November 2022 - java-sig-commits - Fedora Mailing-Lists

[Bug 2134299] New: CVE-2022-40155 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks [epel-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2134299 Bug ID: 2134299 Summary: CVE-2022-40155 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks [epel-all] Product: Fedora EPEL Version: epel8 Status: NEW Component: xstream Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: fedoraproject.org(a)bluhm-de.com Reporter: pdelbell(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: didiksupriadi41(a)gmail.com, fedoraproject.org(a)bluhm-de.com, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora EPEL. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2134299

1 year

1
3
0 / 0

[Bug 2134290] New: CVE-2022-40153 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2134290 Bug ID: 2134290 Summary: CVE-2022-40153 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: pdelbell(a)redhat.com CC: didiksupriadi41(a)gmail.com, fedoraproject.org(a)bluhm-de.com, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com Blocks: 2128414 Target Milestone: --- Classification: Other Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49858 https://github.com/x-stream/xstream/issues/304 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2134290

1 year

1
9
0 / 0

[Bug 2134301] New: CVE-2022-40153 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks [epel-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2134301 Bug ID: 2134301 Summary: CVE-2022-40153 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks [epel-all] Product: Fedora EPEL Version: epel8 Status: NEW Component: xstream Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: fedoraproject.org(a)bluhm-de.com Reporter: pdelbell(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: didiksupriadi41(a)gmail.com, fedoraproject.org(a)bluhm-de.com, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora EPEL. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2134301

1 year

1
3
0 / 0

[Bug 2134303] New: CVE-2022-40152 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks [epel-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2134303 Bug ID: 2134303 Summary: CVE-2022-40152 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks [epel-all] Product: Fedora EPEL Version: epel8 Status: NEW Component: xstream Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: fedoraproject.org(a)bluhm-de.com Reporter: pdelbell(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: didiksupriadi41(a)gmail.com, fedoraproject.org(a)bluhm-de.com, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora EPEL. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2134303

1 year

1
3
0 / 0

[Bug 2141333] New: CVE-2022-42252 tomcat: request smuggling [epel-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2141333 Bug ID: 2141333 Summary: CVE-2022-42252 tomcat: request smuggling [epel-all] Product: Fedora EPEL Version: epel8 Status: NEW Component: tomcat Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: csutherl(a)redhat.com Reporter: pdelbell(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, gzaronikas(a)gmail.com, huwang(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2141329 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2141333

1 year

1
4
0 / 0

[Bug 2130599] New: CVE-2021-43980: Apache Tomcat: Information disclosure

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2130599 Bug ID: 2130599 Summary: CVE-2021-43980: Apache Tomcat: Information disclosure Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: amctagga(a)redhat.com CC: alee(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, gzaronikas(a)gmail.com, huwang(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com Target Milestone: --- Classification: Other Severity: important Description: The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. Credit: Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for discovering the issue and working with the Tomcat security team to identify the root cause and appropriate fix. References: https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2130599

1 year

1
15
0 / 0

[Bug 2133649] New: CVE-2021-43980 tomcat: : Apache Tomcat: Information disclosure [epel-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2133649 Bug ID: 2133649 Summary: CVE-2021-43980 tomcat: : Apache Tomcat: Information disclosure [epel-all] Product: Fedora EPEL Version: epel8 Status: NEW Component: tomcat Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: csutherl(a)redhat.com Reporter: trathi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, gzaronikas(a)gmail.com, huwang(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora EPEL. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2133649

1 year

1
4
0 / 0

[Bug 2131538] New: objectweb-asm-9.4 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2131538 Bug ID: 2131538 Summary: objectweb-asm-9.4 is available Product: Fedora Version: rawhide Status: NEW Component: objectweb-asm Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: dwalluck(a)redhat.com, fnasser(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Releases retrieved: 9.4 Upstream release that is considered latest: 9.4 Current version/release in rawhide: 9.3-3.fc38 URL: http://asm.ow2.org/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release... Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/7177/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/objectweb-asm -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2131538

1 year

1
2
0 / 0

[Bug 2051184] New: lancer fails to build with java-17-openjdk

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2051184 Bug ID: 2051184 Summary: lancer fails to build with java-17-openjdk Product: Fedora Version: rawhide Status: NEW Component: lancer Severity: high Assignee: willb(a)redhat.com Reporter: jvanek(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: didiksupriadi41(a)gmail.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jhuttana(a)redhat.com, jvanek(a)redhat.com, pmikova(a)redhat.com, sgehwolf(a)redhat.com, willb(a)redhat.com Blocks: 2024265 Target Milestone: --- Classification: Fedora lancer fails to build with java-17-openjdk as sytem JDK. See https://fedoraproject.org/wiki/Changes/Java17 . See especially part about known failures: https://fedoraproject.org/wiki/Changes/Java17#common_issues_packagers_can... For the build logs, see: https://koji.fedoraproject.org/koji/taskinfo?taskID=82430359 https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/mock_output.log https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/hw_info.log https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/state.log https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/build.log https://kojipkgs.fedoraproject.org/work/tasks/374/82430374/root.log We run the rebuild in side tag f36-java17, but as fail ratio was small, we expect this side tag to be merged into rawhide 7 or 8 of February 2022. To reproduce before this date simply: fedpkg clone lancer; cd lancer; fedpkg build --target f36-java17; #The target is crucial. After this date the usual fedpkg build in f36 and up should do. We run two reruns your package failed both. We had also run the mass rebuilds in copr since November. We keep all encountered failures. See them here: https://copr.fedorainfracloud.org/coprs/jvanek/java17//package/lancer You may find interesting additional informations here. Also we were spamming maintainers regualrly, check you spam folder. We had tried aprox 500 packages, and aprox 65 had failed, so the java-17-openjdk will be system JDK in f36, and you should fix your package if you want to keep it alive. Usually the fix is simple, and best is to update the package to latest upstream version. There will be usual mass rebuild once f36 branches. You may got another FTBFS bug. Let us know here if you have any questions, here in bug, or at java-devel(a)lists.fedoraproject.org . We'd appreciate help from the people who know this package best, but if you don't want to work on this now, let us know so we can try to work around it on our side if needed. Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2024265 [Bug 2024265] java-17-openjdk as system JDK in F36 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2051184

1 year, 1 month

1
3
0 / 0

[Bug 2130376] New: Apache httpcomponents-client package is missing httpmime.jar

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2130376 Bug ID: 2130376 Summary: Apache httpcomponents-client package is missing httpmime.jar Product: Fedora Version: 36 Status: NEW Component: httpcomponents-client Assignee: stuart(a)gathman.org Reporter: sima85307(a)mypacks.net QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, stuart(a)gathman.org Target Milestone: --- Classification: Fedora Description of problem: The httpmime.jar build artifact is missing from the Apache httpcomponents-client package. Version-Release number of selected component (if applicable): If I recall correctly, this file went missing in the transition from Fedora 34 to 35. It is missing in all versions 35 onward. How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2130376

1 year, 1 month

1
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits November 2022