jetty-9.4.10.RC0 is available Product: Fedora Version: rawhide Component: jetty Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, sochotni(a)redhat.com Latest upstream release: 9.4.10.RC0 Current version/release in rawhide: 9.4.9-2.v20180320.fc29 URL: http://www.eclipse.org/jetty Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1447/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1556207] New: ecc-25519-java: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1556207 Bug ID: 1556207 Summary: ecc-25519-java: FTBFS in F28 Product: Fedora Version: 28 Component: ecc-25519-java Assignee: puntogil(a)libero.it Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Blocks: 1555378 Your package ecc-25519-java failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24875581 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1555711] New: eclipse-m2e-antlr: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1555711 Bug ID: 1555711 Summary: eclipse-m2e-antlr: FTBFS in F28 Product: Fedora Version: 28 Component: eclipse-m2e-antlr Assignee: mizdebsk(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Blocks: 1555378 Your package eclipse-m2e-antlr failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24781982 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1555718] New: eclipse-m2e-tycho: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1555718 Bug ID: 1555718 Summary: eclipse-m2e-tycho: FTBFS in F28 Product: Fedora Version: 28 Component: eclipse-m2e-tycho Assignee: mizdebsk(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Blocks: 1555378 Your package eclipse-m2e-tycho failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24782045 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1555715] New: eclipse-m2e-modello: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1555715 Bug ID: 1555715 Summary: eclipse-m2e-modello: FTBFS in F28 Product: Fedora Version: 28 Component: eclipse-m2e-modello Assignee: mizdebsk(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Blocks: 1555378 Your package eclipse-m2e-modello failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24782015 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1555714] New: eclipse-m2e-mavendev: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1555714 Bug ID: 1555714 Summary: eclipse-m2e-mavendev: FTBFS in F28 Product: Fedora Version: 28 Component: eclipse-m2e-mavendev Assignee: mizdebsk(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Blocks: 1555378 Your package eclipse-m2e-mavendev failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24782012 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1555712] New: eclipse-m2e-cxf: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1555712 Bug ID: 1555712 Summary: eclipse-m2e-cxf: FTBFS in F28 Product: Fedora Version: 28 Component: eclipse-m2e-cxf Assignee: mizdebsk(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Blocks: 1555378 Your package eclipse-m2e-cxf failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24781997 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1555713] New: eclipse-m2e-egit: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1555713 Bug ID: 1555713 Summary: eclipse-m2e-egit: FTBFS in F28 Product: Fedora Version: 28 Component: eclipse-m2e-egit Assignee: mizdebsk(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Blocks: 1555378 Your package eclipse-m2e-egit failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24782000 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1555716] New: eclipse-m2e-sourcelookup: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1555716 Bug ID: 1555716 Summary: eclipse-m2e-sourcelookup: FTBFS in F28 Product: Fedora Version: 28 Component: eclipse-m2e-sourcelookup Assignee: mizdebsk(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Blocks: 1555378 Your package eclipse-m2e-sourcelookup failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24782034 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1556210] New: eclipse-m2e-sisu: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1556210 Bug ID: 1556210 Summary: eclipse-m2e-sisu: FTBFS in F28 Product: Fedora Version: 28 Component: eclipse-m2e-sisu Assignee: mizdebsk(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Blocks: 1555378 Your package eclipse-m2e-sisu failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24875591 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1556209] New: eclipse-m2e-plexus: FTBFS in F28
by bugzilla＠redhat.com 29 Apr '18

29 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1556209 Bug ID: 1556209 Summary: eclipse-m2e-plexus: FTBFS in F28 Product: Fedora Version: 28 Component: eclipse-m2e-plexus Assignee: mizdebsk(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Blocks: 1555378 Your package eclipse-m2e-plexus failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24875587 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1530012] New: maven-site-plugin-3.7 is available
by bugzilla＠redhat.com 28 Apr '18

28 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1530012 Bug ID: 1530012 Summary: maven-site-plugin-3.7 is available Product: Fedora Version: rawhide Component: maven-site-plugin Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Latest upstream release: 3.7 Current version/release in rawhide: 3.6-3.fc27 URL: http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-site-plugin/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1937/ -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1340386] New: CVE-2016-4434 tika: XML External Entity vulnerability
by Red Hat Bugzilla 28 Apr '18

28 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1340386 Bug ID: 1340386 Summary: CVE-2016-4434 tika: XML External Entity vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: alazarot(a)redhat.com, aszczucz(a)redhat.com, bdawidow(a)redhat.com, bgollahe(a)redhat.com, bkearney(a)redhat.com, brms-jira(a)redhat.com, chazlett(a)redhat.com, epp-bugs(a)redhat.com, etirelli(a)redhat.com, felias(a)redhat.com, hchiorea(a)redhat.com, hfnukal(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, kanderso(a)redhat.com, lpetrovi(a)redhat.com, mbaluch(a)redhat.com, meissner(a)suse.de, mweiler(a)redhat.com, mwinkler(a)redhat.com, nwallace(a)redhat.com, ohudlick(a)redhat.com, pavelp(a)redhat.com, puntogil(a)libero.it, rrajasek(a)redhat.com, rzhang(a)redhat.com, rzima(a)redhat.com, taw(a)redhat.com, theute(a)redhat.com, thomas(a)suse.de, tkasparek(a)redhat.com, tkirby(a)redhat.com, tlestach(a)redhat.com, vhalbert(a)redhat.com Apache Tika parses XML within numerous file formats. In some instances, such as spreadsheets in OOXML files, XMP in PDF, and other file formats, the initialization of the XML parser or the choice of handlers did not protect against XML External Entity (XXE) vulnerabilities. References: http://seclists.org/oss-sec/2016/q2/413 -- You are receiving this mail because: You are on the CC list for the bug.

2 28

[Bug 1340387] New: CVE-2016-4434 tika: XML External Entity vulnerability [ fedora-all]
by Red Hat Bugzilla 28 Apr '18

28 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1340387 Bug ID: 1340387 Summary: CVE-2016-4434 tika: XML External Entity vulnerability [fedora-all] Product: Fedora Version: 23 Component: tika Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: puntogil(a)libero.it Reporter: anemec(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Blocks: 1340386 (CVE-2016-4434) This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. [bug automatically created by: add-tracking-bugs] Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1340386 [Bug 1340386] CVE-2016-4434 tika: XML External Entity vulnerability -- You are receiving this mail because: You are on the CC list for the bug.

2 22

[Bug 1394156] CVE-2016-6809 tika: Native deserialization of Java objects in matlab files
by bugzilla＠redhat.com 28 Apr '18

28 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1394156 Bug 1394156 depends on bug 1394157, which changed state. Bug 1394157 Summary: CVE-2016-6809 tika: Native deserialization of Java objects in matlab files [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1394157 What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1394157] New: CVE-2016-6809 tika: Native deserialization of Java objects in matlab files [fedora-all]
by Red Hat Bugzilla 28 Apr '18

28 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1394157 Bug ID: 1394157 Summary: CVE-2016-6809 tika: Native deserialization of Java objects in matlab files [fedora-all] Product: Fedora Version: 24 Component: tika Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: puntogil(a)libero.it Reporter: amaris(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Blocks: 1394156 (CVE-2016-6809) This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. [bug automatically created by: add-tracking-bugs] Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1394156 [Bug 1394156] CVE-2016-6809 tika: Native deserialization of Java objects in matlab files -- You are receiving this mail because: You are on the CC list for the bug.

2 10

[Bug 1572463] CVE-2017-15691 uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code
by bugzilla＠redhat.com 27 Apr '18

27 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1572463 --- Comment #3 from Kurt Seifried <kseifried(a)redhat.com> --- Statement: This issue affects the versions of lucene (which contains an embedded copy of uima) as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not include lucene and are not vulnerable to this issue. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1572463] CVE-2017-15691 uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code
by bugzilla＠redhat.com 27 Apr '18

27 Apr '18

1 0

[Bug 1572418] New: CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers [fedora-all]
by bugzilla＠redhat.com 27 Apr '18

27 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1572418 Bug ID: 1572418 Summary: CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers [fedora-all] Product: Fedora Version: 27 Component: tika Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: puntogil(a)libero.it Reporter: sfowler(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1572463] CVE-2017-15691 uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code
by bugzilla＠redhat.com 27 Apr '18

27 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1572463 Sam Fowler <sfowler(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1572467 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1572463] CVE-2017-15691 uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code
by bugzilla＠redhat.com 27 Apr '18

27 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1572463 Sam Fowler <sfowler(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1572465, 1572464 --- Comment #1 from Sam Fowler <sfowler(a)redhat.com> --- Created uimaj tracking bugs for this issue: Affects: fedora-all [bug 1572464] Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1572464 [Bug 1572464] CVE-2017-15691 uimaj: uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code [fedora-all] -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1555596] New: apache-commons-primitives: FTBFS in F28
by bugzilla＠redhat.com 27 Apr '18

27 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1555596 Bug ID: 1555596 Summary: apache-commons-primitives: FTBFS in F28 Product: Fedora Version: 28 Component: apache-commons-primitives Assignee: puntogil(a)libero.it Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Blocks: 1555378 Your package apache-commons-primitives failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24767145 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1396487] New: pdfbox-2.0.3 is available
by Red Hat Bugzilla 27 Apr '18

27 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1396487 Bug ID: 1396487 Summary: pdfbox-2.0.3 is available Product: Fedora Version: rawhide Component: pdfbox Assignee: puntogil(a)libero.it Reporter: puntogil(a)libero.it QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, orion(a)cora.nwra.com, puntogil(a)libero.it Latest upstream release: 2.0.3 Current version/release in rawhide: 1.8.12-2.fc26 URL: http://www.apache.org/dist/pdfbox/ Used by Apache Tika >= 1.13 -- You are receiving this mail because: You are on the CC list for the bug.

2 7

[Bug 1556537] New: weld-core: FTBFS in F28
by bugzilla＠redhat.com 27 Apr '18

27 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1556537 Bug ID: 1556537 Summary: weld-core: FTBFS in F28 Product: Fedora Version: 28 Component: weld-core Assignee: mgoldman(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, mgoldman(a)redhat.com, puntogil(a)libero.it Blocks: 1555378 Your package weld-core failed to build from source in current F28. https://koji.fedoraproject.org/koji/taskinfo?taskID=24902172 For details on mass rebuild see https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1555378 [Bug 1555378] (F28FTBFS) Fedora 28 Mass Rebuild FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1539990] New: CVE-2017-12626 apache-poi: poi: Parsing of multiple file types can cause a denial of service via infinite loop or out of memory exception [fedora-all]
by bugzilla＠redhat.com 27 Apr '18

27 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1539990 Bug ID: 1539990 Summary: CVE-2017-12626 apache-poi: poi: Parsing of multiple file types can cause a denial of service via infinite loop or out of memory exception [fedora-all] Product: Fedora Version: 27 Component: apache-poi Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: mat.booth(a)redhat.com Reporter: sfowler(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, mat.booth(a)redhat.com This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1443585] New: CVE-2017-5661 fop: XML external entity processing vulnerability
by bugzilla＠redhat.com 26 Apr '18

26 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1443585 Bug ID: 1443585 Summary: CVE-2017-5661 fop: XML external entity processing vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: bmcclain(a)redhat.com, c.david86(a)gmail.com, dblechte(a)redhat.com, eedri(a)redhat.com, gklein(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, lsurette(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, rbalakri(a)redhat.com, rhbugs(a)n-dimensional.de, Rhev-m-bugs(a)redhat.com, r.landmann(a)redhat.com, sbonazzo(a)redhat.com, sherold(a)redhat.com, srevivo(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. References: https://xmlgraphics.apache.org/security.html http://seclists.org/oss-sec/2017/q2/86 -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 1443592] New: CVE-2017-5662 batik: XML external entity processing vulnerability
by bugzilla＠redhat.com 26 Apr '18

26 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1443592 Bug ID: 1443592 Summary: CVE-2017-5662 batik: XML external entity processing vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: bmcclain(a)redhat.com, c.david86(a)gmail.com, dblechte(a)redhat.com, eedri(a)redhat.com, hhorak(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jorton(a)redhat.com, jvanek(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, sbonazzo(a)redhat.com, sherold(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. References: https://xmlgraphics.apache.org/security.html http://seclists.org/oss-sec/2017/q2/85 -- You are receiving this mail because: You are on the CC list for the bug.

1 19

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

1 0

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1550671 --- Comment #7 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:1251 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1251 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 --- Comment #29 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:1251 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1550671 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1249 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1550671 --- Comment #6 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1249 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1249 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 --- Comment #28 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1249 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1550671 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1247 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1550671 --- Comment #5 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1247 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1247 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 --- Comment #27 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1247 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1550671 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1248 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1550671 --- Comment #4 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1248 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1248 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 --- Comment #26 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1248 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

1 0

[Bug 1550671] CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ( incomplete fix of CVE-2016-4993)
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

1 0

[Bug 1570495] New: CVE-2018-10254 nasm: Stack-based buffer over-read in disasm/disasm.c:disasm() can allow attackers to cause a denial of service
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1570495 Bug ID: 1570495 Summary: CVE-2018-10254 nasm: Stack-based buffer over-read in disasm/disasm.c:disasm() can allow attackers to cause a denial of service Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Netwide Assembler (nasm) through version 2.13 is vulnerable to a stack-based buffer over-read in the disasm/disasm.c:disasm() function. An attacker could exploit this to cause a crash or other unspecified impact via a crafted ELF file. Upstream Issue: https://sourceforge.net/p/nasm/bugs/561/ -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1562174] New: New upstream version available
by bugzilla＠redhat.com 25 Apr '18

25 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1562174 Bug ID: 1562174 Summary: New upstream version available Product: Fedora Version: 27 Component: apache-commons-jcs Assignee: puntogil(a)libero.it Reporter: fedora(a)genodeftest.de QA Contact: extras-qa(a)fedoraproject.org CC: cedric.olivier(a)free.fr, java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Description of problem: Upstream has seen a few updates missing here. Version-Release number of selected component (if applicable): Upstream: 2.2 Fedora: 2.0 Beta 5/6 -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 977249] New: htmlcleaner-2.5 is available
by Red Hat Bugzilla 24 Apr '18

24 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=977249 Bug ID: 977249 Summary: htmlcleaner-2.5 is available Product: Fedora Version: rawhide Component: htmlcleaner Keywords: FutureFeature, Triaged Severity: unspecified Priority: unspecified Assignee: Marcin.Dulak(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: bjoern.esser(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, Marcin.Dulak(a)gmail.com Latest upstream release: 2.5 Current version/release in Fedora Rawhide: 2.2.1-2.fc20 URL: http://sourceforge.net/api/file/index/project-name/htmlcleaner/mtime/desc/l… Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=B0wPSZFa2g&a=cc_unsubscribe

2 46

[Bug 1508110] CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
by bugzilla＠redhat.com 24 Apr '18

24 Apr '18

1 0

[Bug 1465573] CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
by bugzilla＠redhat.com 24 Apr '18

24 Apr '18

1 0

[Bug 1465573] CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
by bugzilla＠redhat.com 24 Apr '18

24 Apr '18

1 0

[Bug 1464158] New: CVE-2017-9735 jetty: Timing channel attack in util/ security/Password.java
by bugzilla＠redhat.com 24 Apr '18

24 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1464158 Bug ID: 1464158 Summary: CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: eclipse-sig(a)lists.fedoraproject.org, hhorak(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jjohnstn(a)redhat.com, jorton(a)redhat.com, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com Jetty is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. Upstream issue: https://github.com/eclipse/jetty.project/issues/1556 Upstream patch: https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f… -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1570970] New: CVE-2018-5429 jasperreports: arbitrary code execution in analytic reports that contain scripting
by bugzilla＠redhat.com 23 Apr '18

23 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1570970 Bug ID: 1570970 Summary: CVE-2018-5429 jasperreports: arbitrary code execution in analytic reports that contain scripting Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: lpardo(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it, rhel8-maint(a)redhat.com A vulnerability in the report scripting component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, TIBCO Jaspersoft Studio Community Edition, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow analytic reports that contain scripting to perform arbitrary code execution. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2;6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO JasperReports Library: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.1; 6.4.2, TIBCO JasperReports Library Community Edition: versions up to and including 6.4.3, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2, TIBCO Jaspersoft Studio: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO Jaspersoft Studio Community Edition: versions up to and including 6.4.3, TIBCO Jaspersoft Studio for ActiveMatrix BPM: versions up to and including 6.4.2. References: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-ap… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1570973] New: CVE-2018-5430 jasperreports: read-only access to the contents of the web application for authenticated user
by bugzilla＠redhat.com 23 Apr '18

23 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1570973 Bug ID: 1570973 Summary: CVE-2018-5430 jasperreports: read-only access to the contents of the web application for authenticated user Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: lpardo(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it, rhel8-maint(a)redhat.com The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3;6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2. References: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-ap… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1570974] New: CVE-2018-5431 jasperreports: persisted cross-site scripting (XSS) in the context of a non-default permissions configuration
by bugzilla＠redhat.com 23 Apr '18

23 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1570974 Bug ID: 1570974 Summary: CVE-2018-5431 jasperreports: persisted cross-site scripting (XSS) in the context of a non-default permissions configuration Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: lpardo(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it, rhel8-maint(a)redhat.com The domain designer component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability which may allow, in the context of a non-default permissions configuration, persisted cross-site scripting (XSS) attacks. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3; 6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2. References: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-ap… -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1508110] CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
by bugzilla＠redhat.com 23 Apr '18

23 Apr '18

1 0

[Bug 1508110] CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
by bugzilla＠redhat.com 23 Apr '18

23 Apr '18

1 0

[Bug 1508110] CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
by bugzilla＠redhat.com 23 Apr '18

23 Apr '18

1 0

[Bug 1553565] New: spring-security: LdapUserDetailsManager.java: changePassword() allows for direct modificiation of user passwords, bypassing the security configuration
by bugzilla＠redhat.com 23 Apr '18

23 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1553565 Bug ID: 1553565 Summary: spring-security: LdapUserDetailsManager.java:changePassword() allows for direct modificiation of user passwords, bypassing the security configuration Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: aileenc(a)redhat.com, apevec(a)redhat.com, chazlett(a)redhat.com, chrisw(a)redhat.com, gvarsami(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jjoyce(a)redhat.com, jschluet(a)redhat.com, kbasil(a)redhat.com, kconner(a)redhat.com, ldimaggi(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, markmc(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, nwallace(a)redhat.com, nyechiel(a)redhat.com, pavelp(a)redhat.com, puntogil(a)libero.it, rbryant(a)redhat.com, rwagner(a)redhat.com, sclewis(a)redhat.com, slinaber(a)redhat.com, tcunning(a)redhat.com, tdecacqu(a)redhat.com, tkirby(a)redhat.com Spring Security through version 5.0.3, allows for direct modification of user passwords in the LdapUserDetailsManager.java:changePassword() function, which conflicts with RFC 3062 and allows for security configuration bypass. Upstream Issue: https://github.com/spring-projects/spring-security/issues/3392 -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1372129] New: CVE-2016-6348 RESTEasy: Use of JacksonJsonpInterceptor in RESTEasy can lead to Cross Site Script Inclusion attack
by Red Hat Bugzilla 20 Apr '18

20 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1372129 Bug ID: 1372129 Summary: CVE-2016-6348 RESTEasy: Use of JacksonJsonpInterceptor in RESTEasy can lead to Cross Site Script Inclusion attack Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: jshepherd(a)redhat.com CC: aileenc(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, aszczucz(a)redhat.com, bazulay(a)redhat.com, bbaranow(a)redhat.com, bdawidow(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmcclain(a)redhat.com, cbillett(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, csutherl(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dblechte(a)redhat.com, dosoudil(a)redhat.com, eedri(a)redhat.com, epp-bugs(a)redhat.com, etirelli(a)redhat.com, felias(a)redhat.com, fnasser(a)redhat.com, gklein(a)redhat.com, gvarsami(a)redhat.com, hchiorea(a)redhat.com, hfnukal(a)redhat.com, huwang(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jboss-set(a)redhat.com, jbpapp-maint(a)redhat.com, jcoleman(a)redhat.com, jdg-bugs(a)redhat.com, jmatthew(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jshepherd(a)redhat.com, katello-bugs(a)redhat.com, kconner(a)redhat.com, kseifried(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lpetrovi(a)redhat.com, lsurette(a)redhat.com, mbaluch(a)redhat.com, mgoldboi(a)redhat.com, mgoldman(a)redhat.com, miburman(a)redhat.com, michal.skrivanek(a)redhat.com, mmccune(a)redhat.com, mweiler(a)redhat.com, mwinkler(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, ohadlevy(a)redhat.com, oourfali(a)redhat.com, pavelp(a)redhat.com, pgier(a)redhat.com, pkliczew(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, puntogil(a)libero.it, rcernich(a)redhat.com, Rhev-m-bugs(a)redhat.com, rnetuka(a)redhat.com, rrajasek(a)redhat.com, rsvoboda(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, satellite6-bugs(a)redhat.com, sherold(a)redhat.com, soa-p-jira(a)post-office.corp.redhat.com, spinder(a)redhat.com, tcunning(a)redhat.com, theute(a)redhat.com, tjay(a)redhat.com, tkirby(a)redhat.com, tlestach(a)redhat.com, tomckay(a)redhat.com, tsanders(a)redhat.com, ttarrant(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com It was found that in some configurations the JacksonJsonpInterceptor is activated by default in RESTEasy. An attacker could use this flaw to launch a Cross Site Scripting Inclusion attack. -- You are receiving this mail because: You are on the CC list for the bug.

2 13

[Bug 1372117] New: CVE-2016-6345 RESTEasy: Insufficient use of random values in RESTEasy async jobs could lead to loss of data confidentiality
by Red Hat Bugzilla 20 Apr '18

20 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1372117 Bug ID: 1372117 Summary: CVE-2016-6345 RESTEasy: Insufficient use of random values in RESTEasy async jobs could lead to loss of data confidentiality Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: jshepherd(a)redhat.com CC: aileenc(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, aszczucz(a)redhat.com, bazulay(a)redhat.com, bbaranow(a)redhat.com, bdawidow(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmcclain(a)redhat.com, cbillett(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, csutherl(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dblechte(a)redhat.com, dosoudil(a)redhat.com, eedri(a)redhat.com, epp-bugs(a)redhat.com, etirelli(a)redhat.com, felias(a)redhat.com, fnasser(a)redhat.com, gklein(a)redhat.com, gvarsami(a)redhat.com, hchiorea(a)redhat.com, hfnukal(a)redhat.com, huwang(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jboss-set(a)redhat.com, jbpapp-maint(a)redhat.com, jcoleman(a)redhat.com, jdg-bugs(a)redhat.com, jmatthew(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jshepherd(a)redhat.com, katello-bugs(a)redhat.com, kconner(a)redhat.com, kseifried(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lpetrovi(a)redhat.com, lsurette(a)redhat.com, mbaluch(a)redhat.com, mgoldboi(a)redhat.com, mgoldman(a)redhat.com, miburman(a)redhat.com, michal.skrivanek(a)redhat.com, mmccune(a)redhat.com, mweiler(a)redhat.com, mwinkler(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, ohadlevy(a)redhat.com, oourfali(a)redhat.com, pavelp(a)redhat.com, pgier(a)redhat.com, pkliczew(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, puntogil(a)libero.it, rcernich(a)redhat.com, Rhev-m-bugs(a)redhat.com, rnetuka(a)redhat.com, rrajasek(a)redhat.com, rsvoboda(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, satellite6-bugs(a)redhat.com, sherold(a)redhat.com, soa-p-jira(a)post-office.corp.redhat.com, spinder(a)redhat.com, tcunning(a)redhat.com, theute(a)redhat.com, tjay(a)redhat.com, tkirby(a)redhat.com, tlestach(a)redhat.com, tomckay(a)redhat.com, tsanders(a)redhat.com, ttarrant(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com It was found that there was insufficient use of randam values in RESTEasy async jobs. An attacker could use this flaw to steal user data. -- You are receiving this mail because: You are on the CC list for the bug.

2 21

[Bug 1372124] CVE-2016-6347 RESTEasy: Use of the default exception handler in RESTEasy can lead to reflected XSS attack
by bugzilla＠redhat.com 20 Apr '18

20 Apr '18

1 0

[Bug 1372124] CVE-2016-6347 RESTEasy: Use of the default exception handler in RESTEasy can lead to reflected XSS attack
by bugzilla＠redhat.com 20 Apr '18

20 Apr '18

1 0

[Bug 1559663] New: xbean-4.7 is available
by bugzilla＠redhat.com 19 Apr '18

19 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1559663 Bug ID: 1559663 Summary: xbean-4.7 is available Product: Fedora Version: rawhide Component: xbean Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, sochotni(a)redhat.com Latest upstream release: 4.7 Current version/release in rawhide: 4.6-1.fc29 URL: http://repo2.maven.org/maven2/org/apache/xbean/xbean/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/5162/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1567675] New: jsoup-1.11.3 is available
by bugzilla＠redhat.com 19 Apr '18

19 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1567675 Bug ID: 1567675 Summary: jsoup-1.11.3 is available Product: Fedora Version: rawhide Component: jsoup Keywords: FutureFeature, Triaged Assignee: msimacek(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Latest upstream release: 1.11.3 Current version/release in rawhide: 1.11.2-2.fc28 URL: http://jsoup.org/download Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1479/ -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1564408] CVE-2018-1272 spring-framework: Multipart content pollution
by bugzilla＠redhat.com 19 Apr '18

19 Apr '18

1 0

[Bug 1340421] New: apache-poi-3.15-beta1-20160409 is available
by Red Hat Bugzilla 18 Apr '18

18 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1340421 Bug ID: 1340421 Summary: apache-poi-3.15-beta1-20160409 is available Product: Fedora Version: rawhide Component: apache-poi Assignee: mat.booth(a)redhat.com Reporter: puntogil(a)libero.it QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mat.booth(a)redhat.com, puntogil(a)libero.it Latest upstream release: 3.15-beta1-20160409 Current version/release in rawhide: 3.14-1.fc25 URL: http://www.apache.org/dist/poi/dev/src/ http://www.apache.org/dist/poi/release/src Please, consider upgrading -- You are receiving this mail because: You are on the CC list for the bug.

2 5

[Bug 1549276] CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
by bugzilla＠redhat.com 17 Apr '18

17 Apr '18

1 0

[Bug 1549276] CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
by bugzilla＠redhat.com 17 Apr '18

17 Apr '18

1 0

[Bug 1564408] CVE-2018-1272 spring-framework: Multipart content pollution
by bugzilla＠redhat.com 17 Apr '18

17 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1564408 Yasuhiro Ozone <yozone(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |yozone(a)redhat.com -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1443635] New: CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
by bugzilla＠redhat.com 16 Apr '18

16 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1443635 Bug ID: 1443635 Summary: CVE-2017-5645 log4j: Socket receiver deserialization vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: aileenc(a)redhat.com, alazarot(a)redhat.com, aortega(a)redhat.com, apevec(a)redhat.com, avibelli(a)redhat.com, ayoung(a)redhat.com, bkearney(a)redhat.com, bmcclain(a)redhat.com, cbillett(a)redhat.com, chazlett(a)redhat.com, chrisw(a)redhat.com, coneill(a)redhat.com, csutherl(a)redhat.com, cvsbot-xmlrpc(a)redhat.com, dandread(a)redhat.com, dblechte(a)redhat.com, devrim(a)gunduz.org, dwalluck(a)redhat.com, eedri(a)redhat.com, etirelli(a)redhat.com, gklein(a)redhat.com, gsterlin(a)redhat.com, gvarsami(a)redhat.com, gzaronik(a)redhat.com, hhorak(a)redhat.com, huwang(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jbalunas(a)redhat.com, jclere(a)redhat.com, jcoleman(a)redhat.com, jjoyce(a)redhat.com, jorton(a)redhat.com, jschluet(a)redhat.com, jshepherd(a)redhat.com, kbasil(a)redhat.com, kconner(a)redhat.com, kseifried(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lpetrovi(a)redhat.com, lsurette(a)redhat.com, markmc(a)redhat.com, mbabacek(a)redhat.com, mbaluch(a)redhat.com, meissner(a)suse.de, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, mwinkler(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, pavelp(a)redhat.com, rbalakri(a)redhat.com, rbryant(a)redhat.com, Rhev-m-bugs(a)redhat.com, rrajasek(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, sclewis(a)redhat.com, sherold(a)redhat.com, spinder(a)redhat.com, srevivo(a)redhat.com, taw(a)redhat.com, tcunning(a)redhat.com, tdecacqu(a)redhat.com, theute(a)redhat.com, thomas(a)suse.de, tjay(a)redhat.com, tkirby(a)redhat.com, tlestach(a)redhat.com, tomckay(a)redhat.com, twalsh(a)redhat.com, weli(a)redhat.com, ydary(a)redhat.com, ykaul(a)redhat.com When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. References: http://seclists.org/oss-sec/2017/q2/78 Upstream bug: https://issues.apache.org/jira/browse/LOG4J2-1863 -- You are receiving this mail because: You are on the CC list for the bug.

1 72

[Bug 1559905] New: CVE-2018-8881 nasm: Heap overflow in function tokenize in asm/preproc.c
by bugzilla＠redhat.com 16 Apr '18

16 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1559905 Bug ID: 1559905 Summary: CVE-2018-8881 nasm: Heap overflow in function tokenize in asm/preproc.c Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: lpardo(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Netwide Assembler (NASM) 2.13.02rc2 has a heap-based buffer over-read in the function tokenize in asm/preproc.c, related to an unterminated string. References: https://bugzilla.nasm.us/show_bug.cgi?id=3392446 Patch: https://github.com/cyrillos/nasm/commit/3144e84add8b152cc7a71e44617ce6f21da… -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1567720] CVE-2018-10016 nasm: Divide-by-zero asm/eval.c:expr5() allows for crash via crafted file [fedora-all]
by bugzilla＠redhat.com 16 Apr '18

16 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1567720 Sam Fowler <sfowler(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1567719 (CVE-2018-10016) Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1567719 [Bug 1567719] CVE-2018-10016 nasm: Divide-by-zero asm/eval.c:expr5() allows for crash via crafted file -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1567720] CVE-2018-10016 nasm: Divide-by-zero asm/eval.c:expr5() allows for crash via crafted file [fedora-all]
by bugzilla＠redhat.com 16 Apr '18

16 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1567720 --- Comment #1 from Sam Fowler <sfowler(a)redhat.com> --- Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1567719,1567720 # Description of your update notes=Security fix for [PUT CVEs HERE] # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1462702] CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
by bugzilla＠redhat.com 16 Apr '18

16 Apr '18

1 0

[Bug 1566947] New: jenkins: CLI leaked existence of views and agents with attacker-specified names to users without Overall /Read permission (SECURITY-754)
by bugzilla＠redhat.com 13 Apr '18

13 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1566947 Bug ID: 1566947 Summary: jenkins: CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission (SECURITY-754) Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: ahardin(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jokerman(a)redhat.com, kseifried(a)redhat.com, mchappel(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist. External References: https://jenkins.io/security/advisory/2018-04-11/ -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1566950] New: jenkins: Cross-site scripting vulnerability in confirmation dialogs displaying item names (SECURITY-759)
by bugzilla＠redhat.com 13 Apr '18

13 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1566950 Bug ID: 1566950 Summary: jenkins: Cross-site scripting vulnerability in confirmation dialogs displaying item names (SECURITY-759) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: ahardin(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jokerman(a)redhat.com, kseifried(a)redhat.com, mchappel(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items. External References: https://jenkins.io/security/advisory/2018-04-11/ -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla＠redhat.com 12 Apr '18

12 Apr '18

1 0

[Bug 1565390] New: maven-jar-plugin-3.1.0 is available
by bugzilla＠redhat.com 11 Apr '18

11 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1565390 Bug ID: 1565390 Summary: maven-jar-plugin-3.1.0 is available Product: Fedora Version: rawhide Component: maven-jar-plugin Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Latest upstream release: 3.1.0 Current version/release in rawhide: 3.0.2-4.fc27 URL: http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-jar-plugin/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1917/ -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1510896] New: Problem to start tomcat with a user whose group has a name different to the user
by bugzilla＠redhat.com 10 Apr '18

10 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1510896 Bug ID: 1510896 Summary: Problem to start tomcat with a user whose group has a name different to the user Product: Fedora Version: rawhide Component: tomcat Severity: medium Assignee: ivan.afonichev(a)gmail.com Reporter: csutherl(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, aneelica(a)redhat.com, csutherl(a)redhat.com, djorm(a)redhat.com, dknox(a)redhat.com, etienne.carriere(a)finances.gouv.fr, hajek(a)oakland.edu, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jclere(a)redhat.com, jonderka(a)redhat.com, krzysztof.daniel(a)gmail.com, lnovich(a)redhat.com, luvilla(a)redhat.com, mbabacek(a)redhat.com, mczernek(a)redhat.com, me(a)coolsvap.net, mhasko(a)redhat.com, rhatlapa(a)redhat.com, tfonteyn(a)redhat.com, tomcat-qe(a)redhat.com Depends On: 1505762, 915447 Blocks: 835616 Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=915447 [Bug 915447] Problem to start tomcat with a user whose group has a name different to the user https://bugzilla.redhat.com/show_bug.cgi?id=1505762 [Bug 1505762] Problem to start tomcat with a user whose group has a name different to the user -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1564408] CVE-2018-1272 spring-framework: Multipart content pollution
by bugzilla＠redhat.com 10 Apr '18

10 Apr '18

1 0

[Bug 1564408] CVE-2018-1272 spring-framework: Multipart content pollution
by bugzilla＠redhat.com 10 Apr '18

10 Apr '18

1 0

[Bug 1545904] New: CVE-2018-6356 jenkins: Path traversal allows access to files outside plugin resources
by bugzilla＠redhat.com 09 Apr '18

09 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1545904 Bug ID: 1545904 Summary: CVE-2018-6356 jenkins: Path traversal allows access to files outside plugin resources Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: lpardo(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com A flaw was found in Jenkins weekly up to and including 2.106 and Jenkins LTS up to and including 2.89.3. Jenkins did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded. References: https://jenkins.io/security/advisory/2018-02-14/ -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1545899] New: jenkins: Improperly secured form validation for proxy configuration allows Server-Side Request Forgery
by bugzilla＠redhat.com 09 Apr '18

09 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1545899 Bug ID: 1545899 Summary: jenkins: Improperly secured form validation for proxy configuration allows Server-Side Request Forgery Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: lpardo(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com A flaw was found in Jenkins weekly up to and including 2.106 and Jenkins LTS up to and including 2.89.3. The form validation for the proxy configuration form did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL, optionally with a specified proxy configuration. If that request’s HTTP response code indicates success, the form validation is returning a generic success message, otherwise the HTTP status code is returned. It was not possible to reuse an existing proxy configuration to send those requests; that configuration had to be provided by the attacker. References: https://jenkins.io/security/advisory/2018-02-14/ -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1526596] New: jenkins: CSRF protection delayed after startup
by bugzilla＠redhat.com 09 Apr '18

09 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1526596 Bug ID: 1526596 Summary: jenkins: CSRF protection delayed after startup Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com A race condition during Jenkins startup could result in the wrong order of execution of commands during initialization. There’s a very short window of time after startup during which Jenkins may no longer show the "Please wait while Jenkins is getting ready to work" message, but Cross-Site Request Forgery (CSRF) protection may not yet be effective. External references: https://jenkins.io/security/advisory/2017-12-14/ -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1561287] New: CVE-2018-8718 jenkins-plugin-mailer: Missing permissions check in Mailer.java:doSendTestMail() allows unauthorised users to send mail
by bugzilla＠redhat.com 09 Apr '18

09 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1561287 Bug ID: 1561287 Summary: CVE-2018-8718 jenkins-plugin-mailer: Missing permissions check in Mailer.java:doSendTestMail() allows unauthorised users to send mail Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: ahardin(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dbaker(a)redhat.com, dedgar(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jokerman(a)redhat.com, kseifried(a)redhat.com, mchappel(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com The Jenkins Mailer Plugin through version 1.20 is missing a permissions check in the Mailer.java:doSendTestMail() function. Users with Overall/Read access are able to connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could result in DoS if, for example, specifying a valid mail server but invalid credentials. As the same URL did not require POST to be used, it also was vulnerable to cross-site request forgery. Upstream Advisory: https://jenkins.io/security/advisory/2018-03-26/ Upstream Patch: https://github.com/jenkinsci/mailer-plugin/commit/98e79cf904769907f83894e29… -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1522902] New: jenkins: Stored XSS vulnerability in tool names exploitable by administrators ( SECURITY-624)
by bugzilla＠redhat.com 09 Apr '18

09 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1522902 Bug ID: 1522902 Summary: jenkins: Stored XSS vulnerability in tool names exploitable by administrators (SECURITY-624) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Jenkins administrators can configure tools, such as JDK, Maven, or Ant, that will be available in job configurations for use by build scripts. Some tool names are not properly escaped on job configuration forms, resulting in a stored cross-site scripting vulnerability. Tools confirmed to be affected are: JDK (provided by Jenkins core) Ant (provided by Ant plugin) Others may also be affected by this. This vulnerability can only be exploited by Jenkins administrators, as they’re the only ones able to define tools. In the vast majority of Jenkins configurations, administrators are able to run any code and install any plugin. Therefore this vulnerability only really affects installations that don’t grant administrators the Run Scripts, Configure Update Sites, and Install Plugins permissions. The Jenkins project has prepared a plugin preventing the configuration of unsafe tool names at https://github.com/jenkinsci-cert/security624 as a workaround. External References: https://jenkins.io/security/advisory/2017-12-05/ -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1538332] CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist ( incomplete fix for CVE-2017-7525 and CVE-2017-17485)
by bugzilla＠redhat.com 09 Apr '18

09 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1538332 Kurt Seifried <kseifried(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1565285 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1538332] CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist ( incomplete fix for CVE-2017-7525 and CVE-2017-17485)
by bugzilla＠redhat.com 09 Apr '18

09 Apr '18

1 0

[Bug 1549276] CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
by bugzilla＠redhat.com 09 Apr '18

09 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1549276 kat <kbost(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kbost(a)redhat.com -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1564408] CVE-2018-1272 spring-framework: Multipart content pollution
by bugzilla＠redhat.com 06 Apr '18

06 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1564408 Andrej Nemec <anemec(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1564412 -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1564408] CVE-2018-1272 spring-framework: Multipart content pollution
by bugzilla＠redhat.com 06 Apr '18

06 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1564408 Andrej Nemec <anemec(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1564409 --- Comment #1 from Andrej Nemec <anemec(a)redhat.com> --- Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1564409] Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1564409 [Bug 1564409] CVE-2018-1270 CVE-2018-1272 springframework: various flaws [fedora-all] -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1564364] New: CVE-2018-1315 hive: 'COPY FROM FTP' feature allows malicious FTP server to write arbitrary files to the cluster
by bugzilla＠redhat.com 06 Apr '18

06 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1564364 Bug ID: 1564364 Summary: CVE-2018-1315 hive: 'COPY FROM FTP' feature allows malicious FTP server to write arbitrary files to the cluster Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: extras-orphan(a)fedoraproject.org, hghasemb(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, me(a)coolsvap.net, moceap(a)hotmail.com, pmackinn(a)redhat.com Blocks: 1564360 Apache Hive through version 2.3.2 has a vulnerability in the 'COPY FROM FTP' feature. When 'COPY FROM FTP' statement is run using HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is because FTP client code in HPL/SQL does not verify the destination location of the downloaded file. This does not affect hive cli user and hiveserver2 user as hplsql is a separate command line script and needs to be invoked differently. External References: https://lists.apache.org/thread.html/d5da94ef60312c01a8d2348466680d1b5fb707… Upstream Issue: https://issues.apache.org/jira/browse/HIVE-18815 Upstream Patches: https://issues.apache.org/jira/secure/attachment/12912330/HIVE-18815.1.patch https://issues.apache.org/jira/secure/attachment/12912689/HIVE-18815.1-bran… -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1564361] New: CVE-2018-1282 hive: Improper input validation in jdbc/ HivePreparedStatement.java allows for SQL injection
by bugzilla＠redhat.com 06 Apr '18

06 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1564361 Bug ID: 1564361 Summary: CVE-2018-1282 hive: Improper input validation in jdbc/HivePreparedStatement.java allows for SQL injection Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: extras-orphan(a)fedoraproject.org, hghasemb(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, me(a)coolsvap.net, moceap(a)hotmail.com, pmackinn(a)redhat.com Blocks: 1564360 Apache Hive through version 2.3.2 is vulnerable to SQL injection in the JDBC driver due to improper input sanitization in jdbc/HivePreparedStatement.java. External References: https://lists.apache.org/thread.html/74bd2bff1827febb348dfb323986fa340d3bb9… Upstream Issue: https://issues.apache.org/jira/browse/HIVE-18788 Upstream Patches: https://issues.apache.org/jira/secure/attachment/12911779/HIVE-18788.1.patch https://issues.apache.org/jira/secure/attachment/12911868/HIVE-18788.2.patch https://issues.apache.org/jira/secure/attachment/12911921/HIVE-18788.3.patch https://issues.apache.org/jira/secure/attachment/12912687/HIVE-18788.3-bran… -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1564357] New: CVE-2018-1284 hive: Mishandled input in UDFXPathUtil.java allows users to access arbitrary files via crafted XML
by bugzilla＠redhat.com 06 Apr '18

06 Apr '18

https://bugzilla.redhat.com/show_bug.cgi?id=1564357 Bug ID: 1564357 Summary: CVE-2018-1284 hive: Mishandled input in UDFXPathUtil.java allows users to access arbitrary files via crafted XML Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: extras-orphan(a)fedoraproject.org, hghasemb(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, me(a)coolsvap.net, moceap(a)hotmail.com, pmackinn(a)redhat.com Apache Hive through version 2.3.2 is vulnerable to the mishandling of xpath UDFs in UDFXPathUtil.java. An attacker could exploit this by passing crafted XML to access arbitrary files. External References: https://lists.apache.org/thread.html/29184dbce4a37be2af36e539ecb479b1d27868… Upstream Issue: https://issues.apache.org/jira/browse/HIVE-18879 Upstream Patches: https://issues.apache.org/jira/secure/attachment/12913270/HIVE-18879.1.patch https://issues.apache.org/jira/secure/attachment/12913453/HIVE-18879.1-bran… -- You are receiving this mail because: You are on the CC list for the bug.

1 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits April 2018