[Bug 1131350] CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter injection
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1131350
Kurt Seifried <kseifried(a)redhat.com> changed:
What        | Removed | Added
----------------------------------------------------------------------------
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Whiteboard  | impact=important,public=20140811,reported=20140819,source=internet,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,rhev-m-3/jasperreports-server-pro=affected,epp-5/cas-client=affected,jpp-6/cas-client=affected,fedora-all/cas-client=affected,fedora-all/php-pear-CAS=notaffected,epel-all/php-pear-CAS=notaffected | impact=important,public=20140811,reported=20140819,source=internet,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,rhev-m-3/jasperreports-server-pro=wontfix,epp-5/cas-client=affected,jpp-6/cas-client=affected,fedora-all/cas-client=affected,fedora-all/php-pear-CAS=notaffected,epel-all/php-pear-CAS=notaffected
Last Closed |         | 2016-01-22 13:25:50
--- Comment #14 from Kurt Seifried <kseifried(a)redhat.com> ---
This issue does not affect JasperReports as used in Red Hat Enterprise
Virtualization Manager, marking wontfix.
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1127276] New: CVE-2014-5075 smack: MitM vulnerability
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1127276
Bug ID: 1127276
Summary: CVE-2014-5075 smack: MitM vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: brms-jira(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
pavelp(a)redhat.com, puntogil(a)libero.it,
tkirby(a)redhat.com, weli(a)redhat.com
It was reported [1] that Smack (XMPP client library) is vulnerable to MitM
attacks with crafted SSL certificates.
Quote from [1]:
...
Details
-------
Smack is using Java's `SSLSocket`, which checks the peer certificate
using an `X509TrustManager`, but does not perform hostname verification.
Therefore, it is possible to redirect the traffic between a Smack-using
application and a legitimate XMPP server through the attacker's server,
merely by providing a valid certificate for a domain under the
attacker's control.
In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager`
implementation was used, which was supplied with the connection's server
name, and performed hostname verification. However, it failed to verify
the basicConstraints and nameConstraints of the certificate chain
(CVE-2014-0363, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363)
and has been removed in Smack 4.0.0.
Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did
not benefit from `ServerTrustManager` and are vulnerable as well, unless
their own `TrustManager` implementation explicitly performs hostname
verification.
...
[1]: http://seclists.org/bugtraq/2014/Aug/29
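The check the report says is missing, as an added example written for this digest and not Smack's own code: a helper (hypothetical name VerifiedXmppTls) that layers TLS over a connected socket and asks JSSE to verify the server certificate against the XMPP service name the client meant to reach, not merely against the trust store. It assumes a Java 7 or later runtime and an SSLContext the caller has already initialised; serviceName, targetHost and port are the helper's own parameters.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper, not Smack code: opens a TLS connection to an XMPP
// server and has JSSE verify that the certificate matches the service name,
// not just that it chains to a trusted CA.
public final class VerifiedXmppTls {

    // serviceName: the XMPP domain the client intends to talk to.
    // targetHost/port: the endpoint actually connected to (e.g. an SRV target).
    public static SSLSocket open(String serviceName, String targetHost, int port,
                                 SSLContext ctx) throws IOException {
        Socket plain = new Socket(targetHost, port);
        SSLSocketFactory factory = ctx.getSocketFactory();
        // Layer TLS over the plain socket; the host name given here is the one
        // JSSE uses for SNI and for endpoint identification.
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, serviceName, port, true);
        SSLParameters params = tls.getSSLParameters();
        // Without this line the trust manager only validates the chain, which is
        // the gap the report describes: any CA-issued certificate for any domain
        // would be accepted. "HTTPS" selects RFC 2818-style name matching against
        // the certificate's subjectAltName entries.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);
        // Throws SSLHandshakeException if the certificate does not match serviceName.
        tls.startHandshake();
        return tls;
    }

    private VerifiedXmppTls() {}
}
```

If the SSLContext was built with a custom TrustManager, that implementation must not skip the identification step itself; the JSSE default trust managers honour the algorithm set above.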
[Bug 1222923] New: CVE-2015-2156 netty: HttpOnly cookie bypass
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1222923
Bug ID: 1222923
Summary: CVE-2015-2156 netty: HttpOnly cookie bypass
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
asantos(a)redhat.com, aszczucz(a)redhat.com,
bdawidow(a)redhat.com, bkearney(a)redhat.com,
brms-jira(a)redhat.com, cbillett(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
cpelland(a)redhat.com, cperry(a)redhat.com,
dandread(a)redhat.com, darran.lofthouse(a)redhat.com,
epp-bugs(a)redhat.com, etirelli(a)redhat.com,
felias(a)redhat.com, fnasser(a)redhat.com,
gvarsami(a)redhat.com, hchiorea(a)redhat.com,
hfnukal(a)redhat.com, huwang(a)redhat.com,
jason.greene(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jboss-set(a)redhat.com,
jbpapp-maint(a)redhat.com, jcoleman(a)redhat.com,
jdg-bugs(a)redhat.com, jerboaa(a)gmail.com,
jolee(a)redhat.com, jon.vanalten(a)redhat.com,
jpallich(a)redhat.com, katello-bugs(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
ldimaggi(a)redhat.com, lgao(a)redhat.com,
lpetrovi(a)redhat.com, mbaluch(a)redhat.com,
mmccune(a)redhat.com, mnovotny(a)redhat.com,
msimacek(a)redhat.com, msrb(a)redhat.com,
mweiler(a)redhat.com, mwinkler(a)redhat.com,
myarboro(a)redhat.com, nwallace(a)redhat.com,
ohadlevy(a)redhat.com, pavelp(a)redhat.com,
pgier(a)redhat.com, pslavice(a)redhat.com,
rhq-maint(a)redhat.com, rrajasek(a)redhat.com,
rsvoboda(a)redhat.com, rwagner(a)redhat.com,
rzhang(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com,
spinder(a)redhat.com, tcunning(a)redhat.com,
theute(a)redhat.com, tjay(a)redhat.com, tkirby(a)redhat.com,
tomckay(a)redhat.com, ttarrant(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com,
vtunka(a)redhat.com, weli(a)redhat.com
A flaw was found in the way Netty’s CookieDecoder method validated cookie name
and value characters. An attacker could use this flaw to bypass the httpOnly
flag on sensitive cookies.
Upstream patch:
https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27...
External References:
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOn...
http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-secu...
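As an added example of the mitigation (not Netty's own CookieDecoder): a request-cookie decoder that enforces the RFC 6265 name and value character sets and drops any pair carrying control characters, separators, quotes or whitespace rather than handing it to the application. StrictCookieDecoder and the sample header in main are constructed for this digest.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Constructed example, not Netty code: decode a request "Cookie:" header and
// keep only pairs whose name is an RFC 6265 token and whose value consists of
// cookie-octets. Anything else is discarded instead of being passed through.
public final class StrictCookieDecoder {

    // RFC 2616 token: printable US-ASCII except separators, SP and CTLs.
    static boolean isTokenChar(char c) {
        if (c <= 0x20 || c >= 0x7f) return false;            // CTLs, SP, DEL
        return "()<>@,;:\\\"/[]?={}".indexOf(c) < 0;         // separators
    }

    // RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
    // (no CTLs, whitespace, DQUOTE, comma, semicolon or backslash).
    static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
            || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    static boolean validName(String s) {
        if (s.isEmpty()) return false;
        for (int i = 0; i < s.length(); i++) if (!isTokenChar(s.charAt(i))) return false;
        return true;
    }

    static boolean validValue(String s) {
        for (int i = 0; i < s.length(); i++) if (!isCookieOctet(s.charAt(i))) return false;
        return true;
    }

    // Returns only the well-formed cookies of the header, in order of appearance.
    public static Map<String, String> decode(String header) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : header.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            // RFC 6265 allows a value wrapped in double quotes; strip them first.
            if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\""))
                value = value.substring(1, value.length() - 1);
            if (validName(name) && validValue(value)) out.put(name, value);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the second pair carries a control character in its value.
        System.out.println(decode("session=abc123; bad=x\u0001y; theme=\"dark\""));
    }
}
```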
[Bug 1291673] New: lucene-5.4.0 is available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291673
Bug ID: 1291673
Summary: lucene-5.4.0 is available
Product: Fedora
Version: rawhide
Component: lucene
Keywords: FutureFeature, Triaged
Assignee: akurtako(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
hicham.haouari(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com,
msimacek(a)redhat.com, puntogil(a)libero.it,
rgrunber(a)redhat.com
Latest upstream release: 5.4.0
Current version/release in rawhide: 5.3.1-1.fc24
URL: http://lucene.apache.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
[Bug 1300108] New: felix-utils-1.8.2 is available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1300108
Bug ID: 1300108
Summary: felix-utils-1.8.2 is available
Product: Fedora
Version: rawhide
Component: felix-utils
Keywords: FutureFeature, Triaged
Assignee: msimacek(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Latest upstream release: 1.8.2
Current version/release in rawhide: 1.8.0-2.fc23
URL: http://www.apache.org/dist/felix/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
[Bug 1252823] New: Please include plugin script
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1252823
Bug ID: 1252823
Summary: Please include plugin script
Product: Fedora
Version: 22
Component: elasticsearch
Assignee: jvanek(a)redhat.com
Reporter: pahan(a)hubbitus.info
QA Contact: extras-qa(a)fedoraproject.org
CC: bobjensen(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, pbrobinson(a)gmail.com,
zbyszek(a)in.waw.pl
Hello.
In repack.sh you delete "elasticsearch elasticsearch.bat
elasticsearch-service-mgr.exe elasticsearch-service-x64.exe
elasticsearch-service-x86.exe plugin plugin.bat service.bat".
I understand that binaries must be stripped. But what about plugin, which is
just a shell script? I assume it is not a sane way to install such plugins which are
not in rpm form, and that is the main reason for excluding it, is it not? But may we
leave it to the administrator to choose when the desired plugin is not packaged?
Could you please include that script in the package as is done in the upstream rpm?
[Bug 1296308] New: elasticsearch on update silently replaces configs
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1296308
Bug ID: 1296308
Summary: elasticsearch on update silently replaces configs
Product: Fedora
Version: 23
Component: elasticsearch
Assignee: jvanek(a)redhat.com
Reporter: pahan(a)hubbitus.info
QA Contact: extras-qa(a)fedoraproject.org
CC: bobjensen(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, zbyszek(a)in.waw.pl
Description of problem:
In the spec you mark as %config(noreplace)
%config(noreplace) %{_sharedstatedir}/%{name}/conf/%{name}.yml
%config(noreplace) %{_sharedstatedir}/%{name}/conf/logging.yml
which are actually just symlinks; instead, the files in %{_sysconfdir}/%{name} should be
marked as configs.
Maybe an even better approach is to just drop /var/lib/elasticsearch/conf and point it
to /etc...
[Bug 1299774] New: kxml: Bundles classes from xpp3
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1299774
Bug ID: 1299774
Summary: kxml: Bundles classes from xpp3
Product: Fedora
Version: rawhide
Component: kxml
Assignee: mizdebsk(a)redhat.com
Reporter: mizdebsk(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Blocks: 1299674
Description of problem:
kxml.jar bundles classes from xpp3.jar
Version-Release number of selected component (if applicable):
2.3.0-8
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1299674
[Bug 1299674] xmlpull.jar causes java.lang.LinkageError: loader constraint
violation: when resolving method "javax.xml.ws.Service"
[Bug 1299434] New: maven-dependency-tree-3.3.9 is available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1299434
Bug ID: 1299434
Summary: maven-dependency-tree-3.3.9 is available
Product: Fedora
Version: rawhide
Component: maven-dependency-tree
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Latest upstream release: 3.3.9
Current version/release in rawhide: 3.0-1.fc24
URL: http://maven.apache.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.