February 2016 - java-sig-commits - Fedora Mailing-Lists

[Bug 1140314] New: CVE-2013-4444 tomcat: remote code execution via uploaded JSP

by Red Hat Bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1140314 Bug ID: 1140314 Summary: CVE-2013-4444 tomcat: remote code execution via uploaded JSP Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: vdanen(a)redhat.com CC: akurtako(a)redhat.com, dknox(a)redhat.com, gmurphy(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jclere(a)redhat.com, jdoyle(a)redhat.com, krzysztof.daniel(a)gmail.com, lgao(a)redhat.com, myarboro(a)redhat.com, pslavice(a)redhat.com, rsvoboda(a)redhat.com, weli(a)redhat.com As reported fixed in Apache Tomcat 7.0.40 [1]: In very limited circumstances, it was possible for an attacker to upload a malicious JSP to a Tomcat server and then trigger the execution of that JSP. While Remote Code Execution would normally be viewed as a critical vulnerability, the circumstances under which this is possible are, in the view of the Tomcat security team, sufficiently limited that this vulnerability is viewed as important. For this attack to succeed all of the following requirements must be met: 1. Using Oracle Java 1.7.0 update 25 or earlier (or any other Java implementation where java.io.File is vulnerable to null byte injection). 2. A web application must be deployed to a vulnerable version of Tomcat. 3. The web application must use the Servlet 3.0 File Upload feature. 4. A file location within a deployed web application must be writeable by the user the Tomcat process is running as. The Tomcat security documentation recommends against this. 5. A custom listener for JMX connections (e.g. the JmxRemoteListener that is not enabled by default) must be configured and be able to load classes from Tomcat's common class loader (i.e. the custom JMX listener must be placed in Tomcat's lib directory). 6. The custom JMX listener must be bound to an address other than localhost for a remote attack (it is bound to localhost by default). If the custom JMX listener is bound to localhost, a local attack will still be possible. Note that requirements 2 and 3 may be replaced with the following requirement: 7. A web application is deployed that uses Apache Commons File Upload 1.2.1 or earlier. In this case (requirements 1, 4, 5, 6 and 7 met) a similar vulnerability may exist on any Servlet container, not just Apache Tomcat. This was fixed in revision 1470437. [2] (April 22, 2013) This issue was identified by Pierre Ernst of the VMware Security Engineering, Communications and Response group (vSECR) and reported to the Tomcat security team via the Pivotal security team on 5 September 2014. It was made public on 10 September 2014. Affects: 7.0.0 to 7.0.39 [1] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40 [2] http://svn.apache.org/viewvc?view=revision&revision=1470437 Statement: This issue did not affect the versions of tomcat as shipped with Red Hat Enterprise Linux 5, 6, or 7 nor the versions of tomcat as shipped with JBoss Enterprise Web Server. -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=NIGlAdEiPm&a=cc_unsubscribe

8 years, 2 months

1
9
0 / 0

[Bug 652183] Java SIG tracker bug

by Red Hat Bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=652183 gil cattaneo <puntogil(a)libero.it> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1305237 Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1305237 [Bug 1305237] Review Request: rome-parent - Parent for all ROME projects -- You are receiving this mail because: You are the QA Contact for the bug. You are the assignee for the bug.

8 years, 2 months

1
0
0 / 0

[Bug 1203652] New: tomcat: Duplicate Maven metadata for tomcat-jdbc

by Red Hat Bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1203652 Bug ID: 1203652 Summary: tomcat: Duplicate Maven metadata for tomcat-jdbc Product: Fedora Version: 22 Component: tomcat Keywords: Regression Assignee: ivan.afonichev(a)gmail.com Reporter: mizdebsk(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com, sgallagh(a)redhat.com Description of problem: Tomcat installs duplicate metadata for tomcat-jdbc Maven artifact. Version-Release number of selected component (if applicable): 7.0.59-3 Steps to Reproduce: xmvn-resolve org.apache.tomcat:tomcat-jdbc Actual results: [WARNING] Ignoring metadata for artifact org.apache.tomcat:tomcat-jdbc:jar:SYSTEM as it has duplicate metadata [WARNING] Ignoring metadata for artifact org.apache.tomcat:tomcat-jdbc:pom:SYSTEM as it has duplicate metadata [ERROR] Unable to resolve artifact org.apache.tomcat:tomcat-jdbc:jar:SYSTEM Expected results: /usr/share/java/tomcat/tomcat-jdbc.jar Additional info: Regression was introduced in: commit ce74ddbcd3beba22fb70cd2dc890efa7409bf97f Author: Stephen Gallagher <sgallagh(a)redhat.com> Date: Tue Mar 3 14:58:21 2015 -0500 Revert to Tomcat 7 -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=wfJxJ9VXJ8&a=cc_unsubscribe

8 years, 2 months

1
6
0 / 0

[Bug 652183] Java SIG tracker bug

by Red Hat Bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=652183 Jonny Heggheim <hegjon(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1303764 Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1303764 [Bug 1303764] Review Request: xchange - Java library providing API for Bitcoin and Altcoin exchanges -- You are receiving this mail because: You are the QA Contact for the bug. You are the assignee for the bug.

8 years, 2 months

1
0
0 / 0

[Bug 1301160] New: itext-toolbox wrapper doesn't worki

by Red Hat Bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=1301160 Bug ID: 1301160 Summary: itext-toolbox wrapper doesn't worki Product: Fedora Version: 23 Component: itext Assignee: puntogil(a)libero.it Reporter: luto(a)kernel.org QA Contact: extras-qa(a)fedoraproject.org CC: andjrobins(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jochen(a)herr-schmitt.de, puntogil(a)libero.it itext-toolbox fails: $ itext-toolbox Java virtual machine used: /usr/share/java-utils/java-wrapper classpath used: /usr/share/java/bcprov.jar:/usr/share/java/bcmail.jar:/usr/share/java/bctsp.jar:/usr/share/java/itext.jar:/usr/share/java/itext-toolbox.jar main class used: com.lowagie.toolbox.Toolbox flags used: options used: '-cp /usr/share/java/bcprov.jar:/usr/share/java/bcmail.jar:/usr/share/java/bctsp.jar:/usr/share/java/itext.jar:/usr/share/java/itext-toolbox.jar' arguments used: Unrecognized option: -cp /usr/share/java/bcprov.jar:/usr/share/java/bcmail.jar:/usr/share/java/bctsp.jar:/usr/share/java/itext.jar:/usr/share/java/itext-toolbox.jar Error: Could not create the Java Virtual Machine. Error: A fatal exception has occurred. Program will exit. I think the right fix is to switch to %jpackage_script. See https://fedoraproject.org/wiki/Packaging:Java#Wrapper_Scripts -- You are receiving this mail because: You are on the CC list for the bug.

8 years, 2 months

1
8
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits February 2016