[Bug 1203762] CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1203762
Tomas Hoger <thoger(a)redhat.com> changed:
What: Whiteboard
Removed: impact=moderate,public=20120725,reported=20150317,source=oss-security,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:N/A:P,cwe=CWE-611,bpms-6/batik=affected,brms-5/batik=wontfix,brms-6/batik=affected,dts-2.1/batik=wontfix,dts-3.1/batik=wontfix,fedora-all/batik=affected,fsw-6/batik=affected,jboss/fuse=notaffected,openshift-enterprise-2/jboss-eap6-modules=notaffected,openshift-enterprise-2/openshift-origin-cartridge-fuse=notaffected,rhel-6/batik=wontfix,rhel-7/batik=wontfix,rhev-m-3/jasperreports-server-pro=wontfix,rhscl-2/rh-java-common-batik=wontfix,soap-5/batik=wontfix
Added: impact=moderate,public=20120725,reported=20150317,source=oss-security,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:N/A:P,cwe=CWE-611,bpms-6/batik=affected,brms-5/batik=wontfix,brms-6/batik=affected,dts-2.1/batik=wontfix,dts-3/batik=wontfix,fedora-all/batik=affected,fsw-6/batik=affected,jboss/fuse=notaffected,openshift-enterprise-2/jboss-eap6-modules=notaffected,openshift-enterprise-2/openshift-origin-cartridge-fuse=notaffected,rhel-6/batik=wontfix,rhel-7/batik=wontfix,rhev-m-3/jasperreports-server-pro=wontfix,rhscl-2/rh-java-common-batik=wontfix,soap-5/batik=wontfix
(The only change is the product tag dts-3.1/batik=wontfix becoming dts-3/batik=wontfix.)
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1341052] New: easymock: Broken OSGi manifest
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1341052
Bug ID: 1341052
Summary: easymock: Broken OSGi manifest
Product: Fedora
Version: rawhide
Component: easymock
Assignee: msimacek(a)redhat.com
Reporter: mizdebsk(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, dbhole(a)redhat.com,
fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, msrb(a)redhat.com,
sgehwolf(a)redhat.com
Description of problem:
Easymock update to 3.4 broke eclipse-fedorapackager - it can't resolve the OSGi
requirement on the easymock bundle.
[ERROR] Cannot resolve project dependencies:
[ERROR] Software being installed: org.fedoraproject.eclipse.packager.tests
0.5.1.qualifier
[ERROR] Missing requirement: org.easymock 3.4.0 requires 'package
org.easymock 0.0.0' but it could not be found
[ERROR] Cannot satisfy dependency: org.fedoraproject.eclipse.packager.tests
0.5.1.qualifier depends on: bundle org.easymock 0.0.0
The problem seems to be Fedora-specific. eclipse-fedorapackager built fine when
I tried replacing /usr/share/java/easymock.jar with easymock-3.4.jar downloaded
from Maven Central.
Version-Release number of selected component (if applicable):
3.4-1
Steps to Reproduce:
koji build --scratch f25 eclipse-fedorapackager-0.6.0-0.1.gitb0ca8af.fc25.src.rpm
Additional info:
https://apps.fedoraproject.org/koschei/package/eclipse-fedorapackager
[Bug 1335398] New: joda-convert: FTBFS in rawhide
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1335398
Bug ID: 1335398
Summary: joda-convert: FTBFS in rawhide
Product: Fedora
Version: rawhide
Component: joda-convert
Assignee: mizdebsk(a)redhat.com
Reporter: mizdebsk(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com, SpikeFedora(a)gmail.com
Description of problem:
Package joda-convert fails to build from source in rawhide.
There seem to be two problems - caused by Maven Doxia and Checkstyle updates.
Version-Release number of selected component (if applicable):
1.8.1-2.fc24
Steps to Reproduce:
koji build --scratch f25 joda-convert-1.8.1-2.fc24.src.rpm
Additional info:
This package is tracked by Koschei. See:
https://apps.fedoraproject.org/koschei/package/joda-convert
[Bug 1320842] New: CVE-2016-2166 qpid-proton: reactor sends messages in clear if ssl is requested but not available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1320842
Bug ID: 1320842
Summary: CVE-2016-2166 qpid-proton: reactor sends messages in
clear if ssl is requested but not available
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: abaron(a)redhat.com, aortega(a)redhat.com,
apevec(a)redhat.com, ayoung(a)redhat.com,
bkearney(a)redhat.com, chrisw(a)redhat.com,
cpelland(a)redhat.com, dallan(a)redhat.com,
esammons(a)redhat.com, gkotton(a)redhat.com,
iboverma(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jross(a)redhat.com, jschluet(a)redhat.com,
kgiusti(a)gmail.com, kpalko(a)redhat.com, lhh(a)redhat.com,
lpeer(a)redhat.com, markmc(a)redhat.com,
mcressma(a)redhat.com, messaging-bugs(a)redhat.com,
mmccune(a)redhat.com, ohadlevy(a)redhat.com,
pmyers(a)redhat.com, puntogil(a)libero.it,
rbryant(a)redhat.com, rhos-maint(a)redhat.com,
rrajasek(a)redhat.com, satellite6-bugs(a)redhat.com,
sclewis(a)redhat.com, tdecacqu(a)redhat.com,
tjay(a)redhat.com, tlestach(a)redhat.com
Messaging applications using the Proton Python API to provision an SSL/TLS
encrypted TCP connection may actually instantiate a non-encrypted connection
without notice if SSL support is unavailable. This will result in all messages
being sent in the clear without the knowledge of the user.
This issue affects those applications that use the Proton Reactor Python API to
create SSL/TLS connections. Specifically the proton.reactor.Connector,
proton.reactor.Container, and proton.utils.BlockingConnection classes are
vulnerable. These classes can create an unencrypted connection if the
"amqps://" URL prefix is used.
The issue only occurs if the installed Proton libraries do not support SSL.
This would be the case if the libraries were built without SSL support or the
necessary SSL libraries are not present on the system (e.g. OpenSSL in the case
of *nix).
References:
http://seclists.org/bugtraq/2016/Mar/166
Upstream fix:
https://issues.apache.org/jira/browse/PROTON-1157
Upstream fixed release:
http://qpid.apache.org/releases/qpid-proton-0.12.1/
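The silent downgrade described above, with a pre-flight guard a client could apply before calling into the reactor. This is an added example, not code from qpid-proton or from the bug report; it assumes the python-qpid-proton API (proton.SSL.present() reporting whether the installed library has SSL support, and proton.reactor.Container.connect(url)), neither of which is imported at module level, and uses the constructed hostname broker.example.

```python
"""CVE-2016-2166 guard: fail closed when amqps:// is requested but the
installed Proton library has no SSL support, instead of silently falling
back to plaintext AMQP. Assumed API: proton.SSL.present(), Container.connect.
"""
from urllib.parse import urlsplit


class TlsUnavailableError(RuntimeError):
    """The URL asked for amqps:// but the library cannot provide TLS."""


def proton_ssl_present():
    """Return True if the installed Proton reports SSL support (assumed API)."""
    try:
        from proton import SSL  # assumption: python-qpid-proton is installed
    except ImportError:
        return False  # no library at all, so certainly no TLS
    return bool(SSL.present())


def legacy_effective_scheme(url, ssl_present):
    """Model of the pre-0.12.1 reactor behaviour: amqps:// quietly becomes
    plain amqp when SSL support is missing, and the caller is never told."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "amqps" and not ssl_present:
        return "amqp"
    return scheme


def checked_scheme(url, ssl_present):
    """Hardened variant: refuse rather than downgrade."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "amqps" and not ssl_present:
        raise TlsUnavailableError(
            f"{url!r} requests TLS but this Proton build has no SSL support")
    if scheme not in ("amqp", "amqps"):
        raise ValueError(f"unsupported scheme in {url!r}")
    return scheme


def guarded_connect(container, url):
    """Open the connection only after the guard has passed."""
    checked_scheme(url, proton_ssl_present())
    return container.connect(url)  # assumed proton.reactor.Container API
```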