[Bug 1294230] New: Please provide support for EPEL7
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1294230
Bug ID: 1294230
Summary: Please provide support for EPEL7
Product: Fedora
Version: rawhide
Component: powermock
Severity: medium
Assignee: rkennke(a)redhat.com
Reporter: projects.rg(a)smart.ms
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, msimacek(a)redhat.com,
neugens(a)redhat.com, projects.rg(a)smart.ms,
rkennke(a)redhat.com
Description of problem:
There are packages for EPEL6 and EPEL5. Please provide one for EPEL7 as well.
Version-Release number of selected component (if applicable):
-
How reproducible:
yes
Steps to Reproduce:
1. run an EPEL7 system
2. dnf install powermock
3.
Actual results:
no package found.
Expected results:
powermock gets installed with success.
Additional info:
DEBUG util.py:393: Getting requirements for powermock-1.6.2-2.el7.src
DEBUG util.py:393: --> maven-local-3.4.1-11.el7.noarch
DEBUG util.py:393: --> apache-commons-logging-1.1.2-7.el7.noarch
DEBUG util.py:393: --> tomcat-servlet-3.0-api-7.0.54-2.el7_1.noarch
DEBUG util.py:393: --> junit-4.11-8.el7.noarch
DEBUG util.py:393: --> cglib-2.2-18.el7.noarch
DEBUG util.py:393: --> maven-plugin-bundle-2.3.7-12.el7.noarch
DEBUG util.py:393: --> javassist-3.16.1-10.el7.noarch
DEBUG util.py:393: --> mockito-1.9.0-19.el7.noarch
DEBUG util.py:393: --> mockito-1.9.0-19.el7.noarch
DEBUG util.py:393: --> objenesis-1.2-18.el7.noarch
DEBUG util.py:393: --> sonatype-oss-parent-7-6.el7.noarch
DEBUG util.py:393: Error: No Package found for mvn(cglib:cglib-nodep)
DEBUG util.py:393: Error: No Package found for mvn(org.easymock:easymock)
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=GemvJMgqTe&a=cc_unsubscribe
6 years, 10 months
[Bug 1222573] New: CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1222573
Bug ID: 1222573
Summary: CVE-2014-7810 Tomcat/JbossWeb: security manager bypass
via EL expressions
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, asantos(a)redhat.com,
aszczucz(a)redhat.com, bdawidow(a)redhat.com,
bgollahe(a)redhat.com, ccoleman(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
dandread(a)redhat.com, darran.lofthouse(a)redhat.com,
dknox(a)redhat.com, dmcphers(a)redhat.com,
epp-bugs(a)redhat.com, etirelli(a)redhat.com,
felias(a)redhat.com, gvarsami(a)redhat.com,
hchiorea(a)redhat.com, hfnukal(a)redhat.com,
ivan.afonichev(a)gmail.com, jason.greene(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jboss-set(a)redhat.com,
jbpapp-maint(a)redhat.com, jclere(a)redhat.com,
jcoleman(a)redhat.com, jdg-bugs(a)redhat.com,
jdoyle(a)redhat.com, jialiu(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
jolee(a)redhat.com, jpallich(a)redhat.com,
kanderso(a)redhat.com, kconner(a)redhat.com,
krzysztof.daniel(a)gmail.com, kseifried(a)redhat.com,
ldimaggi(a)redhat.com, lgao(a)redhat.com,
lkocman(a)redhat.com, lmeyer(a)redhat.com,
lpetrovi(a)redhat.com, mbaluch(a)redhat.com,
me(a)coolsvap.net, mfranc(a)redhat.com,
mmccomas(a)redhat.com, mweiler(a)redhat.com,
mwinkler(a)redhat.com, myarboro(a)redhat.com,
nwallace(a)redhat.com, pavelp(a)redhat.com,
pgier(a)redhat.com, pslavice(a)redhat.com,
rhq-maint(a)redhat.com, rrajasek(a)redhat.com,
rsvoboda(a)redhat.com, rwagner(a)redhat.com,
rzhang(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com,
spinder(a)redhat.com, tcunning(a)redhat.com,
theute(a)redhat.com, tkirby(a)redhat.com,
tmlcoch(a)redhat.com, ttarrant(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com,
vtunka(a)redhat.com, weli(a)redhat.com
It was found that the expression language resolver evaluated expressions within
a privileged code section. A malicious web application could use this flaw to
bypass security manager protections.
Upstream patches:
http://svn.apache.org/viewvc?view=revision&revision=1644019
http://svn.apache.org/viewvc?view=revision&revision=1645644
External References:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17
7 years, 2 months
[Bug 1293837] New: CVE-2015-1772 Apache Hive: authentication
vulnerability in HiveServer2
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1293837
Bug ID: 1293837
Summary: CVE-2015-1772 Apache Hive: authentication
vulnerability in HiveServer2
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: alonbl(a)redhat.com, bmcclain(a)redhat.com,
dblechte(a)redhat.com, ecohen(a)redhat.com,
gklein(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
lsurette(a)redhat.com, me(a)coolsvap.net,
mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com,
moceap(a)hotmail.com, pmackinn(a)redhat.com,
rbalakri(a)redhat.com, Rhev-m-bugs(a)redhat.com,
sherold(a)redhat.com, ydary(a)redhat.com,
yeylon(a)redhat.com, ykaul(a)redhat.com
The following flaw was reported in Apache Hive:
It affects users who use LDAP authentication mode in HiveServer2 and also have
LDAP configured to allow simple unauthenticated or anonymous bind.
LDAP services are sometimes configured to allow simple unauthenticated binds.
When HiveServer2 is configured to use LDAP authentication mode
(hive.server2.authentication configuration parameter is set to LDAP), with such
LDAP configurations, it can allow users without proper credentials to get
authenticated.
External References:
https://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3CCAO...
7 years, 4 months
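The flaw above is the classic LDAP "unauthenticated bind" trap: RFC 4513 treats a simple bind with a DN but an empty password as unauthenticated, and many directories answer it with success without checking anything. The following added example (not Hive's own code; the directory, DN layout and sample credentials are constructed stand-ins) contrasts a login that trusts the bind result alone with one that refuses to bind on empty credentials.

```python
"""Why an LDAP-backed login must reject empty credentials itself.

RFC 4513 section 5.1.2: a simple bind with a DN but an EMPTY password is an
"unauthenticated" bind. Many directories accept it with resultCode success
even though no password was checked. A login that equates "bind succeeded"
with "password verified" then admits anyone who submits a blank password.
"""

SUCCESS = 0              # LDAP resultCode success
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials


class FakeDirectory:
    """Constructed stand-in for an LDAP server (no network, no ldap library)."""

    def __init__(self, passwords, allow_unauthenticated_bind):
        self.passwords = passwords  # dn -> password; constructed sample data
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        if password == "":
            # Unauthenticated bind: the server "succeeds" without checking
            # the DN's password at all when this mode is enabled.
            return SUCCESS if self.allow_unauthenticated_bind else INVALID_CREDENTIALS
        if self.passwords.get(dn) == password:
            return SUCCESS
        return INVALID_CREDENTIALS


def _dn_for(user):
    # Hypothetical DN template; a real deployment would also escape DN metacharacters.
    return f"uid={user},ou=people,dc=example,dc=com"


def naive_authenticate(directory, user, password):
    """Flawed pattern: the bind result is the only thing consulted."""
    return directory.simple_bind(_dn_for(user), password) == SUCCESS


def hardened_authenticate(directory, user, password):
    """Never bind unless both user and password are non-empty.

    This keeps the login correct even when the directory is (mis)configured
    to permit unauthenticated or anonymous binds.
    """
    if not user or not user.strip() or not password:
        return False
    return directory.simple_bind(_dn_for(user), password) == SUCCESS


# Constructed directory that permits unauthenticated binds, as in the advisory.
DIRECTORY = FakeDirectory({_dn_for("alice"): "s3cret"}, allow_unauthenticated_bind=True)
```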
[Bug 1293838] New: CVE-2015-1772 Apache Hive: authentication
vulnerability in HiveServer2 [fedora-all]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1293838
Bug ID: 1293838
Summary: CVE-2015-1772 Apache Hive: authentication
vulnerability in HiveServer2 [fedora-all]
Product: Fedora
Version: 23
Component: hive
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: pmackinn(a)redhat.com
Reporter: mprpic(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
me(a)coolsvap.net, moceap(a)hotmail.com,
pmackinn(a)redhat.com
Blocks: 1293837 (CVE-2015-1772)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1293837
[Bug 1293837] CVE-2015-1772 Apache Hive: authentication vulnerability in
HiveServer2
7 years, 4 months
[Bug 1291798] New: CVE-2015-7539 jenkins: Jenkins plugin manager
vulnerable to MITM attacks (SECURITY-234)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291798
Bug ID: 1291798
Summary: CVE-2015-7539 jenkins: Jenkins plugin manager
vulnerable to MITM attacks (SECURITY-234)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abhgupta(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mizdebsk(a)redhat.com,
mmccomas(a)redhat.com, msrb(a)redhat.com,
tiwillia(a)redhat.com
While the Jenkins update site data is digitally signed, and the signature
verified by Jenkins, Jenkins did not verify the provided SHA-1 checksums for
the plugin files referenced in the update site data. This enabled MITM attacks
on the plugin manager, resulting in installation of attacker-provided plugins.
This could allow attackers able to manipulate the network path between Jenkins
and the update site to install and run arbitrary code on Jenkins.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
7 years, 4 months
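The gap described in SECURITY-234 is that the signed update-site data carried a checksum for each plugin, but the downloaded file was never compared against it. The added example below (not Jenkins' own code; the update-site shape, field names and plugin bytes are constructed, and the signature over the metadata is assumed to have been verified already) shows the missing step: binding the download to the signed metadata before installing it.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample shaped like one update-site plugin entry. The "sha1"
# field is assumed to hold the base64-encoded SHA-1 digest of the plugin file.
PLUGIN_BYTES = b"PK\x03\x04constructed-plugin-archive"
UPDATE_SITE = json.dumps({
    "plugins": {
        "example-plugin": {
            "name": "example-plugin",
            "version": "1.0",
            "url": "https://updates.example.invalid/example-plugin.hpi",
            "sha1": base64.b64encode(hashlib.sha1(PLUGIN_BYTES).digest()).decode(),
        }
    }
})


def _entry(update_site_json, plugin_name):
    # Caller is assumed to have verified the signature over update_site_json.
    return json.loads(update_site_json)["plugins"][plugin_name]


def flawed_accept(update_site_json, plugin_name, downloaded):
    """Pre-fix behaviour: signed metadata is read, but the download is trusted
    as-is, so whatever arrived over the network is installed."""
    _entry(update_site_json, plugin_name)
    return True


def verify_plugin_download(update_site_json, plugin_name, downloaded):
    """Fixed behaviour: refuse the file unless its digest matches the
    checksum carried in the signed metadata."""
    entry = _entry(update_site_json, plugin_name)
    expected = base64.b64decode(entry["sha1"])
    actual = hashlib.sha1(downloaded).digest()
    # Constant-time compare; the signed checksum extends the metadata
    # signature's trust to the plugin bytes themselves.
    return hmac.compare_digest(expected, actual)
```

A tampered download then fails closed, whichever path between the instance and the update site it travelled.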
[Bug 1291797] New: CVE-2015-7538 jenkins: CSRF protection
ineffective (SECURITY-233)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291797
Bug ID: 1291797
Summary: CVE-2015-7538 jenkins: CSRF protection ineffective
(SECURITY-233)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abhgupta(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mizdebsk(a)redhat.com,
mmccomas(a)redhat.com, msrb(a)redhat.com,
tiwillia(a)redhat.com
Malicious users were able to circumvent CSRF protection on any URL by sending
specially crafted POST requests. This could allow unprivileged attackers to
circumvent CSRF protection.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
7 years, 4 months
[Bug 1291795] New: CVE-2015-7537 jenkins: CSRF vulnerability in some
administrative actions (SECURITY-225)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291795
Bug ID: 1291795
Summary: CVE-2015-7537 jenkins: CSRF vulnerability in some
administrative actions (SECURITY-225)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abhgupta(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mizdebsk(a)redhat.com,
mmccomas(a)redhat.com, msrb(a)redhat.com,
tiwillia(a)redhat.com
Several administration/configuration related URLs could be accessed using GET,
which allowed attackers to circumvent CSRF protection. This could allow
unprivileged attackers to perform some administrative actions via CSRF.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
7 years, 4 months
[Bug 1291794] New: CVE-2015-7536 jenkins: stored XSS vulnerability
through workspace files and archived artifacts (SECURITY-95)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291794
Bug ID: 1291794
Summary: CVE-2015-7536 jenkins: stored XSS vulnerability
through workspace files and archived artifacts
(SECURITY-95)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abhgupta(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mizdebsk(a)redhat.com,
mmccomas(a)redhat.com, msrb(a)redhat.com,
tiwillia(a)redhat.com
In certain configurations, low privilege users were able to create e.g. HTML
files in workspaces and archived artifacts that could result in XSS when
accessed by other users. Jenkins now sends Content-Security-Policy headers that
enable sandboxing and prohibit script execution by default.
This could allow low-privilege users to perform limited XSS in certain
configurations.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
7 years, 4 months
[Bug 1291799] New: CVE-2015-7536 CVE-2015-7537 CVE-2015-7538
CVE-2015-7539 jenkins: various flaws [fedora-all]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291799
Bug ID: 1291799
Summary: CVE-2015-7536 CVE-2015-7537 CVE-2015-7538
CVE-2015-7539 jenkins: various flaws [fedora-all]
Product: Fedora
Version: 23
Component: jenkins
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: msrb(a)redhat.com
Reporter: mprpic(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Blocks: 1291794 (CVE-2015-7536), 1291795 (CVE-2015-7537),
1291797 (CVE-2015-7538), 1291798 (CVE-2015-7539)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1291794
[Bug 1291794] CVE-2015-7536 jenkins: stored XSS vulnerability through
workspace files and archived artifacts (SECURITY-95)
https://bugzilla.redhat.com/show_bug.cgi?id=1291795
[Bug 1291795] CVE-2015-7537 jenkins: CSRF vulnerability in some
administrative actions (SECURITY-225)
https://bugzilla.redhat.com/show_bug.cgi?id=1291797
[Bug 1291797] CVE-2015-7538 jenkins: CSRF protection ineffective
(SECURITY-233)
https://bugzilla.redhat.com/show_bug.cgi?id=1291798
[Bug 1291798] CVE-2015-7539 jenkins: Jenkins plugin manager vulnerable to
MITM attacks (SECURITY-234)
7 years, 4 months