[Bug 1299674] New: xmlpull.jar causes java.lang.LinkageError: loader constraint violation: when resolving method "javax.xml.ws.Service"
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1299674
Bug ID: 1299674
Summary: xmlpull.jar causes java.lang.LinkageError: loader
constraint violation: when resolving method
"javax.xml.ws.Service"
Product: Fedora
Version: 23
Component: groovy
Severity: high
Assignee: msrb(a)redhat.com
Reporter: rc556677(a)outlook.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Description of problem:
When running a SOAP client, QName is loaded from both xmlpull.jar and the JVM's rt.jar, leading to
Caught: java.lang.LinkageError: loader constraint violation: when resolving method "javax.xml.ws.Service.<init>(Ljava/net/URL;Ljavax/xml/namespace/QName;)V" the class loader (instance of org/codehaus/groovy/tools/RootLoader) of the current class, org/ejbca/core/protocol/ws/client/gen/EjbcaWSService, and the class loader (instance of <bootloader>) for the method's defining class, javax/xml/ws/Service, have different Class objects for the type javax/xml/namespace/QName used in the signature
java.lang.LinkageError: loader constraint violation: when resolving method "javax.xml.ws.Service.<init>(Ljava/net/URL;Ljavax/xml/namespace/QName;)V" the class loader (instance of org/codehaus/groovy/tools/RootLoader) of the current class, org/ejbca/core/protocol/ws/client/gen/EjbcaWSService, and the class loader (instance of <bootloader>) for the method's defining class, javax/xml/ws/Service, have different Class objects for the type javax/xml/namespace/QName used in the signature
        at org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:37)
        at com.example.ejbca.version.run(version.groovy:73)
Version-Release number of selected component (if applicable):
2.4.4
How reproducible:
Always
Steps to Reproduce:
1. Run a Groovy script that uses the EJBCA SOAP service:
import javax.xml.namespace.QName
import org.ejbca.core.protocol.ws.client.gen.EjbcaWSService

QName qname = new QName("http://ws.protocol.core.ejbca.org/", "EjbcaWSService")
def ejbcasvc = new EjbcaWSService(new URL("https://example.com/ejbca/ejbcaws/ejbcaws?wsdl"), qname)
def ejbcaws = ejbcasvc.getEjbcaWSPort()
// logger and Ejbca are helpers from the reporter's own script, not shown here
logger.info("Connected to EJBCA version: " + Ejbca.getVersion(ejbcaws))
2. The SOAP service is from https://www.ejbca.org/
Actual results:
Caught: java.lang.LinkageError: loader constraint violation: when resolving method "javax.xml.ws.Service.<init>(Ljava/net/URL;Ljavax/xml/namespace/QName;)V" the class loader (instance of org/codehaus/groovy/tools/RootLoader) of the current class, org/ejbca/core/protocol/ws/client/gen/EjbcaWSService, and the class loader (instance of <bootloader>) for the method's defining class, javax/xml/ws/Service, have different Class objects for the type javax/xml/namespace/QName used in the signature
java.lang.LinkageError: loader constraint violation: when resolving method "javax.xml.ws.Service.<init>(Ljava/net/URL;Ljavax/xml/namespace/QName;)V" the class loader (instance of org/codehaus/groovy/tools/RootLoader) of the current class, org/ejbca/core/protocol/ws/client/gen/EjbcaWSService, and the class loader (instance of <bootloader>) for the method's defining class, javax/xml/ws/Service, have different Class objects for the type javax/xml/namespace/QName used in the signature
        at org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:37)
Expected results:
[main] INFO ejbca - Connected to EJBCA version: EJBCA 6.3.1.1 Community
(r21429)
Additional info:
Upstream groovy-2.4.5 has xmlpull-1.1.3.1.jar. Not sure why that works but
Fedora groovy doesn't.
Fedora 2.4.4: (with -verbose)
[Loaded javax.xml.namespace.QName from file:/usr/share/groovy/lib/xmlpull.jar]
[Loaded javax.xml.namespace.QName from /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-4.b17.fc23.x86_64/jre/lib/rt.jar]
Caught: java.lang.LinkageError: loader constraint violation: when resolving method "javax.xml.ws.Service.<init>(Ljava/net/URL;Ljavax/xml/namespace/QName;)V" the class loader (instance of org/codehaus/groovy/tools/RootLoader) of the current class, org/ejbca/core/protocol/ws/client/gen/EjbcaWSService, and the class loader (instance of <bootloader>) for the method's defining class, javax/xml/ws/Service, have different Class objects for the type javax/xml/namespace/QName used in the signature
Upstream 2.4.5: (-verbose)
[Loaded javax.xml.namespace.QName from /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-4.b17.fc23.x86_64/jre/lib/rt.jar]
[Loaded javax.xml.namespace.QName$1 from /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-4.b17.fc23.x86_64/jre/lib/rt.jar]
Why doesn't upstream pull in its own groovy-2.4.5/lib/xmlpull-1.1.3.1.jar and hit the same error?
--
You are receiving this mail because:
You are on the CC list for the bug.
8 years, 2 months
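As an added example (not code from the bug report or from groovy itself), a small classpath check that reports any .class entry present in more than one jar, which is exactly the QName shadowing between xmlpull.jar and rt.jar that the -verbose output above shows; the two jars it scans are constructed stand-ins written to a temporary directory:

```python
"""Find .class entries defined in more than one jar on a classpath.

Added example, not part of the bug report. The LinkageError above occurs because
javax.xml.namespace.QName exists in groovy's lib/xmlpull.jar as well as in the
JDK's rt.jar, so RootLoader and the bootstrap loader each define their own QName.
The jars built here are constructed stand-ins holding empty .class entries."""
import os
import tempfile
import zipfile
from collections import defaultdict


def scan_jars(jar_paths):
    """Map each .class entry name to the jars that contain it."""
    owners = defaultdict(list)
    for jar in jar_paths:
        with zipfile.ZipFile(jar) as zf:
            for name in zf.namelist():
                if name.endswith(".class"):
                    owners[name].append(jar)
    return owners


def duplicate_classes(jar_paths):
    """Return {class_entry: [jars]} for entries found in more than one jar."""
    return {cls: jars for cls, jars in scan_jars(jar_paths).items() if len(jars) > 1}


def build_sample_classpath(root):
    """Construct two toy jars mirroring the bug: both carry QName.class."""
    layout = {
        "xmlpull.jar": ["javax/xml/namespace/QName.class", "org/xmlpull/v1/XmlPullParser.class"],
        "rt.jar": ["javax/xml/namespace/QName.class", "javax/xml/ws/Service.class"],
    }
    paths = []
    for jar, entries in layout.items():
        path = os.path.join(root, jar)
        with zipfile.ZipFile(path, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")  # placeholder, not real bytecode
        paths.append(path)
    return paths


def shadowed_in_sample():
    """Scan the constructed jars; returns {entry: sorted jar basenames}."""
    with tempfile.TemporaryDirectory() as tmp:
        dups = duplicate_classes(build_sample_classpath(tmp))
        return {cls: sorted(os.path.basename(j) for j in jars) for cls, jars in dups.items()}
```

Pointing `duplicate_classes` at the real `/usr/share/groovy/lib/*.jar` plus the JDK's `rt.jar` gives the same kind of report for an installed Fedora groovy.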
[Bug 1267411] New: lucene-5.3.1 is available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1267411
Bug ID: 1267411
Summary: lucene-5.3.1 is available
Product: Fedora
Version: rawhide
Component: lucene
Keywords: FutureFeature, Triaged
Assignee: akurtako(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
hicham.haouari(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com,
msimacek(a)redhat.com, puntogil(a)libero.it,
rgrunber(a)redhat.com
Latest upstream release: 5.3.1
Current version/release in rawhide: 5.3.0-1.fc24
URL: http://lucene.apache.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
[Bug 1185148] New: CVE-2014-9634 Jenkins on Tomcat: failure to set secure flag on cookies
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185148
Bug ID: 1185148
Summary: CVE-2014-9634 Jenkins on Tomcat: failure to set secure
flag on cookies
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jdetiber(a)redhat.com, jialiu(a)redhat.com,
jkeck(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com
Yann Rouillard reports:
Jenkins on Tomcat fails to set the secure flag on cookies.
[Bug 1299279] New: jetty-9.3.7.v20160115 is available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1299279
Bug ID: 1299279
Summary: jetty-9.3.7.v20160115 is available
Product: Fedora
Version: rawhide
Component: jetty
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, msrb(a)redhat.com
Latest upstream release: 9.3.7.v20160115
Current version/release in rawhide: 9.3.7-0.2.RC1.fc24
URL: http://repo2.maven.org/maven2/org/eclipse/jetty/jetty-project/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
[Bug 1185151] New: CVE-2014-9635 Jenkins on Tomcat: failure to set httponly flag on cookies
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185151
Bug ID: 1185151
Summary: CVE-2014-9635 Jenkins on Tomcat: failure to set
httponly flag on cookies
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jdetiber(a)redhat.com, jialiu(a)redhat.com,
jkeck(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com
Yann Rouillard reports:
Jenkins on Tomcat fails to set the httponly flag on cookies.
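One check that covers both CVE-2014-9634 and CVE-2014-9635 above, as an added example that is not part of either bug report: a parser that flags Set-Cookie headers missing the Secure or HttpOnly attribute, run over constructed Jenkins-style responses (the JSESSIONID values and paths are made up):

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not from either bug report. CVE-2014-9634 and CVE-2014-9635
describe the same class of defect on Jenkins under Tomcat: a session cookie
issued without Secure can be replayed over plain HTTP, and one without HttpOnly
is readable by page script. The responses below are constructed samples."""


def cookie_flags(set_cookie_value):
    """Split one Set-Cookie value into (cookie name, set of lower-case attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers, over_tls=True):
    """Return (cookie name, finding) pairs for every Set-Cookie header lacking a flag.

    headers: iterable of (header name, value) pairs as sent by the server.
    The Secure attribute is only expected when the response was served over TLS.
    """
    findings = []
    for hname, value in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = cookie_flags(value)
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if over_tls and "secure" not in attrs:
            findings.append((name, "missing Secure"))
    return findings


# Constructed responses: WEAK mirrors the defect reported, HARDENED the corrected form.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/jenkins"),
]
HARDENED_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/jenkins; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for name, problem in audit_cookies(WEAK_HEADERS):
        print(f"{name}: {problem}")
```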
[Bug 1140314] New: CVE-2013-4444 tomcat: remote code execution via uploaded JSP
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1140314
Bug ID: 1140314
Summary: CVE-2013-4444 tomcat: remote code execution via
uploaded JSP
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: vdanen(a)redhat.com
CC: akurtako(a)redhat.com, dknox(a)redhat.com,
gmurphy(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jdoyle(a)redhat.com,
krzysztof.daniel(a)gmail.com, lgao(a)redhat.com,
myarboro(a)redhat.com, pslavice(a)redhat.com,
rsvoboda(a)redhat.com, weli(a)redhat.com
As reported fixed in Apache Tomcat 7.0.40 [1]:
In very limited circumstances, it was possible for an attacker to upload a
malicious JSP to a Tomcat server and then trigger the execution of that JSP.
While Remote Code Execution would normally be viewed as a critical
vulnerability, the circumstances under which this is possible are, in the view
of the Tomcat security team, sufficiently limited that this vulnerability is
viewed as important.
For this attack to succeed all of the following requirements must be met:
1. Using Oracle Java 1.7.0 update 25 or earlier (or any other Java
implementation where java.io.File is vulnerable to null byte injection).
2. A web application must be deployed to a vulnerable version of Tomcat.
3. The web application must use the Servlet 3.0 File Upload feature.
4. A file location within a deployed web application must be writeable by the
user the Tomcat process is running as. The Tomcat security documentation
recommends against this.
5. A custom listener for JMX connections (e.g. the JmxRemoteListener that is
not enabled by default) must be configured and be able to load classes from
Tomcat's common class loader (i.e. the custom JMX listener must be placed in
Tomcat's lib directory).
6. The custom JMX listener must be bound to an address other than localhost for
a remote attack (it is bound to localhost by default). If the custom JMX
listener is bound to localhost, a local attack will still be possible.
Note that requirements 2 and 3 may be replaced with the following requirement:
7. A web application is deployed that uses Apache Commons File Upload 1.2.1 or
earlier.
In this case (requirements 1, 4, 5, 6 and 7 met) a similar vulnerability may
exist on any Servlet container, not just Apache Tomcat.
This was fixed in revision 1470437. [2] (April 22, 2013)
This issue was identified by Pierre Ernst of the VMware Security Engineering,
Communications and Response group (vSECR) and reported to the Tomcat security
team via the Pivotal security team on 5 September 2014. It was made public on
10 September 2014.
Affects: 7.0.0 to 7.0.39
[1] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
[2] http://svn.apache.org/viewvc?view=revision&revision=1470437
Statement:
This issue did not affect the versions of tomcat as shipped with Red Hat
Enterprise Linux 5, 6, or 7 nor the versions of tomcat as shipped with JBoss
Enterprise Web Server.
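As an added example, not part of the Tomcat advisory or of Tomcat's own code: an upload filename validator that rejects the null-byte trick behind requirement 1 along with path traversal and server-side script extensions, and confines the result to a dedicated upload directory outside the webapp (the directory path and the extension allow list are assumptions):

```python
"""Validate an uploaded file name against the tricks behind CVE-2013-4444.

Added example, not part of the advisory. The Tomcat issue needed a Java runtime
whose java.io.File truncated paths at an embedded NUL, so a name of the form
"shell.jsp<NUL>.png" could pass an extension check yet be written as "shell.jsp",
plus a webapp directory writable by the Tomcat user. The checks below reject the
NUL, traversal and server-side script extensions, and confine the result to a
dedicated upload directory. The directory and allow list are assumptions."""
import os
import pathlib

SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".war"}  # executed by the container
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}   # assumed allow list


class UnsafeFilename(ValueError):
    """Raised when a client-supplied name fails any check."""


def safe_upload_path(upload_dir, client_name):
    """Return the absolute path under upload_dir for client_name, or raise."""
    if "\x00" in client_name:
        raise UnsafeFilename("embedded NUL byte")
    if client_name in ("", ".", "..") or "/" in client_name or "\\" in client_name:
        raise UnsafeFilename("path separator or traversal")
    # Check every suffix, so "shell.jsp.png" is caught as well as "shell.jsp".
    suffixes = [s.lower() for s in pathlib.PurePosixPath(client_name).suffixes]
    if any(s in SCRIPT_EXTENSIONS for s in suffixes):
        raise UnsafeFilename("server-side script extension")
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename("extension not in allow list")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, client_name))
    if os.path.dirname(target) != root:
        raise UnsafeFilename("escapes upload directory")
    return target


def is_accepted(upload_dir, client_name):
    """True when client_name passes every check for upload_dir."""
    try:
        safe_upload_path(upload_dir, client_name)
        return True
    except UnsafeFilename:
        return False
```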