[Bug 1937440] New: CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1937440
Bug ID: 1937440
Summary: CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, akurtako(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
andjrobins(a)gmail.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
bbaranow(a)redhat.com, bibryam(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, darran.lofthouse(a)redhat.com,
dbhole(a)redhat.com, decathorpe(a)gmail.com,
devrim(a)gunduz.org, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eleandro(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, fjuma(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gvarsami(a)redhat.com,
hbraun(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jcoleman(a)redhat.com, jerboaa(a)gmail.com,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jperkins(a)redhat.com, jross(a)redhat.com,
jschatte(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, ldimaggi(a)redhat.com,
lef(a)fedoraproject.org, lgao(a)redhat.com,
loleary(a)redhat.com, mat.booth(a)redhat.com,
mizdebsk(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
nstielau(a)redhat.com, nwallace(a)redhat.com,
pantinor(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, rgrunber(a)redhat.com,
rguimara(a)redhat.com, rhcs-maint(a)redhat.com,
rrajasek(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, sdaley(a)redhat.com,
sd-operator-metering(a)redhat.com, smaestri(a)redhat.com,
sochotni(a)redhat.com, spinder(a)redhat.com,
sponnaga(a)redhat.com, tcunning(a)redhat.com,
tflannag(a)redhat.com, theute(a)redhat.com,
tkirby(a)redhat.com, tom.jenkinson(a)redhat.com,
yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
An attacker that is able to modify Velocity templates may execute arbitrary
Java code or run arbitrary system commands with the same privileges as the
account running the Servlet container. This applies to applications that allow
untrusted users to upload/modify velocity templates running Apache Velocity
Engine versions up to 2.2.
References:
https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f8...
http://www.openwall.com/lists/oss-security/2021/03/10/1
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1900374] New: M2E plugin stop works after upgrade
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1900374
Bug ID: 1900374
Summary: M2E plugin stop works after upgrade
Product: Fedora
Version: 33
Hardware: x86_64
OS: Linux
Status: NEW
Component: eclipse-m2e-core
Severity: urgent
Assignee: mat.booth(a)redhat.com
Reporter: danielsun3164(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Created attachment 1732101
--> https://bugzilla.redhat.com/attachment.cgi?id=1732101&action=edit
.metadata/.log in new workspace
Description of problem:
I upgraded several eclipse packages today and the M2E plugin stopped working.
Version-Release number of selected component (if applicable):
$ rpm -q eclipse-platform eclipse-m2e-core lucene
eclipse-platform-4.17-3.fc33.x86_64
eclipse-m2e-core-1.16.2-1.fc33.noarch
lucene-8.6.3-1.fc33.noarch
How reproducible:
Every time
Steps to Reproduce:
1. Open eclipse in a new workspace
2. Create a new Maven Project
Actual results:
A dialog as following was displayed:
title: Multiple problems have occurred
Message: The selected wizard could not be started.
Problem Opening Wizard
(Details:
The selected wizard could not be started.
Plug-in org.eclipse.m2e.core.ui was unable to load class
org.eclipse.m2e.core.ui.internal.wizards.MavenProjectWizard.
An error occurred while automatically activating bundle org.eclipse.m2e.core.ui
(5821).)
Updating Maven Dependencies
(Details:
An internal error occurred during: "Updating Maven Dependencies".
org/eclipse/m2e/core/internal/embedder/MavenExecutionContext)
Expected results:
M2E plugin should work without errors.
Additional info:
Opening an existing workspace with a Maven project gives the same "Updating Maven
Dependencies" error.
[Bug 1889417] New: Eclipse Repository loader constraint violation after adding JBoss Developer Tools 4.16
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1889417
Bug ID: 1889417
Summary: Eclipse Repository loader constraint violation after adding JBoss Developer Tools 4.16
Product: Fedora
Version: 33
Status: NEW
Component: eclipse-m2e-core
Assignee: mat.booth(a)redhat.com
Reporter: shihping.chan(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
After adding the rest of JBoss Developer Tools 4.16.0 to a relatively clean
Eclipse, I get:
An internal error occurred during: "Repository registry initialization".
loader constraint violation: when resolving interface method
'org.apache.maven.index.context.IndexingContext
org.apache.maven.index.NexusIndexer.addIndexingContextForced(java.lang.String,
java.lang.String, java.io.File, org.apache.lucene.store.Directory,
java.lang.String, java.lang.String, java.util.List)' the class loader
org.eclipse.osgi.internal.loader.EquinoxClassLoader @ca944c6 of the current
class, org/eclipse/m2e/core/internal/index/nexus/NexusIndexManager, and the
class loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @34e347a5 for
the method's defining class, org/apache/maven/index/NexusIndexer, have
different Class objects for the type org/apache/lucene/store/Directory used in
the signature (org.eclipse.m2e.core.internal.index.nexus.NexusIndexManager is
in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader
@ca944c6, parent loader 'platform'; org.apache.maven.index.NexusIndexer is in
unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader
@34e347a5, parent loader 'platform')
Version-Release number of selected component (if applicable):
eclipse-emf-core-2.22.0-2.fc33.noarch
eclipse-usage-4.16.0-2.fc33.noarch
eclipse-swt-4.16-13.fc33.x86_64
eclipse-m2e-workspace-0.4.0-16.fc33.noarch
eclipse-equinox-osgi-4.16-13.fc33.x86_64
eclipse-ecf-core-3.14.8-5.fc33.noarch
eclipse-platform-4.16-13.fc33.x86_64
eclipse-jdt-4.16-13.fc33.noarch
eclipse-emf-runtime-2.22.0-2.fc33.noarch
eclipse-gef-3.11.0-13.fc33.noarch
eclipse-webtools-common-3.18.0-5.fc33.noarch
eclipse-p2-discovery-4.16-13.fc33.noarch
eclipse-webtools-servertools-3.18.0-5.fc33.noarch
eclipse-emf-xsd-2.22.0-2.fc33.noarch
eclipse-webtools-sourceediting-3.18.0-5.fc33.noarch
eclipse-m2e-core-1.16.1-2.fc33.noarch
eclipse-mpc-1.8.3-2.fc33.noarch
eclipse-pydev-7.7.0-1.fc33.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Remove ~/.eclipse
2. Note: part of JBoss Developer Tools 4.16.0 comes installed
3. Go to Marketplace, install every feature of 4.16.0.
Actual results:
On restart the following message appears:
An internal error occurred during: "Repository registry initialization".
loader constraint violation: when resolving interface method
'org.apache.maven.index.context.IndexingContext
org.apache.maven.index.NexusIndexer.addIndexingContextForced(java.lang.String,
java.lang.String, java.io.File, org.apache.lucene.store.Directory,
java.lang.String, java.lang.String, java.util.List)' the class loader
org.eclipse.osgi.internal.loader.EquinoxClassLoader @ca944c6 of the current
class, org/eclipse/m2e/core/internal/index/nexus/NexusIndexManager, and the
class loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @34e347a5 for
the method's defining class, org/apache/maven/index/NexusIndexer, have
different Class objects for the type org/apache/lucene/store/Directory used in
the signature (org.eclipse.m2e.core.internal.index.nexus.NexusIndexManager is
in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader
@ca944c6, parent loader 'platform'; org.apache.maven.index.NexusIndexer is in
unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader
@34e347a5, parent loader 'platform')
Expected results:
Features are added with no errors
Additional info:
[Bug 1891132] New: CVE-2020-27216 jetty: local temporary directory hijacking vulnerability
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1891132
Bug ID: 1891132
Summary: CVE-2020-27216 jetty: local temporary directory hijacking vulnerability
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: abenaiss(a)redhat.com, aboyko(a)redhat.com,
aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, aos-bugs(a)redhat.com,
ataylor(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, etirelli(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gvarsami(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcoleman(a)redhat.com,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com,
mnovotny(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, pbhattac(a)redhat.com,
pdrozd(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, sdaley(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
sthorger(a)redhat.com, tcunning(a)redhat.com,
tkirby(a)redhat.com, vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru
10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix-like systems, the
system's temporary directory is shared between all users on that system. A
co-located user can observe the process of creating a temporary subdirectory
in the shared temporary directory and race to complete the creation of the
temporary subdirectory. If the attacker wins the race then they will have read
and write permission to the subdirectory used to unpack web applications,
including their WEB-INF/lib jar files and JSP files. If any code is ever
executed out of this temporary directory, this can lead to a local privilege
escalation vulnerability.
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6m...
[Bug 1857369] New: CVE-2019-17637 eclipse-webtools: XML external entity vulnerability in DTD Parser/Validator
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1857369
Bug ID: 1857369
Summary: CVE-2019-17637 eclipse-webtools: XML external entity vulnerability in DTD Parser/Validator
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt,
mat.booth(a)redhat.com
Target Milestone: ---
Classification: Other
In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06),
XML and DTD files referring to external entities could be exploited to send the
contents of local files to a remote server when edited or validated, even when
external entity resolution is disabled in the user preferences.
Upstream bug:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=458571
[Bug 1857370] New: CVE-2019-17637 eclipse-webtools: XML external entity vulnerability in DTD Parser/Validator [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1857370
Bug ID: 1857370
Summary: CVE-2019-17637 eclipse-webtools: XML external entity vulnerability in DTD Parser/Validator [fedora-all]
Product: Fedora
Version: 32
Status: NEW
Component: eclipse-webtools
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mat.booth(a)redhat.com
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt,
mat.booth(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1948353] New: Not Support For Java EE
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1948353
Bug ID: 1948353
Summary: Not Support For Java EE
Product: Fedora
Version: 32
Hardware: x86_64
OS: Linux
Status: NEW
Component: eclipse-webtools
Severity: medium
Assignee: mat.booth(a)gmail.com
Reporter: flydove(a)qq.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt,
mat.booth(a)gmail.com
Target Milestone: ---
Classification: Fedora
uname -a
Linux FedoraLinux 5.8.17-200.fc32.x86_64 #1 SMP Thu Oct 29 18:14:53 UTC 2020
x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep eclipse | grep web
eclipse-webtools-common-3.18.0-4.fc32.noarch
eclipse-webtools-servertools-3.18.0-4.fc32.noarch
eclipse-webtools-sourceediting-3.18.0-4.fc32.noarch
$ sudo dnf install eclipse-webtools-javaee --best -4 -y
上次元数据过期检查:0:32:09 前,执行于 2021年04月12日 星期一 09时31分17秒。
软件包 eclipse-webtools-common-3.18.0-4.fc32.noarch 已安装。
依赖关系解决。
无需任何处理。
完毕!
$
[Bug 1891670] New: Where is the Eclipse Workspace Choose button
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1891670
Bug ID: 1891670
Summary: Where is the Eclipse Workspace Choose button
Product: Fedora
Version: 32
Hardware: All
OS: Linux
Status: NEW
Component: eclipse
Severity: high
Assignee: mat.booth(a)redhat.com
Reporter: flydove(a)qq.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, andjrobins(a)gmail.com,
dbhole(a)redhat.com, ebaron(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, jjohnstn(a)redhat.com,
lef(a)fedoraproject.org, mat.booth(a)redhat.com,
rgrunber(a)redhat.com
Target Milestone: ---
Classification: Fedora
Created attachment 1724459
--> https://bugzilla.redhat.com/attachment.cgi?id=1724459&action=edit
Where is the Eclipse Workspace Choose button
Where is the Eclipse Workspace Choose button?
[Bug 1832383] New: Unable to build maven projects from eclipse
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1832383
Bug ID: 1832383
Summary: Unable to build maven projects from eclipse
Product: Fedora
Version: 32
Status: NEW
Component: eclipse-m2e-core
Severity: high
Assignee: mat.booth(a)redhat.com
Reporter: danielsun3164(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org, gerard(a)ryan.lt,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Created attachment 1685783
--> https://bugzilla.redhat.com/attachment.cgi?id=1685783&action=edit
Eclipse metadata/.log
Description of problem:
Unable to build maven projects from eclipse
Version-Release number of selected component (if applicable):
$ rpm -q eclipse-jdt eclipse-m2e-core maven-archetype-common maven-artifact-transfer
eclipse-jdt-4.15-5.module_f32+8555+6b76193d.noarch
eclipse-m2e-core-1.15.0-3.module_f32+8482+8510b2e7.noarch
maven-archetype-common-3.1.1-1.module_f32+8422+d2b9781b.noarch
maven-artifact-transfer-0.11.0-2.fc32.noarch
How reproducible:
Every time
Steps to Reproduce:
1. Open Eclipse.
2. Try to create a new Maven project or build an existing Maven project
Actual results:
An error dialog will be displayed.
Expected results:
Maven projects should be built or created successfully.
Additional info:
According to https://bugzilla.redhat.com/show_bug.cgi?id=1704981 , updating
"maven-archetype-common" from "3.1.1" to "3.1.2" could solve this problem, but
I cannot find a maven-archetype-common-3.1.2 package anywhere.
[Bug 1891133] New: CVE-2020-27216 jetty: local temporary directory hijacking vulnerability [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1891133
Bug ID: 1891133
Summary: CVE-2020-27216 jetty: local temporary directory hijacking vulnerability [fedora-all]
Product: Fedora
Version: 32
Status: NEW
Component: jetty
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mat.booth(a)redhat.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.