java-sig-commits March 2021

java-sig-commits@lists.fedoraproject.org

1 participants
272 discussions

[Bug 1933809] New: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel [fedora-all]
by bugzilla＠redhat.com 19 Mar '21

19 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1933809 Bug ID: 1933809 Summary: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel [fedora-all] Product: Fedora Version: 33 Status: NEW Component: batik Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: mat.booth(a)redhat.com Reporter: gsuckevi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, mat.booth(a)redhat.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1918540] New: batik-1.14 is available
by bugzilla＠redhat.com 19 Mar '21

19 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1918540 Bug ID: 1918540 Summary: batik-1.14 is available Product: Fedora Version: rawhide Status: NEW Component: batik Keywords: FutureFeature, Triaged Assignee: mat.booth(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, mat.booth(a)redhat.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 1.14 Current version/release in rawhide: 1.13-1.fc34 URL: https://xmlgraphics.apache.org/batik/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/168/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1935927] CVE-2021-20289 resteasy: Error message exposes endpoint class information
by bugzilla＠redhat.com 17 Mar '21

17 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1935927 Pedro Sampaio <psampaio(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(psampaio(a)redhat.c | |om) | -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1758171] New: jackson-databind: Serialization gadgets in classes of the commons-configuration package
by bugzilla＠redhat.com 17 Mar '21

17 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1758171 Bug ID: 1758171 Summary: jackson-databind: Serialization gadgets in classes of the commons-configuration package Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cbyrne(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmacedo(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, decathorpe(a)gmail.com, dffrench(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, drusso(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, hhorak(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jburrell(a)redhat.com, jjoyce(a)redhat.com, jmadigan(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jschatte(a)redhat.com, jschluet(a)redhat.com, jshepherd(a)redhat.com, jstastny(a)redhat.com, kbasil(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, ngough(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgallagh(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, puntogil(a)libero.it, pwright(a)redhat.com, rchan(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sponnaga(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com, trepel(a)redhat.com, trogers(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com Target Milestone: --- Classification: Other A flaw was found in jackson-databind before 2.9.10. New serialization gadgets were found regarding a class of the commons-configuration 1 and commons-configuration 2 packages which may help in exploiting deserialization issues. Upstream issue: https://github.com/FasterXML/jackson-databind/issues/2462 Upstream patch: https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8… https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb8963… References: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-yo… -- You are receiving this mail because: You are on the CC list for the bug.

1 34

[Bug 1935927] CVE-2021-20289 resteasy: Error message exposes endpoint class information
by bugzilla＠redhat.com 17 Mar '21

17 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1935927 --- Comment #9 from Ted (Jong Seok) Won <jwon(a)redhat.com> --- In reply to comment #8: > JFTR it doesn't look (from RESTEASY-2843) or the upstream repo that this CVE > is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will > be fixed in the upcoming release 4.7.0.Final. Thank you for pointing out it. We've fixed it. Thanks! -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1935927] CVE-2021-20289 resteasy: Error message exposes endpoint class information
by bugzilla＠redhat.com 17 Mar '21

17 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1935927 --- Doc Text *updated* by Ted (Jong Seok) Won <jwon(a)redhat.com> --- A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1755831] New: CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource
by bugzilla＠redhat.com 17 Mar '21

17 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1755831 Bug ID: 1755831 Summary: CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: ahardin(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bleanhar(a)redhat.com, bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cbyrne(a)redhat.com, ccoleman(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmacedo(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, decathorpe(a)gmail.com, dedgar(a)redhat.com, dffrench(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, drusso(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, hhorak(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jgoulding(a)redhat.com, jjoyce(a)redhat.com, jmadigan(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jschatte(a)redhat.com, jschluet(a)redhat.com, jshepherd(a)redhat.com, jstastny(a)redhat.com, kbasil(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)redhat.com, mburns(a)redhat.com, mchappel(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, ngough(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgallagh(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, puntogil(a)libero.it, pwright(a)redhat.com, rchan(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com, trepel(a)redhat.com, trogers(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com Target Milestone: --- Classification: Other A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. Reference: https://github.com/FasterXML/jackson-databind/issues/2449 https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4… https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd… -- You are receiving this mail because: You are on the CC list for the bug.

1 45

[Bug 1758167] New: jackson-databind: Serialization gadgets in classes of the ehcache package
by bugzilla＠redhat.com 17 Mar '21

17 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1758167 Bug ID: 1758167 Summary: jackson-databind: Serialization gadgets in classes of the ehcache package Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cbyrne(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmacedo(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, decathorpe(a)gmail.com, dffrench(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, drusso(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, hhorak(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jburrell(a)redhat.com, jjoyce(a)redhat.com, jmadigan(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jschatte(a)redhat.com, jschluet(a)redhat.com, jshepherd(a)redhat.com, jstastny(a)redhat.com, kbasil(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, ngough(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgallagh(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, puntogil(a)libero.it, pwright(a)redhat.com, rchan(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sponnaga(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com, trepel(a)redhat.com, trogers(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com Target Milestone: --- Classification: Other A flaw was found in jackson-databind before 2.9.10. New serialization gadgets were found regarding a class of the ehcache package which may help in deserialization issues exploit. Upstream issue: https://github.com/FasterXML/jackson-databind/issues/2460 Upstream patch: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77… References: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-yo… -- You are receiving this mail because: You are on the CC list for the bug.

1 40

[Bug 1775293] New: cve jackson-databind: default typing leads to code execution
by bugzilla＠redhat.com 17 Mar '21

17 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1775293 Bug ID: 1775293 Summary: cve jackson-databind: default typing leads to code execution Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cbyrne(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmacedo(a)redhat.com, darran.lofthouse(a)redhat.com, decathorpe(a)gmail.com, dffrench(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, drusso(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, hhorak(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jburrell(a)redhat.com, jmadigan(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jshepherd(a)redhat.com, jstastny(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, ngough(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgallagh(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, puntogil(a)libero.it, pwright(a)redhat.com, rchan(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, smaestri(a)redhat.com, sokeeffe(a)redhat.com, sponnaga(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com, trepel(a)redhat.com, trogers(a)redhat.com, twalsh(a)redhat.com Target Milestone: --- Classification: Other A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. Reference: https://github.com/FasterXML/jackson-databind/issues/2498 -- You are receiving this mail because: You are on the CC list for the bug.

1 49

[Bug 1935927] CVE-2021-20289 resteasy: Error message exposes endpoint class information
by bugzilla＠redhat.com 16 Mar '21

16 Mar '21

https://bugzilla.redhat.com/show_bug.cgi?id=1935927 Alexander Scheel <alexander.m.scheel(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(psampaio(a)redhat.c | |om) --- Comment #8 from Alexander Scheel <alexander.m.scheel(a)gmail.com> --- JFTR it doesn't look (from RESTEASY-2843) or the upstream repo that this CVE is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will be fixed in the upcoming release 4.7.0.Final. -- You are receiving this mail because: You are on the CC list for the bug.

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits March 2021