[Bug 998251] New: activemq 5.8.0 is available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=998251
Bug ID: 998251
Summary: activemq 5.8.0 is available
Product: Fedora
Version: rawhide
Component: activemq
Assignee: mspaulding06(a)gmail.com
Reporter: puntogil(a)libero.it
QA Contact: extras-qa(a)fedoraproject.org
CC: agrimm(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mspaulding06(a)gmail.com, tdawson(a)redhat.com
Created attachment 787792
--> https://bugzilla.redhat.com/attachment.cgi?id=787792&action=edit
update to 5.8.0
Upstream released activemq 5.8.0. Currently, we still have version 5.6.0 in
Rawhide. Please consider updating; a patch is attached.
Changes in the spec file:
- update to 5.8.0
- built with XMvn
- adapt to current guideline
- obsoletes activemq-core activemq-kahadb
- built new modules:
° amq-store, broker, console, jdbc-store,
° log4j-appender, mqtt, openwire-generator,
° openwire-legacy, pool, ra, tooling
(ra module is required by Apache OpenEJB/Tomee 4.5.1)
- fix for CVE-2013-1879 (PATCH0)
- fix for rhbz#991956
NOTE: some features cannot be available, because they require
com.thoughtworks.xstream:xstream:1.4.4
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=AN1TJhSLSq&a=cc_unsubscribe
[Bug 1311950] New: CVE-2016-0792 jenkins: Remote code execution through remote API (SECURITY-247)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1311950
Bug ID: 1311950
Summary: CVE-2016-0792 jenkins: Remote code execution through remote API (SECURITY-247)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, lmeyer(a)redhat.com,
mizdebsk(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
Jenkins has several API endpoints that allow low-privilege users to POST XML
files that then get deserialized by Jenkins. Maliciously crafted XML files sent
to these API endpoints could result in arbitrary code execution.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
[Bug 1311949] New: CVE-2016-0791 jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1311949
Bug ID: 1311949
Summary: CVE-2016-0791 jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, lmeyer(a)redhat.com,
mizdebsk(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
The verification of user-provided CSRF crumbs with the expected value did not
use a constant-time comparison algorithm, potentially allowing attackers to use
statistical methods to determine valid CSRF crumbs using brute-force methods.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
[Bug 1311948] New: CVE-2016-0790 jenkins: Non-constant time comparison of API token (SECURITY-241)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1311948
Bug ID: 1311948
Summary: CVE-2016-0790 jenkins: Non-constant time comparison of API token (SECURITY-241)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, lmeyer(a)redhat.com,
mizdebsk(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
The verification of user-provided API tokens with the expected value did not
use a constant-time comparison algorithm, potentially allowing attackers to use
statistical methods to determine valid API tokens using brute-force methods.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
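The two flaws above (CVE-2016-0791 for CSRF crumbs, CVE-2016-0790 for API tokens) share one root cause: comparing a user-supplied secret with an early-exit loop whose running time depends on how many leading bytes already match. The following added example is not Jenkins code; it models that leak with a byte counter standing in for elapsed time, shows a comparison whose work is independent of where the inputs differ, and uses the standard library's `hmac.compare_digest` for the real check. `SAMPLE_TOKEN` and all guesses are constructed values.

```python
"""Constant-time comparison of secrets (API tokens, CSRF crumbs).

Added example, not code from Jenkins or Red Hat. The "bytes examined"
counter is a stand-in for the timing signal a remote observer measures.
"""
import hmac

# Constructed sample secret; real tokens would be random and longer.
SAMPLE_TOKEN = b"0123456789abcdef"


def naive_compare(expected: bytes, provided: bytes) -> tuple:
    """Byte-by-byte comparison that returns at the first mismatch.

    Returns (is_equal, bytes_examined). bytes_examined grows with the
    length of the correctly guessed prefix, which is the leak: a guess
    with a longer correct prefix takes measurably longer to reject.
    """
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, provided: bytes) -> tuple:
    """Comparison whose work does not depend on where inputs differ.

    Every byte is always visited; mismatches are OR-ed into an
    accumulator that is inspected only once at the end, so there is no
    data-dependent early exit. A length mismatch is recorded in the
    accumulator and the loop still runs over the full expected length.
    """
    same_length = len(expected) == len(provided)
    diff = 0 if same_length else 1
    other = provided if same_length else expected
    examined = 0
    for a, b in zip(expected, other):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def verify_token(expected: bytes, provided: bytes) -> bool:
    """What production code should call: the standard-library primitive.

    hmac.compare_digest is implemented to avoid the content-dependent
    timing of ==, so prefer it over a hand-rolled loop.
    """
    return hmac.compare_digest(expected, provided)


def prefix_leak(expected: bytes, guesses: list) -> list:
    """Bytes examined by naive_compare for each guess.

    Used only to illustrate the signal; the numbers rise as the correct
    prefix lengthens, which is exactly what a constant-time comparison
    must not reveal.
    """
    return [naive_compare(expected, g)[1] for g in guesses]


if __name__ == "__main__":
    guesses = [b"x" * 16, b"0123" + b"x" * 12, SAMPLE_TOKEN]
    print("naive     :", prefix_leak(SAMPLE_TOKEN, guesses))
    print("constant  :", [constant_time_compare(SAMPLE_TOKEN, g)[1]
                          for g in guesses])
    print("verify    :", [verify_token(SAMPLE_TOKEN, g) for g in guesses])
```

Running the block prints `[1, 5, 16]` for the naive loop and `[16, 16, 16]` for the constant-time one; the latter is the property to look for when auditing any code path that checks a token, crumb, MAC or password hash.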
[Bug 1311947] New: CVE-2016-0789 jenkins: HTTP response splitting vulnerability (SECURITY-238)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1311947
Bug ID: 1311947
Summary: CVE-2016-0789 jenkins: HTTP response splitting vulnerability (SECURITY-238)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, lmeyer(a)redhat.com,
mizdebsk(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
An HTTP response splitting vulnerability in the CLI command documentation
allowed attackers to craft Jenkins URLs that serve malicious content.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
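Response splitting, as in CVE-2016-0789 above, happens when a request-derived value carrying a carriage return or line feed is copied into a response header, so the client parses what follows as a second response. The added example below is not Jenkins code: it shows a header setter that refuses such values (checking the percent-decoded form, since servers decode the path before using it), and a small log check that flags requests carrying encoded line breaks. The `/cli/command/...` paths and the access-log lines are constructed for the example.

```python
"""Guarding response headers against CR/LF injection.

Added example, not code from Jenkins or Red Hat. Shows the check a
header-setting helper needs and a detection pass over access logs.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines; the second carries an encoded CR/LF.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /cli/command/build HTTP/1.1" 200',
    '10.0.0.9 - - "GET /cli/command/build%0d%0aX-Injected:%20yes HTTP/1.1" 200',
    '10.0.0.7 - - "GET /job/demo/ HTTP/1.1" 200',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would split the response."""


def contains_line_break(value: str) -> bool:
    """True if value holds CR, LF or NUL, raw or percent-encoded.

    unquote turns %0d/%0a (any case) into the control characters, so a
    single check covers both the decoded and still-encoded forms.
    """
    decoded = unquote(value)
    return any(ch in decoded for ch in ("\r", "\n", "\x00"))


def set_header(headers: dict, name: str, value: str) -> dict:
    """Add a header only if neither name nor value can break a line.

    Rejecting is preferable to silently stripping: a stripped value may
    still be wrong, and the rejection is an event worth logging.
    """
    if contains_line_break(name) or contains_line_break(value):
        raise HeaderInjectionError(f"line break in header {name!r}")
    headers[name] = value
    return headers


def flag_suspicious_requests(lines: list) -> list:
    """Return log lines whose request target carries an encoded line break."""
    flagged = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if match and contains_line_break(match.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    hdrs = set_header({}, "Location", "/cli/command/build")
    print("accepted:", hdrs)
    try:
        set_header({}, "Location", "/cli/command/build%0d%0aX-Injected:%20yes")
    except HeaderInjectionError as err:
        print("rejected:", err)
    for line in flag_suspicious_requests(SAMPLE_LOG):
        print("flagged :", line)
```

The same `contains_line_break` check belongs on every value that reaches a header (redirect targets, cookie values, content-disposition filenames), and the log scan is cheap enough to run retroactively after a patch to see whether the pattern was ever attempted.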
[Bug 1311946] New: CVE-2016-0788 jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1311946
Bug ID: 1311946
Summary: CVE-2016-0788 jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, lmeyer(a)redhat.com,
mizdebsk(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com, tiwillia(a)redhat.com
The following flaw was found in Jenkins:
A vulnerability in the Jenkins remoting module allowed unauthenticated remote
attackers to open a JRMP listener on the server hosting the Jenkins master
process, which allowed arbitrary code execution.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...