https://bugzilla.redhat.com/show_bug.cgi?id=2170627
Bug ID: 2170627
Summary: CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [epel-all]
Product: Fedora EPEL
Version: epel8
Status: NEW
Component: xstream
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: fedoraproject.org@bluhm-de.com
Reporter: askrabec@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: didiksupriadi41@gmail.com, fedoraproject.org@bluhm-de.com, java-sig-commits@lists.fedoraproject.org, lkundrak@v3.sk, mizdebsk@redhat.com
Target Milestone: ---
Classification: Fedora
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2170431
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
--- Comment #1 from Anten Skrabec askrabec@redhat.com --- Use the following template for the 'fedpkg update' request to submit an update for this issue, as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.
=====
# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=high

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2170431,2170627

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
=====
Additionally, you may opt to use the bodhi web interface to submit updates:
https://bodhi.fedoraproject.org/updates/new
Anten Skrabec askrabec@redhat.com changed:
What            |Removed         |Added
----------------------------------------------------------------------------
Blocks          |                |2170431 (CVE-2022-41966)
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2170431 [Bug 2170431] CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
Carl George 🤠 carl@redhat.com changed:
What            |Removed         |Added
----------------------------------------------------------------------------
CC              |                |carl@redhat.com
--- Comment #2 from Carl George 🤠 carl@redhat.com --- https://src.fedoraproject.org/rpms/xstream/pull-request/7
Fedora Update System updates@fedoraproject.org changed:
What            |Removed         |Added
----------------------------------------------------------------------------
Status          |NEW             |MODIFIED
--- Comment #3 from Fedora Update System updates@fedoraproject.org --- FEDORA-EPEL-2023-3e2af74f4d has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-3e2af74f4d
Fedora Update System updates@fedoraproject.org changed:
What            |Removed         |Added
----------------------------------------------------------------------------
Status          |MODIFIED        |ON_QA
--- Comment #4 from Fedora Update System updates@fedoraproject.org --- FEDORA-EPEL-2023-3e2af74f4d has been pushed to the Fedora EPEL 8 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-3e2af74f4d
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Fedora Update System updates@fedoraproject.org changed:
What            |Removed         |Added
----------------------------------------------------------------------------
Status          |ON_QA           |CLOSED
Resolution      |---             |ERRATA
Fixed In Version|                |xstream-1.4.20-1.el8
Last Closed     |                |2023-06-23 00:32:12
--- Comment #5 from Fedora Update System updates@fedoraproject.org --- FEDORA-EPEL-2023-3e2af74f4d has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.