https://bugzilla.redhat.com/show_bug.cgi?id=1548284
Bug ID: 1548284
Summary: CVE-2018-1305 tomcat: Late application of security
constraints can lead to resource exposure for
unauthorised users [fedora-all]
Product: Fedora
Version: 27
Component: tomcat
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: ivan.afonichev(a)gmail.com
Reporter: sfowler(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com, csutherl(a)redhat.com,
ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, me(a)coolsvap.net
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed:
What            |Removed |Added
----------------------------------------------------------------------------
External Bug ID |        |Red Hat Product Errata RHSA-2018:0627
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
--- Comment #24 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2018:0627 https://access.redhat.com/errata/RHSA-2018:0627
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed:
What            |Removed |Added
----------------------------------------------------------------------------
External Bug ID |        |Red Hat Product Errata RHSA-2018:0628
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
--- Comment #23 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
Via RHSA-2018:0628 https://access.redhat.com/errata/RHSA-2018:0628
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed:
What            |Removed |Added
----------------------------------------------------------------------------
External Bug ID |        |Red Hat Product Errata RHSA-2018:0630
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed:
What            |Removed |Added
----------------------------------------------------------------------------
External Bug ID |        |Red Hat Product Errata RHSA-2018:0629
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
--- Doc Text *updated* by Eric Christensen <sparks(a)redhat.com> ---
An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution.
https://bugzilla.redhat.com/show_bug.cgi?id=1560603
Bug ID: 1560603
Summary: jenkins is unmaintained
Product: Fedora
Version: rawhide
Component: jenkins
Assignee: msrb(a)redhat.com
Reporter: msimacek(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
There are 24 open bugs for the component (not counting plugins).
There are 33 unfixed CVEs.
The latest upstream version is 2.107, while the package version in Fedora is
1.651
Most of the plugins are FTBFS for multiple Fedora releases.
The package is unmaintained. We should strive to avoid shipping broken
software.
If you don't have the time to maintain it, please orphan/retire it.
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
--- Comment #20 from Doran Moppert <dmoppert(a)redhat.com> ---
Statement:
Subscription Asset Manager is now in a reduced support phase receiving only
Critical impact security fixes. This issue has been rated as having a security
impact of Important, and is not currently planned to be addressed in future
updates.
This issue did not affect the versions of Candlepin as shipped with Red Hat
Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which
is not on the Candlepin classpath).
Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue.
Updated packages that address this issue are available through the Red Hat
Enterprise Linux Server channels. Virtualization Manager hosts should be
subscribed to these channels and obtain the updates via `yum update`.
https://bugzilla.redhat.com/show_bug.cgi?id=1556974
Bug ID: 1556974
Summary: Aliases don't behave correctly for plugins
Product: Fedora
Version: rawhide
Component: xmvn
Assignee: mizdebsk(a)redhat.com
Reporter: msimacek(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, msrb(a)redhat.com
Description of problem:
Plugins used via an alias don't work correctly.
For example: hawtjni recently renamed their maven-hawtjni-plugin to
hawtjni-maven-plugin. I added an alias:
%mvn_alias :hawtjni-maven-plugin :maven-hawtjni-plugin
The plugin works fine when used via the primary name (hawtjni-maven-plugin),
but doesn't work when used via the alias (maven-hawtjni-plugin). It resolves
fine, but executes the plugin with incorrect configuration.
Version-Release number of selected component (if applicable):
xmvn-minimal-3.0.0-13.fc28.noarch
maven-lib-3.5.3-1.fc29.noarch
How reproducible:
always
Steps to Reproduce:
1. Clone netty (commit a001671 = current master) and try to build it in f29
mock with -X passed to %mvn_build
2. Observe it fails
3. Add the following to %prep: sed -i s/hawtjni-maven-plugin/maven-hawtjni-plugin/g `find -name pom.xml`
4. Observe it succeeds and was executed with different config (now contains
generatedNativeSourceDirectory key)
https://bugzilla.redhat.com/show_bug.cgi?id=1557543
Bug ID: 1557543
Summary: CVE-2018-1324 apache-commons-compress: Infinite loop
via extra field parser in ZipFile and
ZipArchiveInputStream classes [fedora-all]
Product: Fedora
Version: 27
Component: apache-commons-compress
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
sandro(a)mathys.io, SpikeFedora(a)gmail.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
https://bugzilla.redhat.com/show_bug.cgi?id=1501817
Bug ID: 1501817
Summary: jenkins: "Queue Item" remote API disclosed information
about inaccessible jobs (SECURITY-618)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
The remote API at /queue/item/(ID)/api showed information about tasks in the
queue (typically builds waiting to start). This included information about
tasks that the current user otherwise has no access to, e.g. due to lack of
Job/Read permission.
External References:
https://jenkins.io/security/advisory/2017-10-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1501816
Bug ID: 1501816
Summary: jenkins: "Computer" remote API disclosed information
about inaccessible jobs (SECURITY-611)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
The remote API at /computer/(agent-name)/api showed information about tasks
(typically builds) currently running on that agent. This included information
about tasks that the current user otherwise has no access to, e.g. due to lack
of Job/Read permission.
External References:
https://jenkins.io/security/advisory/2017-10-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1501814
Bug ID: 1501814
Summary: jenkins: "User" remote API disclosed users' email
addresses (SECURITY-514)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Information about Jenkins user accounts is generally available to anyone with
Overall/Read permissions via the /user/(username)/api remote API. This included
e.g. Jenkins users' email addresses if the Mailer Plugin is installed.
External References:
https://jenkins.io/security/advisory/2017-10-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1501820
Bug ID: 1501820
Summary: jenkins: Jenkins core bundled vulnerable version of
the commons-httpclient library (SECURITY-555)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Jenkins bundled a version of the commons-httpclient library with the
vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making
it susceptible to man-in-the-middle attacks.
External References:
https://jenkins.io/security/advisory/2017-10-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1501818
Bug ID: 1501818
Summary: jenkins: "Job" remote API disclosed information about
inaccessible upstream/downstream jobs (SECURITY-617)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
The remote API at /job/(job-name)/api contained information about upstream and
downstream projects. This included information about tasks that the current
user otherwise has no access to, e.g. due to lack of Job/Read permission.
External References:
https://jenkins.io/security/advisory/2017-10-11/
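The three Jenkins reports above (SECURITY-618 for /queue/item/(ID)/api, SECURITY-611 for /computer/(agent-name)/api and SECURITY-617 for the upstream/downstream lists in /job/(job-name)/api) share one failure: an endpoint the user is allowed to read embeds references to jobs that user is not allowed to read. The Python script below is an added example, not code from the Jenkins advisory or from these bug reports. It checks an instance for this class of leak from the viewpoint of a low-privileged account: collect the jobs that account can list, then compare them against the job names the queue, computer and job endpoints reveal. The JSON field names it relies on (items[].task.url, computer[].executors[].currentExecutable.url, upstreamProjects and downstreamProjects) are assumed from the Jenkins JSON remote API; the sample responses are constructed and embedded so the script runs offline, and the fetch(path) hook is an assumption to be replaced with an HTTP GET using the low-privilege user's credentials.

```python
"""Audit a Jenkins instance for job names leaked through the queue, computer and
job remote APIs. Run it as a LOW-privilege user: any job name seen in those
endpoints but absent from that user's own job list was disclosed to them."""
import json
from urllib.parse import urlparse

# Constructed sample responses (made up for this example, not captured from a
# real instance), shaped like the Jenkins JSON remote API.
SAMPLE_RESPONSES = {
    "/api/json": {"jobs": [
        {"name": "public-build", "url": "https://ci.example/job/public-build/"},
        {"name": "public-build-test", "url": "https://ci.example/job/public-build-test/"},
    ]},
    "/queue/api/json": {"items": [
        {"id": 41, "task": {"name": "public-build", "url": "https://ci.example/job/public-build/"}},
        {"id": 42, "task": {"name": "secret-release", "url": "https://ci.example/job/secret-release/"}},
    ]},
    "/computer/api/json": {"computer": [
        {"displayName": "master", "executors": [
            {"currentExecutable": None},
            {"currentExecutable": {"number": 7, "url": "https://ci.example/job/ops/job/secret-deploy/7/"}},
        ]},
    ]},
    "/job/public-build/api/json": {
        "upstreamProjects": [{"name": "secret-source", "url": "https://ci.example/job/secret-source/"}],
        "downstreamProjects": [{"name": "public-build-test", "url": "https://ci.example/job/public-build-test/"}],
    },
}

def sample_fetch(path):
    """Offline stand-in for an HTTP GET of <jenkins-url> + path (hypothetical
    hook); unknown paths return an empty object, as a 404 handler would."""
    return SAMPLE_RESPONSES.get(path, {})

def job_name_from_url(url):
    """Full job name from a job or build URL, keeping folder nesting:
    https://ci/job/ops/job/secret-deploy/7/ -> "ops/secret-deploy"."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    names = [segments[i + 1] for i, s in enumerate(segments[:-1]) if s == "job"]
    return "/".join(names) if names else None

def job_api_path(full_name):
    """API path for a full job name: "ops/app" -> /job/ops/job/app/api/json."""
    return "/job/" + "/job/".join(full_name.split("/")) + "/api/json"

def readable_jobs(fetch):
    """Jobs the current user may list (top-level only: folder contents would
    need a tree= query, which this example leaves out)."""
    return {job_name_from_url(j["url"]) for j in fetch("/api/json").get("jobs", [])}

def names_from_queue(fetch):
    """Job names referenced by queued items (what /queue/item/<id>/api exposed)."""
    names = set()
    for item in fetch("/queue/api/json").get("items", []):
        task = item.get("task") or {}
        name = job_name_from_url(task["url"]) if task.get("url") else task.get("name")
        if name:
            names.add(name)
    return names

def names_from_computers(fetch):
    """Job names of builds running on each agent (what /computer/<agent>/api exposed)."""
    names = set()
    for node in fetch("/computer/api/json").get("computer", []):
        for executor in node.get("executors", []):
            running = executor.get("currentExecutable") or {}
            name = job_name_from_url(running["url"]) if running.get("url") else None
            if name:
                names.add(name)
    return names

def names_from_job_links(fetch, job_names):
    """Upstream/downstream project names listed by /job/<name>/api."""
    names = set()
    for full_name in job_names:
        data = fetch(job_api_path(full_name))
        for key in ("upstreamProjects", "downstreamProjects"):
            for project in data.get(key, []):
                linked = job_name_from_url(project["url"]) if project.get("url") else project.get("name")
                if linked:
                    names.add(linked)
    return names

def audit(fetch):
    """Map each endpoint to the sorted job names it reveals beyond the user's
    own job list; an empty dict means nothing was disclosed."""
    visible = readable_jobs(fetch)
    findings = {
        "/queue/api/json": names_from_queue(fetch) - visible,
        "/computer/api/json": names_from_computers(fetch) - visible,
        "/job/<name>/api/json": names_from_job_links(fetch, visible) - visible,
    }
    return {endpoint: sorted(names) for endpoint, names in findings.items() if names}

if __name__ == "__main__":
    # Offline run. For a live check, pass a fetch(path) that GETs the path on
    # your Jenkins URL with the low-privilege user's credentials and returns
    # json.loads() of the body.
    print(json.dumps(audit(sample_fetch), indent=2))
```

Against a patched instance the audit should come back empty; a non-empty result for the queue or computer endpoints is the SECURITY-618/SECURITY-611 leak and for the job endpoint the SECURITY-617 one. Because the script treats only top-level jobs as readable, jobs inside folders will show up as false positives until the job listing is extended with a tree= query.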
https://bugzilla.redhat.com/show_bug.cgi?id=1434338
Bug ID: 1434338
Summary: CVE-2017-2651 jenkins-mailer-plugin: Emails were sent
to addresses not associated with actual users of
Jenkins by Mailer Plugin
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com, tdawson(a)redhat.com
The Mailer and Email Extension Plugins are able to send emails to a dynamically
created list of users based on the changelogs, like authors of SCM changes
since the last successful build.
This could in some cases result in emails being sent to people who have no user
account in Jenkins, and in rare cases even people who were not involved in
whatever project was being built, due to some mapping based on the local-part
of email addresses.
Affected versions: up to and including version 1.19
External Reference:
https://jenkins.io/security/advisory/2017-03-20/
https://bugzilla.redhat.com/show_bug.cgi?id=1501812
Bug ID: 1501812
Summary: jenkins: Arbitrary shell command execution on master
by users with Agent-related permissions (SECURITY-478)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Users with permission to create or configure agents in Jenkins could configure
a launch method called "Launch agent via execution of command on master". This
allowed them to run arbitrary shell commands on the master node whenever the
agent was supposed to be launched.
External References:
https://jenkins.io/security/advisory/2017-10-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1501813
Bug ID: 1501813
Summary: jenkins: Jenkins core bundled vulnerable version of
the commons-fileupload library (SECURITY-490)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Jenkins bundled a version of the commons-fileupload library with the
denial-of-service vulnerability known as CVE-2016-3092.
External References:
https://jenkins.io/security/advisory/2017-10-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1549276
Bug 1549276 depends on bug 1549279, which changed state.
Bug 1549279 Summary: CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1549279
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1549279
Bug ID: 1549279
Summary: CVE-2018-7489 jackson-databind: incomplete fix for
CVE-2017-7525 permits unsafe serialization via c3p0
libraries [fedora-all]
Product: Fedora
Version: 27
Component: jackson-databind
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: puntogil(a)libero.it
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
https://bugzilla.redhat.com/show_bug.cgi?id=1558764
Bug ID: 1558764
Summary: jetty-9.4.9.v20180320 is available
Product: Fedora
Version: rawhide
Component: jetty
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
sochotni(a)redhat.com
Latest upstream release: 9.4.9.v20180320
Current version/release in rawhide: 9.4.8-4.v20171121.fc28
URL: http://www.eclipse.org/jetty
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1447/
https://bugzilla.redhat.com/show_bug.cgi?id=1508473
Bug ID: 1508473
Summary: 3.9.0 is available
Product: Fedora
Version: rawhide
Component: okhttp
Assignee: puntogil(a)libero.it
Reporter: mgansser(a)online.de
QA Contact: extras-qa(a)fedoraproject.org
CC: gerard(a)ryan.lt,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, puntogil(a)libero.it
3.9.0 of okhttp is available
https://github.com/square/okhttp