March 2021 - eclipse-sig - Fedora Mailing-Lists

[Bug 1719748] New: jetty-9.4.19.v20190610 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1719748 Bug ID: 1719748 Summary: jetty-9.4.19.v20190610 is available Product: Fedora Version: rawhide Status: NEW Component: jetty Keywords: FutureFeature, Triaged Assignee: mat.booth(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: eclipse-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com, mat.booth(a)redhat.com, mizdebsk(a)redhat.com, sochotni(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 9.4.19.v20190610 Current version/release in rawhide: 9.4.18-2.v20190429.fc31 URL: http://www.eclipse.org/jetty Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1447/ -- You are receiving this mail because: You are on the CC list for the bug.

1 year, 6 months

1
24
0 / 0

[Bug 1934116] New: CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1934116 Bug ID: 1934116 Summary: CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jjohnstn(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, mat.booth(a)redhat.com, mcermak(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, mprchlik(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, patrickm(a)redhat.com, pbhattac(a)redhat.com, pdrozd(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, sochotni(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, tcunning(a)redhat.com, tflannag(a)redhat.com, tkirby(a)redhat.com, vbobade(a)redhat.com, vkadlcik(a)redhat.com Target Milestone: --- Classification: Other In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. References: https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128 https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8r... -- You are receiving this mail because: You are on the CC list for the bug.

1 year, 7 months

1
39
0 / 0

[Bug 1944888] New: CVE-2021-21409 netty: Request smuggling via content-length header

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1944888 Bug ID: 1944888 Summary: CVE-2021-21409 netty: Request smuggling via content-length header Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, akurtako(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, andjrobins(a)gmail.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dbhole(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, ebaron(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eleandro(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fjuma(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gsmet(a)redhat.com, hamadhan(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcantril(a)redhat.com, jerboaa(a)gmail.com, jjohnstn(a)redhat.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jross(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)gmail.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nmoumoul(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pcreech(a)redhat.com, pdrozd(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, probinso(a)redhat.com, rchan(a)redhat.com, rgodfrey(a)redhat.com, rgrunber(a)redhat.com, rguimara(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sbiarozk(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, sokeeffe(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tflannag(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. References: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38d... https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj -- You are receiving this mail because: You are on the CC list for the bug.

1 year, 9 months

1
55
0 / 0

[Bug 1937364] New: CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1937364 Bug ID: 1937364 Summary: CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, akurtako(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, andjrobins(a)gmail.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dbhole(a)redhat.com, decathorpe(a)gmail.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, ebaron(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eleandro(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fjuma(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gsmet(a)redhat.com, hamadhan(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcantril(a)redhat.com, jerboaa(a)gmail.com, jjohnstn(a)redhat.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jross(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mat.booth(a)redhat.com, mburns(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nmoumoul(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pcreech(a)redhat.com, pdrozd(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, probinso(a)redhat.com, rchan(a)redhat.com, rgodfrey(a)redhat.com, rgrunber(a)redhat.com, rguimara(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sbiarozk(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, sokeeffe(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tflannag(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. Reference: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj Upstream patch: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2f... -- You are receiving this mail because: You are on the CC list for the bug.

1 year, 9 months

1
47
0 / 0

[Bug 1902826] New: CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1902826 Bug ID: 1902826 Summary: CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bmontgom(a)redhat.com, btofel(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jjohnstn(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, mat.booth(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pbhattac(a)redhat.com, pdrozd(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, sochotni(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, vbobade(a)redhat.com Target Milestone: --- Classification: Other In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request. References: https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892 https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rr... -- You are receiving this mail because: You are on the CC list for the bug.

2 years

1
37
0 / 0

[Bug 1933816] New: CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1933816 Bug ID: 1933816 Summary: CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, akurtako(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, andjrobins(a)gmail.com, anstephe(a)redhat.com, bibryam(a)redhat.com, chazlett(a)redhat.com, dbhole(a)redhat.com, drieden(a)redhat.com, ebaron(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, jerboaa(a)gmail.com, jjohnstn(a)redhat.com, jkang(a)redhat.com, jochrist(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, lef(a)fedoraproject.org, mat.booth(a)redhat.com, mcermak(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, mprchlik(a)redhat.com, pantinor(a)redhat.com, patrickm(a)redhat.com, pjindal(a)redhat.com, rgrunber(a)redhat.com, rlandman(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, vkadlcik(a)redhat.com Target Milestone: --- Classification: Other Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. References: https://xmlgraphics.apache.org/security.html https://www.openwall.com/lists/oss-security/2021/02/24/1 -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 4 months

1
18
0 / 0

[Bug 1933808] New: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1933808 Bug ID: 1933808 Summary: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akurtako(a)redhat.com, andjrobins(a)gmail.com, chazlett(a)redhat.com, dbhole(a)redhat.com, drieden(a)redhat.com, ebaron(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, ggaughan(a)redhat.com, gmalinko(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, jjohnstn(a)redhat.com, jkang(a)redhat.com, jochrist(a)redhat.com, jvanek(a)redhat.com, jwon(a)redhat.com, lef(a)fedoraproject.org, mat.booth(a)redhat.com, mizdebsk(a)redhat.com, rgrunber(a)redhat.com Target Milestone: --- Classification: Other Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. References: https://xmlgraphics.apache.org/security.html https://www.openwall.com/lists/oss-security/2021/02/24/2 -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 4 months

1
13
0 / 0

[Bug 1937440] New: CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1937440 Bug ID: 1937440 Summary: CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, akurtako(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, andjrobins(a)gmail.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, bbaranow(a)redhat.com, bibryam(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, darran.lofthouse(a)redhat.com, dbhole(a)redhat.com, decathorpe(a)gmail.com, devrim(a)gunduz.org, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, ebaron(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eleandro(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, fjuma(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcantril(a)redhat.com, jcoleman(a)redhat.com, jerboaa(a)gmail.com, jjohnstn(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jperkins(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, ldimaggi(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, loleary(a)redhat.com, mat.booth(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, rgrunber(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rrajasek(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, tcunning(a)redhat.com, tflannag(a)redhat.com, theute(a)redhat.com, tkirby(a)redhat.com, tom.jenkinson(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. References: https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f8... http://www.openwall.com/lists/oss-security/2021/03/10/1 -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 4 months

1
40
0 / 0

[Bug 1900374] New: M2E plugin stop works after upgrade

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1900374 Bug ID: 1900374 Summary: M2E plugin stop works after upgrade Product: Fedora Version: 33 Hardware: x86_64 OS: Linux Status: NEW Component: eclipse-m2e-core Severity: urgent Assignee: mat.booth(a)redhat.com Reporter: danielsun3164(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt, mat.booth(a)redhat.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Created attachment 1732101 --> https://bugzilla.redhat.com/attachment.cgi?id=1732101&action=edit .metadata/.log in new workspace Description of problem: I upgraded several eclipse packages today and M2E plugin stopped works. Version-Release number of selected component (if applicable): $ rpm -q eclipse-platform eclipse-m2e-core lucene eclipse-platform-4.17-3.fc33.x86_64 eclipse-m2e-core-1.16.2-1.fc33.noarch lucene-8.6.3-1.fc33.noarch How reproducible: Everytime Steps to Reproduce: 1. Open eclipse in a new workspace 2. Create a new Maven Project Actual results: A dialog as following was displayed: title: Multiple problems have occurred Message: The selected wizard could not be started. Problem Opening Wizard (Details: The selected wizard could not be started. Plug-in org.eclipse.m2e.core.ui was unable to load class org.eclipse.m2e.core.ui.internal.wizards.MavenProjectWizard. An error occurred while automatically activating bundle org.eclipse.m2e.core.ui (5821).) Updaing Maven Dependencies (Details: An internal error occurred during: "Updating Maven Dependencies". org/eclipse/m2e/core/internal/embedder/MavenExecutionContext) Expected results: M2E plugin should works without errors. Additional info: Openning an existing workspace with maven project got the same "Updaing Maven Dependencies" error. -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 4 months

1
12
0 / 0

[Bug 1889417] New: Eclipse Repository loader constraint violation after adding JBoss Developer Tools 4.16

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1889417 Bug ID: 1889417 Summary: Eclipse Repository loader constraint violation after adding JBoss Developer Tools 4.16 Product: Fedora Version: 33 Status: NEW Component: eclipse-m2e-core Assignee: mat.booth(a)redhat.com Reporter: shihping.chan(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt, mat.booth(a)redhat.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Description of problem: After adding the rest of JBoss Developer Tools 4.16.0 to a relatively clean eclipse get An internal error occurred during: "Repository registry initialization". loader constraint violation: when resolving interface method 'org.apache.maven.index.context.IndexingContext org.apache.maven.index.NexusIndexer.addIndexingContextForced(java.lang.String, java.lang.String, java.io.File, org.apache.lucene.store.Directory, java.lang.String, java.lang.String, java.util.List)' the class loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @ca944c6 of the current class, org/eclipse/m2e/core/internal/index/nexus/NexusIndexManager, and the class loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @34e347a5 for the method's defining class, org/apache/maven/index/NexusIndexer, have different Class objects for the type org/apache/lucene/store/Directory used in the signature (org.eclipse.m2e.core.internal.index.nexus.NexusIndexManager is in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @ca944c6, parent loader 'platform'; org.apache.maven.index.NexusIndexer is in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @34e347a5, parent loader 'platform') Version-Release number of selected component (if applicable): eclipse-emf-core-2.22.0-2.fc33.noarch eclipse-usage-4.16.0-2.fc33.noarch eclipse-swt-4.16-13.fc33.x86_64 eclipse-m2e-workspace-0.4.0-16.fc33.noarch eclipse-equinox-osgi-4.16-13.fc33.x86_64 eclipse-ecf-core-3.14.8-5.fc33.noarch eclipse-platform-4.16-13.fc33.x86_64 eclipse-jdt-4.16-13.fc33.noarch eclipse-emf-runtime-2.22.0-2.fc33.noarch eclipse-gef-3.11.0-13.fc33.noarch eclipse-webtools-common-3.18.0-5.fc33.noarch eclipse-p2-discovery-4.16-13.fc33.noarch eclipse-webtools-servertools-3.18.0-5.fc33.noarch eclipse-emf-xsd-2.22.0-2.fc33.noarch eclipse-webtools-sourceediting-3.18.0-5.fc33.noarch eclipse-m2e-core-1.16.1-2.fc33.noarch eclipse-mpc-1.8.3-2.fc33.noarch eclipse-pydev-7.7.0-1.fc33.x86_64 How reproducible: Always Steps to Reproduce: 1. Remove ~/.eclipse 2. Note: part of JBoss Developer Tools 4.16.0 comes installed 3. Got to Marketplace, install every feature of 4.16.0. Actual results: On restart the following mesage An internal error occurred during: "Repository registry initialization". loader constraint violation: when resolving interface method 'org.apache.maven.index.context.IndexingContext org.apache.maven.index.NexusIndexer.addIndexingContextForced(java.lang.String, java.lang.String, java.io.File, org.apache.lucene.store.Directory, java.lang.String, java.lang.String, java.util.List)' the class loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @ca944c6 of the current class, org/eclipse/m2e/core/internal/index/nexus/NexusIndexManager, and the class loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @34e347a5 for the method's defining class, org/apache/maven/index/NexusIndexer, have different Class objects for the type org/apache/lucene/store/Directory used in the signature (org.eclipse.m2e.core.internal.index.nexus.NexusIndexManager is in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @ca944c6, parent loader 'platform'; org.apache.maven.index.NexusIndexer is in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @34e347a5, parent loader 'platform') Expected results: Features are added with no errors Additional info: -- You are receiving this mail because: You are on the CC list for the bug.

2 years, 4 months

1
9
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

eclipse-sig March 2021