[Bug 1129074] CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1129074
Ján Rusnačko <jrusnack(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|40818,reported=20140812,sou |40818,reported=20140812,sou
|rce=upstream,cvss2=5.8/AV:N |rce=upstream,cvss2=5.8/AV:N
|/AC:M/Au:N/C:P/I:P/A:N,cwe= |/AC:M/Au:N/C:P/I:P/A:N,cwe=
|CWE-297,rhel-5/jakarta-comm |CWE-297,rhel-5/jakarta-comm
|ons-httpclient=affected,rhe |ons-httpclient=affected,rhe
|l-6/jakarta-commons-httpcli |l-6/jakarta-commons-httpcli
|ent=notaffected,rhel-7/jaka |ent=affected,rhel-7/jakarta
|rta-commons-httpclient=nota |-commons-httpclient=affecte
|ffected,fedora-all/jakarta- |d,fedora-all/jakarta-common
|commons-httpclient=affected |s-httpclient=affected,rhel-
|,rhel-7/httpcomponents-clie |7/httpcomponents-client=aff
|nt=notaffected,fedora-all/h |ected,fedora-all/httpcompon
|ttpcomponents-client=affect |ents-client=affected,brms-6
|ed,brms-6/httpclient=affect |/httpclient=affected,bpms-6
|ed,bpms-6/httpclient=affect |/httpclient=affected,brms-6
|ed,brms-6/jakarta-commons-h |/jakarta-commons-httpclient
|ttpclient=affected,bpms-6/j |=affected,bpms-6/jakarta-co
|akarta-commons-httpclient=a |mmons-httpclient=affected,j
|ffected,jdg-6/httpclient=af |dg-6/httpclient=affected,jd
|fected,jdv-6/modeshape-clie |v-6/modeshape-client=defer,
|nt=defer,jdv-6/httpclient=a |jdv-6/httpclient=affected,d
|ffected,dts-2.1/httpcompone |ts-2.1/httpcomponents-clien
|nts-client=notaffected,eap- |t=notaffected,eap-4/jakarta
|4/jakarta-commons-httpclien |-commons-httpclient=wontfix
|t=wontfix,eap-5/httpclient= |,eap-5/httpclient=affected,
|affected,eap-5/jakarta-comm |eap-5/jakarta-commons-httpc
|ons-httpclient=affected,eap |lient=affected,eap-6/httpcl
|-6/httpclient=affected,eap- |ient=affected,eap-6/jakarta
|6/jakarta-commons-httpclien |-commons-httpclient=defer,e
|t=defer,epp-5/httpclient=af |pp-5/httpclient=affected,ep
|fected,epp-5/jakarta-common |p-5/jakarta-commons-httpcli
|s-httpclient=affected,brms- |ent=affected,brms-5/httpcli
|5/httpclient=affected,brms- |ent=affected,brms-5/jakarta
|5/jakarta-commons-httpclien |-commons-httpclient=affecte
|t=affected,brms-5/modeshape |d,brms-5/modeshape-client=a
|-client=affected,soap-4.3/j |ffected,soap-4.3/jakarta-co
|akarta-commons-httpclient=w |mmons-httpclient=wontfix,so
|ontfix,soap-5/httpclient=af |ap-5/httpclient=affected,so
|fected,soap-5/jakarta-commo |ap-5/jakarta-commons-httpcl
|ns-httpclient=affected,jbew |ient=affected,jbews-1/jakar
|s-1/jakarta-commons-httpcli |ta-commons-httpclient=wontf
|ent=wontfix,fsw-6/httpclien |ix,fsw-6/httpclient=affecte
|t=affected,jon-3/httpclient |d,jon-3/httpclient=affected
|=affected,jon-3/jakarta-com |,jon-3/jakarta-commons-http
|mons-httpclient=affected,jp |client=affected,jpp-6/httpc
|p-6/httpclient=affected,wfk |lient=affected,wfk-2/httpcl
|-2/httpclient=affected,open |ient=affected,openshift-ent
|shift-enterprise-1/wagon-ht |erprise-1/wagon-http=notaff
|tp=notaffected,openshift-en |ected,openshift-enterprise-
|terprise-2/wagon-http=notaf |2/wagon-http=notaffected,op
|fected,openshift-enterprise |enshift-enterprise-1/jakart
|-1/jakarta-commons-httpclie |a-commons-httpclient=wontfi
|nt=wontfix,openshift-enterp |x,openshift-enterprise-2/ja
|rise-2/jakarta-commons-http |karta-commons-httpclient=af
|client=affected,openshift-e |fected,openshift-enterprise
|nterprise-2/httpclient=affe |-2/httpclient=affected,rhev
|cted,rhev-m-3/jasperreports |-m-3/jasperreports-server-p
|-server-pro=affected,rhev-m |ro=affected,rhev-m-3.4/rhev
|-3.4/rhevm-dependencies=won |m-dependencies=wontfix,rhev
|tfix,rhev-m-3.5/rhevm-depen |-m-3.5/rhevm-dependencies=a
|dencies=affected,rhev-m-3/r |ffected,rhev-m-3/redhat-sup
|edhat-support-plugin-rhev=a |port-plugin-rhev=affected,r
|ffected,rhn_satellite_6/htt |hn_satellite_6/httpcomponen
|pcomponents-client=affected |ts-client=affected,rhn_sate
|,rhn_satellite_5/jakarta-co |llite_5/jakarta-commons-htt
|mmons-httpclient=wontfix,rh |pclient=wontfix,rhscl-1/the
|scl-1/thermostat1-httpcompo |rmostat1-httpcomponents-cli
|nents-client=affected,rhscl |ent=affected,rhscl-1/maven3
|-1/maven30-httpcomponents-c |0-httpcomponents-client=aff
|lient=affected,rhscl-1/mave |ected,rhscl-1/maven30-jakar
|n30-jakarta-commons-httpcli |ta-commons-httpclient=affec
|ent=affected,rhes-2.1/rhevm |ted,rhes-2.1/rhevm-dependen
|-dependencies=wontfix,rhes- |cies=wontfix,rhes-3.0/rhevm
|3.0/rhevm-dependencies=defe |-dependencies=defer,jboss/e
|r,jboss/ewp-5=affected,jbos |wp-5=affected,jboss/fuse-es
|s/fuse-esb-4=wontfix,jboss/ |b-4=wontfix,jboss/fuse-esb-
|fuse-esb-7=affected,jboss/f |7=affected,jboss/fuse-mq-5.
|use-mq-5.4=wontfix,jboss/fu |4=wontfix,jboss/fuse-mq-5.5
|se-mq-5.5=affected,jboss/fu |=affected,jboss/fuse-mq-7=a
|se-mq-7=affected,jboss/fsf- |ffected,jboss/fsf-2=wontfix
|2=wontfix,jboss/amq-6=affec |,jboss/amq-6=affected,jboss
|ted,jboss/jds-5=defer,jboss |/jds-5=defer,jboss/jds-6=de
|/jds-6=defer,jboss/jds-7=de |fer,jboss/jds-7=defer,jboss
|fer,jboss/fuse-6=affected,e |/fuse-6=affected,eds-5/mode
|ds-5/modeshape-client=defer |shape-client=defer,brms-5/c
|,brms-5/cxf=affected,brms-6 |xf=affected,brms-6/cxf=affe
|/cxf=affected,bpms-6/cxf=af |cted,bpms-6/cxf=affected,so
|fected,soap-5/cxf=affected, |ap-5/cxf=affected,fsw-6/cxf
|fsw-6/cxf=affected,eds-5/cx |=affected,eds-5/cxf=affecte
|f=affected,jdv-6/cxf=affect |d,jdv-6/cxf=affected,eap-5/
|ed,eap-5/cxf=affected,eap-6 |cxf=affected,eap-6/cxf=affe
|/cxf=affected,jon-3/cxf=aff |cted,jon-3/cxf=affected,jpp
|ected,jpp-6/cxf=affected,jd |-6/cxf=affected,jdg-6/cxf=a
|g-6/cxf=affected,eds-5/http |ffected,eds-5/httpclient=af
|client=affected |fected
[Bug 1261458] New: Zookeeper service fails to start due to classpath errors, logging no error
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1261458
Bug ID: 1261458
Summary: Zookeeper service fails to start due to classpath errors, logging no error
Product: Fedora
Version: 22
Component: zookeeper
Assignee: tstclair(a)redhat.com
Reporter: KevinFarshaw(a)mailinator.com
QA Contact: extras-qa(a)fedoraproject.org
CC: ctubbsii-fedora(a)apache.org, ethan(a)ethantuttle.com, java-sig-commits(a)lists.fedoraproject.org, jeff(a)ocjtech.us, s(a)shk.io, tstclair(a)redhat.com
Created attachment 1071694
--> https://bugzilla.redhat.com/attachment.cgi?id=1071694&action=edit
Patched /usr/libexec/zkEnv.sh
I've reviewed the other zookeeper issues; they report other problems and
concern f21 rather than the current f22.
Description of problem:
After sudo cp /etc/zookeeper/zoo_sample.cfg /etc/zookeeper/zoo.cfg,
starting the zookeeper service fails silently without logging any error
to console or journal.
Manually starting it in the foreground using:
sudo -u zookeeper /usr/bin/zkServer.sh start-foreground
Gives:
JMX enabled by default
Using config: /etc/zookeeper/zoo.cfg
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/share/java/slf4j/slf4j-log4j12.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/share/java/slf4j/slf4j-simple.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/share/java/slf4j/slf4j-nop.jar!/org/slf4j/impl/StaticLoggerBinder.class]
Version-Release number of selected component (if applicable):
zookeeper-3.4.6-4.fc22.x86_64
How reproducible:
always
Steps to Reproduce:
1. sudo cp /etc/zookeeper/zoo_sample.cfg /etc/zookeeper/zoo.cfg
2. systemctl start zookeeper (fails, nothing logged)
3. sudo -u zookeeper /usr/bin/zkServer.sh start-foreground (logs error to
stderr)
Additional info:
Tipped off by https://issues.apache.org/jira/browse/SOLR-2369, it appears
that:
1. The classpath used to launch zk contains multiple jars of
slf4j logging providers.
2. This is not allowed as documented by slf4j at
http://www.slf4j.org/codes.html#multiple_bindings
3. Inspection of the classpath setup by /usr/libexec/zkEnv.sh shows much
duplication, including multiple bindings.
Attached modified zkEnv.sh in which I've:
1. Removed duplicates.
2. Commented out alternate bindings and allegedly redundant jars.
3. I did not intentionally remove any jars originally in the file (only
commented).
4. Added individual log4j jars from appropriate package.
After updating zkEnv.sh, starting the service with systemctl complains
about missing precondition of file at /var/lib/zookeeper/data/myid.
After creating the file (with a single line containing an id such as
the digit '1'), zookeeper starts.
I have not exercised zookeeper to see whether something else is broken
(or was broken by the changes), but it does start up properly now.
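The classpath condition described in the report above can be checked before a service is started. The following is an added example, not part of the original report and not the attached zkEnv.sh: it de-duplicates a colon-separated classpath and flags more than one SLF4J binding jar. The sample classpath is constructed, the function names are hypothetical, and matching bindings by jar file name is an assumption (the authoritative test is whether a jar contains org/slf4j/impl/StaticLoggerBinder.class).

```shell
#!/bin/sh
# Constructed sample classpath with a repeated entry and three SLF4J bindings.
SAMPLE_CP="/usr/share/java/zookeeper/zookeeper.jar:/usr/share/java/slf4j/slf4j-api.jar"
SAMPLE_CP="$SAMPLE_CP:/usr/share/java/slf4j/slf4j-log4j12.jar:/usr/share/java/slf4j/slf4j-simple.jar"
SAMPLE_CP="$SAMPLE_CP:/usr/share/java/slf4j/slf4j-nop.jar:/usr/share/java/slf4j/slf4j-api.jar"
SAMPLE_CP="$SAMPLE_CP:/usr/share/java/log4j.jar"

# dedupe_classpath CP: drop empty and repeated entries, keeping first-seen order.
dedupe_classpath() {
    printf '%s\n' "$1" | tr ':' '\n' |
        awk 'NF && !seen[$0]++ { printf "%s%s", sep, $0; sep = ":" } END { print "" }'
}

# slf4j_bindings CP: print, one per line, the entries whose file name matches a
# known SLF4J 1.x binding artifact (name-based heuristic, see lead-in).
slf4j_bindings() {
    printf '%s\n' "$1" | tr ':' '\n' | awk -F/ '
        $NF ~ /^(slf4j-(log4j12|simple|nop|jdk14|jcl)|logback-classic)(-[0-9.]+)?\.jar$/ \
            && !seen[$0]++'
}

# count_bindings CP: number of distinct binding jars on the classpath.
count_bindings() {
    slf4j_bindings "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# check_classpath CP: return 0 if at most one binding is present; otherwise
# list the offending jars on stderr and return 1 so a wrapper can refuse to start.
check_classpath() {
    count=$(count_bindings "$1")
    if [ "$count" -le 1 ]; then
        return 0
    fi
    echo "classpath has $count SLF4J bindings, expected at most 1:" >&2
    slf4j_bindings "$1" | sed 's/^/  /' >&2
    return 1
}

# Demo on the constructed sample: report, then show the de-duplicated classpath.
if ! check_classpath "$SAMPLE_CP"; then
    echo "deduplicated: $(dedupe_classpath "$SAMPLE_CP")" >&2
fi
```

De-duplication alone does not resolve the conflict: the sample still carries three bindings afterwards, so all but one binding jar has to be dropped from the classpath.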