December 2020 - java-sig-commits - Fedora Mailing-Lists

[Bug 1887664] CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1887664 --- Comment #56 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Data Grid 7.3.8 Via RHSA-2020:5410 https://access.redhat.com/errata/RHSA-2020:5410 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
0
0 / 0

[Bug 1564408] CVE-2018-1272 spring-framework: Multipart content pollution

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1564408 Hardik Vyas <hvyas(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://issues.redhat.com/b | |rowse/ENTESB-7945, | |https://issues.redhat.com/b | |rowse/ENTESB-8585 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
0
0 / 0

[Bug 1906462] New: javapackages-tools fails to build with Python 3.10: AssertionError: '<frozen importlib._bootstrap>:241: Runtim[147 chars]type' != 'Unsupported artifact type'

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1906462 Bug ID: 1906462 Summary: javapackages-tools fails to build with Python 3.10: AssertionError: '<frozen importlib._bootstrap>:241: Runtim[147 chars]type' != 'Unsupported artifact type' Product: Fedora Version: rawhide Status: NEW Component: javapackages-tools Assignee: mizdebsk(a)redhat.com Reporter: thrnciar(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mat.booth(a)redhat.com, mhroncok(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, sochotni(a)redhat.com, thrnciar(a)redhat.com Blocks: 1890881 (PYTHON3.10) Target Milestone: --- Classification: Fedora javapackages-tools fails to build with Python 3.10.0a3. ====================================================================== FAIL: test_run_no_args (mvn_alias_test.TestMvnAlias) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/javapackages-5.3.0/test/test_common.py", line 122, in test_decorated fun(self, stdout, stderr, return_value) File "/builddir/build/BUILD/javapackages-5.3.0/test/mvn_alias_test.py", line 32, in test_run_no_args self.assertEqual("Usage:", stderr[:6]) AssertionError: 'Usage:' != '<froze' - Usage: + <froze ====================================================================== FAIL: test_run_no_args (mvn_compat_version_test.TestMvnCompatVersion) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/javapackages-5.3.0/test/test_common.py", line 122, in test_decorated fun(self, stdout, stderr, return_value) File "/builddir/build/BUILD/javapackages-5.3.0/test/mvn_compat_version_test.py", line 29, in test_run_no_args self.assertEqual("Usage:", stderr[:6]) AssertionError: 'Usage:' != '<froze' - Usage: + <froze ====================================================================== FAIL: test_run_no_args (mvn_config_test.TestMvnConfig) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/javapackages-5.3.0/test/test_common.py", line 122, in test_decorated fun(self, stdout, stderr, return_value) File "/builddir/build/BUILD/javapackages-5.3.0/test/mvn_config_test.py", line 29, in test_run_no_args self.assertEqual("Usage:", stderr[:6]) AssertionError: 'Usage:' != '<froze' - Usage: + <froze ====================================================================== FAIL: test_run_no_args (mvn_file_test.TestMvnFile) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/javapackages-5.3.0/test/test_common.py", line 122, in test_decorated fun(self, stdout, stderr, return_value) File "/builddir/build/BUILD/javapackages-5.3.0/test/mvn_file_test.py", line 29, in test_run_no_args self.assertEqual("Usage:", stderr[:6]) AssertionError: 'Usage:' != '<froze' - Usage: + <froze ====================================================================== FAIL: test_run_no_args (mvn_package_test.TestMvnPackage) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/javapackages-5.3.0/test/test_common.py", line 122, in test_decorated fun(self, stdout, stderr, return_value) File "/builddir/build/BUILD/javapackages-5.3.0/test/mvn_package_test.py", line 30, in test_run_no_args self.assertEqual("Usage:", stderr[:6]) AssertionError: 'Usage:' != '<froze' - Usage: + <froze ====================================================================== FAIL: test_unsupported_type (pm_request_test.PmRequestTest) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/javapackages-5.3.0/test/pm_request_test.py", line 80, in test_unsupported_type self.assertEqual(err.rstrip(), "Unsupported artifact type") AssertionError: '<frozen importlib._bootstrap>:241: Runtim[147 chars]type' != 'Unsupported artifact type' - <frozen importlib._bootstrap>:241: RuntimeWarning: builtins.type size changed, may indicate binary incompatibility. Expected 880 from C header, got 888 from PyObject Unsupported artifact type ====================================================================== FAIL: test_usage (pm_request_test.PmRequestTest) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/javapackages-5.3.0/test/pm_request_test.py", line 85, in test_usage self.assertEqual(err.rstrip(), "Usage: artifact-type artifact-coordinates") AssertionError: '<frozen importlib._bootstrap>:241: Runtim[163 chars]ates' != 'Usage: artifact-type artifact-coordinates' - <frozen importlib._bootstrap>:241: RuntimeWarning: builtins.type size changed, may indicate binary incompatibility. Expected 880 from C header, got 888 from PyObject Usage: artifact-type artifact-coordinates ---------------------------------------------------------------------- XML: /builddir/build/BUILD/javapackages-5.3.0/test/nosetests.xml ---------------------------------------------------------------------- Ran 422 tests in 44.010s FAILED (failures=7) For the build logs, see: https://copr-be.cloud.fedoraproject.org/results/%40python/python3.10/fedo... For all our attempts to build krita with Python 3.10, see: https://copr.fedorainfracloud.org/coprs/g/python/python3.10/package/javap... Testing and mass rebuild of packages is happening in copr. You can follow these instructions to test locally in mock if your package builds with Python 3.10: https://copr.fedorainfracloud.org/coprs/g/python/python3.10/ Let us know here if you have any questions. Python 3.10 will be included in Fedora 35. To make that update smoother, we're building Fedora packages with early pre-releases of Python 3.10. A build failure prevents us from testing all dependent packages (transitive [Build]Requires), so if this package is required a lot, it's important for us to get it fixed soon. We'd appreciate help from the people who know this package best, but if you don't want to work on this now, let us know so we can try to work around it on our side. Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1890881 [Bug 1890881] Python 3.10 tracker -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
2
0 / 0

[Bug 1845547] New: CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1845547 Bug ID: 1845547 Summary: CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class [fedora-all] Product: Fedora Version: 32 Status: NEW Component: resteasy Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: dmoluguw(a)redhat.com Reporter: cbuissar(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, ascheel(a)redhat.com, dingyichen(a)gmail.com, dmoluguw(a)redhat.com, edewata(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it, stewardship-sig(a)lists.fedoraproject.org, weli(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
9
0 / 0

[Bug 1730462] CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1730462 Bug 1730462 depends on bug 1845547, which changed state. Bug 1845547 Summary: CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1845547 What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
0
0 / 0

[Bug 1898907] CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1898907 Bug 1898907 depends on bug 1898944, which changed state. Bug 1898944 Summary: CVE-2020-26217 xstream: remote code execution due to insecure XML deserialization when relying on blocklists [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1898944 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |NOTABUG -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
0
0 / 0

[Bug 1898944] New: CVE-2020-26217 xstream: remote code execution due to insecure XML deserialization when relying on blocklists [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1898944 Bug ID: 1898944 Summary: CVE-2020-26217 xstream: remote code execution due to insecure XML deserialization when relying on blocklists [fedora-all] Product: Fedora Version: 33 Status: NEW Component: xstream Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: dchen(a)redhat.com Reporter: mkaplan(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dchen(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
3
0 / 0

[Bug 1887664] CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1887664 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:5342 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
0
0 / 0

[Bug 1887664] CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1887664 --- Comment #55 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:5342 https://access.redhat.com/errata/RHSA-2020:5342 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
0
0 / 0

[Bug 1887664] CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1887664 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:5341 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits December 2020