[Bug 1441242] New: CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1441242
Bug ID: 1441242
Summary: CVE-2017-5647 CVE-2017-5648 CVE-2017-5650
CVE-2017-5651 tomcat: various flaws [fedora-all]
Product: Fedora
Version: 25
Component: tomcat
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: ivan.afonichev(a)gmail.com
Reporter: amaris(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com, csutherl(a)redhat.com,
ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, me(a)coolsvap.net,
trick(a)vanstaveren.us
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1445738] New: Maven java.lang.NoClassDefFoundError: org/apache/commons/codec/binary/Base64
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1445738
Bug ID: 1445738
Summary: Maven java.lang.NoClassDefFoundError:
org/apache/commons/codec/binary/Base64
Product: Fedora
Version: rawhide
Component: maven
Assignee: mizdebsk(a)redhat.com
Reporter: schaum(a)kaffeekrone.de
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Description of problem:
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Check out a Maven project
2. Execute "mvn clean install"
Actual results:
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/codec/binary/Base64
    at org.apache.http.impl.auth.BasicScheme.authenticate(BasicScheme.java:166)
    at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)
    at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:263)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.maven.wagon.providers.http.AbstractHttpClientWagon.execute(AbstractHttpClientWagon.java:832)
    at org.apache.maven.wagon.providers.http.AbstractHttpClientWagon.fillInputData(AbstractHttpClientWagon.java:983)
    at org.apache.maven.wagon.providers.http.AbstractHttpClientWagon.fillInputData(AbstractHttpClientWagon.java:960)
    at org.apache.maven.wagon.StreamWagon.getInputStream(StreamWagon.java:116)
    at org.apache.maven.wagon.StreamWagon.getIfNewer(StreamWagon.java:88)
    at org.apache.maven.wagon.StreamWagon.get(StreamWagon.java:61)
    at org.eclipse.aether.transport.wagon.WagonTransporter$GetTaskRunner.run(WagonTransporter.java:569)
    at org.eclipse.aether.transport.wagon.WagonTransporter.execute(WagonTransporter.java:436)
    at org.eclipse.aether.transport.wagon.WagonTransporter.get(WagonTransporter.java:413)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask(BasicRepositoryConnector.java:456)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run(BasicRepositoryConnector.java:359)
    at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run(RunnableErrorForwarder.java:76)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$DirectExecutor.execute(BasicRepositoryConnector.java:590)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector.get(BasicRepositoryConnector.java:231)
    at org.eclipse.aether.internal.impl.DefaultMetadataResolver$ResolveTask.run(DefaultMetadataResolver.java:616)
    at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run(RunnableErrorForwarder.java:76)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Expected results:
Maven does not complain about a missing class
Additional info:
[Bug 1390526] CVE-2016-0762 tomcat: timing attack in Realm implementation
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1390526
Timothy Walsh <twalsh(a)redhat.com> changed:
CC added: psotirop(a)redhat.com

Whiteboard, removed:
impact=low,public=20161027,reported=20161027,source=internet,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,cvss3=3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N,brms-5/jbossweb=affected,eap-5/jbossweb=affected,eap-6/jbossweb=affected,jdg-6/jbossweb=affected,jdv-6/jbossweb=affected,jon-3/jbossweb=affected,fsw-6/jbossweb=affected,fuse-6/jbossweb=wontfix,openshift-1/jbossweb=affected,rhel-5/tomcat5=wontfix,rhel-6/tomcat6=wontfix,rhel-7/tomcat=wontfix,jbews-2/tomcat7=wontfix,jbews-2/tomcat6=wontfix,jbews-3/tomcat7=defer,jbews-3/tomcat8=defer,fedora-all/tomcat=affected,epel-6/tomcat=affected,jws-3/tomcat7=affected,jws-3/tomcat8=affected

Whiteboard, added:
impact=low,public=20161027,reported=20161027,source=internet,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,cvss3=3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N,brms-5/jbossweb=affected,eap-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,jdg-6/jbossweb=affected,jdv-6/jbossweb=affected,jon-3/jbossweb=affected,fsw-6/jbossweb=affected,fuse-6/jbossweb=wontfix,openshift-1/jbossweb=affected,rhel-5/tomcat5=wontfix,rhel-6/tomcat6=wontfix,rhel-7/tomcat=wontfix,jbews-2/tomcat7=wontfix,jbews-2/tomcat6=wontfix,jbews-3/tomcat7=defer,jbews-3/tomcat8=defer,fedora-all/tomcat=affected,epel-6/tomcat=affected,jws-3/tomcat7=affected,jws-3/tomcat8=affected

Net change: eap-5/jbossweb and eap-6/jbossweb move from affected to notaffected; every other entry, including the CVSS vectors, is unchanged.
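The entry above names CVE-2016-0762 only by its title. The Apache Tomcat advisory for it describes the leak as the Realm implementations not processing the supplied password when the user name did not exist, which made valid user names distinguishable by response time. The following is an added illustration of that class of bug and its fix; it is not Tomcat's Realm code and not part of the bug report. The user store, salt, iteration count and the names alice/nobody are constructed for the demo, and the slow iterated SHA-256 merely stands in for a real password hash such as PBKDF2 or bcrypt.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class RealmTimingDemo {

    // Constructed demo parameters. A real Realm would store PBKDF2/bcrypt
    // hashes; the iteration loop only makes hashing slow enough to measure.
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final int ITERATIONS = 50_000;

    static byte[] slowHash(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(SALT);
            byte[] out = md.digest(password.getBytes(StandardCharsets.UTF_8));
            for (int i = 0; i < ITERATIONS; i++) {
                out = md.digest(out);
            }
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Hash of a password nobody holds. The hardened path compares against it
    // when the user name is unknown, so both outcomes cost the same work.
    private static final byte[] DUMMY_HASH = slowHash("no-such-password");

    private final Map<String, byte[]> users = new HashMap<>();

    void addUser(String name, String password) {
        users.put(name, slowHash(password));
    }

    // Vulnerable shape: an unknown user name returns before the password is
    // hashed, so that request answers measurably faster than a known user
    // with a wrong password. The difference enumerates valid user names.
    boolean authenticateVulnerable(String user, String password) {
        byte[] stored = users.get(user);
        if (stored == null) {
            return false;
        }
        return MessageDigest.isEqual(stored, slowHash(password));
    }

    // Hardened shape: always hash the supplied password and always run the
    // constant-time comparison, against the stored hash or the dummy hash.
    boolean authenticateHardened(String user, String password) {
        byte[] stored = users.get(user);
        boolean known = stored != null;
        byte[] candidate = slowHash(password);
        boolean match = MessageDigest.isEqual(known ? stored : DUMMY_HASH, candidate);
        return known & match; // non-short-circuit: no extra branch on 'known'
    }

    // Median wall-clock time of 'rounds' calls, in milliseconds.
    static double medianMillis(Runnable call, int rounds) {
        long[] samples = new long[rounds];
        for (int i = 0; i < rounds; i++) {
            long start = System.nanoTime();
            call.run();
            samples[i] = System.nanoTime() - start;
        }
        Arrays.sort(samples);
        return samples[rounds / 2] / 1_000_000.0;
    }

    public static void main(String[] args) {
        RealmTimingDemo realm = new RealmTimingDemo();
        realm.addUser("alice", "correct horse battery staple");
        int rounds = 15;
        System.out.printf("vulnerable, known user, wrong password: %.2f ms%n",
                medianMillis(() -> realm.authenticateVulnerable("alice", "wrong"), rounds));
        System.out.printf("vulnerable, unknown user:               %.2f ms%n",
                medianMillis(() -> realm.authenticateVulnerable("nobody", "wrong"), rounds));
        System.out.printf("hardened, known user, wrong password:   %.2f ms%n",
                medianMillis(() -> realm.authenticateHardened("alice", "wrong"), rounds));
        System.out.printf("hardened, unknown user:                 %.2f ms%n",
                medianMillis(() -> realm.authenticateHardened("nobody", "wrong"), rounds));
    }
}
```

Run it with `javac RealmTimingDemo.java && java RealmTimingDemo`. The vulnerable path shows the unknown-user case completing in a fraction of the time of the known-user case; the hardened path shows both within noise of each other. The two ingredients of the fix are doing the expensive work unconditionally and using MessageDigest.isEqual rather than Arrays.equals for the comparison, since the latter stops at the first differing byte.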
[Bug 1390520] CVE-2016-6794 tomcat: system property disclosure
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1390520
Timothy Walsh <twalsh(a)redhat.com> changed:
CC added: psotirop(a)redhat.com

Whiteboard, removed:
impact=low,public=20161027,reported=20161027,source=internet,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,cvss3=3.1/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N,brms-5/jbossweb=affected,eap-5/jbossweb=affected,eap-6/jbossweb=affected,jdg-6/jbossweb=affected,jdv-6/jbossweb=affected,jon-3/jbossweb=affected,fsw-6/jbossweb=affected,fuse-6/jbossweb=wontfix,openshift-1/jbossweb=affected,rhel-5/tomcat5=wontfix,rhel-6/tomcat6=wontfix,rhel-7/tomcat=wontfix,jbews-2/tomcat7=wontfix,jbews-2/tomcat6=wontfix,jbews-3/tomcat7=defer,jbews-3/tomcat8=defer,fedora-all/tomcat=affected,epel-6/tomcat=affected,jws-3/tomcat7=affected,jws-3/tomcat8=affected

Whiteboard, added:
impact=low,public=20161027,reported=20161027,source=internet,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,cvss3=3.1/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N,brms-5/jbossweb=affected,eap-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,jdg-6/jbossweb=affected,jdv-6/jbossweb=affected,jon-3/jbossweb=affected,fsw-6/jbossweb=affected,fuse-6/jbossweb=wontfix,openshift-1/jbossweb=affected,rhel-5/tomcat5=wontfix,rhel-6/tomcat6=wontfix,rhel-7/tomcat=wontfix,jbews-2/tomcat7=wontfix,jbews-2/tomcat6=wontfix,jbews-3/tomcat7=defer,jbews-3/tomcat8=defer,fedora-all/tomcat=affected,epel-6/tomcat=affected,jws-3/tomcat7=affected,jws-3/tomcat8=affected

Net change: eap-5/jbossweb and eap-6/jbossweb move from affected to notaffected; every other entry, including the CVSS vectors, is unchanged.
[Bug 1390493] CVE-2016-6797 tomcat: unrestricted access to global resources
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1390493
Timothy Walsh <twalsh(a)redhat.com> changed:
CC added: psotirop(a)redhat.com

Whiteboard, removed:
impact=low,public=20161027,reported=20161027,source=internet,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,cvss3=3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N,brms-5/jbossweb=affected,eap-5/jbossweb=affected,eap-6/jbossweb=affected,jdg-6/jbossweb=affected,jdv-6/jbossweb=affected,jon-3/jbossweb=affected,fsw-6/jbossweb=affected,fuse-6/jbossweb=wontfix,openshift-1/jbossweb=affected,rhel-5/tomcat5=wontfix,rhel-6/tomcat6=wontfix,rhel-7/tomcat=wontfix,jbews-2/tomcat7=wontfix,jbews-2/tomcat6=wontfix,jbews-3/tomcat7=defer,jbews-3/tomcat8=defer,fedora-all/tomcat=affected,epel-6/tomcat=affected,jws-3/tomcat8=affected,jws-3/tomcat7=affected

Whiteboard, added:
impact=low,public=20161027,reported=20161027,source=internet,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,cvss3=3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N,brms-5/jbossweb=affected,eap-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,jdg-6/jbossweb=affected,jdv-6/jbossweb=affected,jon-3/jbossweb=affected,fsw-6/jbossweb=affected,fuse-6/jbossweb=wontfix,openshift-1/jbossweb=affected,rhel-5/tomcat5=wontfix,rhel-6/tomcat6=wontfix,rhel-7/tomcat=wontfix,jbews-2/tomcat7=wontfix,jbews-2/tomcat6=wontfix,jbews-3/tomcat7=defer,jbews-3/tomcat8=defer,fedora-all/tomcat=affected,epel-6/tomcat=affected,jws-3/tomcat8=affected,jws-3/tomcat7=affected

Net change: eap-5/jbossweb and eap-6/jbossweb move from affected to notaffected; every other entry, including the CVSS vectors, is unchanged.
[Bug 1422148] New: tomcat: Infinite loop in the processing of https requests
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1422148
Bug ID: 1422148
Summary: tomcat: Infinite loop in the processing of https
requests
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: alee(a)redhat.com, bbaranow(a)redhat.com,
bmaxwell(a)redhat.com, cdewolf(a)redhat.com,
csutherl(a)redhat.com, dandread(a)redhat.com,
darran.lofthouse(a)redhat.com, dosoudil(a)redhat.com,
gzaronik(a)redhat.com, hhorak(a)redhat.com,
ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jclere(a)redhat.com,
jdoyle(a)redhat.com, jorton(a)redhat.com,
krzysztof.daniel(a)gmail.com, lgao(a)redhat.com,
mbabacek(a)redhat.com, me(a)coolsvap.net,
mizdebsk(a)redhat.com, myarboro(a)redhat.com,
pgier(a)redhat.com, psakar(a)redhat.com,
pslavice(a)redhat.com, rnetuka(a)redhat.com,
rsvoboda(a)redhat.com, trick(a)vanstaveren.us,
twalsh(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com
It was discovered that a programming error in the processing of HTTPS requests
in the Apache Tomcat servlet and JSP engine may result in denial of service via
an infinite loop.
Upstream patch:
https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9...
Upstream bug:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57544
[Bug 1413466] CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1413466
Hooman Broujerdi <hghasemb(a)redhat.com> changed:
Whiteboard, removed:
impact=important,public=20170114,reported=20170112,source=internet,cvss3=9.6/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H,amq-6/groovy=affected,jdv-6/groovy=affected/cvss3=8.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/impact=moderate,eap-5/groovy=wontfix,brms-5/groovy=wontfix,soap-5/groovy=wontfix,eds-5/groovy=wontfix,fsw-6/camel=affected,fuse-6/camel=affected,jon-3/groovy=notaffected,epp-5/groovy=new,openshift-enterprise-2/jenkins=new,rhev-m-3/jasperreports-server-pro=new,rhel-7/groovy=new,rhn_satellite_6/groovy=new,rhscl-2/rh-maven33-groovy=new,fedora-all/groovy=affected,fedora-all/groovy18=affected

Whiteboard, added:
impact=important,public=20170114,reported=20170112,source=internet,cvss3=9.6/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H,amq-6/groovy=affected,jdv-6/groovy=affected/impact=moderate/cvss3=8.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H,eap-5/groovy=wontfix,brms-5/groovy=wontfix,soap-5/groovy=wontfix,eds-5/groovy=wontfix,fsw-6/camel=affected,fuse-6/camel=affected,jon-3/groovy=notaffected,epp-5/groovy=new,openshift-enterprise-2/jenkins=new,rhev-m-3/jasperreports-server-pro=new,rhel-7/groovy=new,rhn_satellite_6/groovy=new,rhscl-2/rh-maven33-groovy=new,fedora-all/groovy=affected,fedora-all/groovy18=affected

Net change: only the jdv-6/groovy entry is touched; its product-specific qualifiers are reordered so that impact=moderate precedes the cvss3=8.3 vector. The 8.3 score, the moderate impact and all other entries are unchanged.
--- Comment #12 from Hooman Broujerdi <hghasemb(a)redhat.com> ---
Apache Groovy prior to 2.4.8 allows a deserialization via MethodClosure which
could allow deserialization of untrusted data.
Currently all versions prior to 2.4.8 are affected and the mitigation is to
update to versions >= 2.4.8.
JBoss fuse has fixed this issue as a part of 6.3 R3.
[Bug 1413466] CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1413466
Hooman Broujerdi <hghasemb(a)redhat.com> changed:
Whiteboard, removed:
impact=important,public=20170114,reported=20170112,source=internet,cvss3=9.6/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H,amq-6/groovy=affected,jdv-6/groovy=affected/impact=moderate/cvss3=8.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H,eap-5/groovy=wontfix,brms-5/groovy=wontfix,soap-5/groovy=wontfix,eds-5/groovy=wontfix,fsw-6/camel=affected,fuse-6/camel=affected,jon-3/groovy=notaffected,epp-5/groovy=new,openshift-enterprise-2/jenkins=new,rhev-m-3/jasperreports-server-pro=new,rhel-7/groovy=new,rhn_satellite_6/groovy=new,rhscl-2/rh-maven33-groovy=new,fedora-all/groovy=affected,fedora-all/groovy18=affected

Whiteboard, added:
impact=important,public=20170114,reported=20170112,source=internet,cvss3=9.6/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H,amq-6/groovy=affected,jdv-6/groovy=affected/cvss3=8.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/impact=moderate,eap-5/groovy=wontfix,brms-5/groovy=wontfix,soap-5/groovy=wontfix,eds-5/groovy=wontfix,fsw-6/camel=affected,fuse-6/camel=affected,jon-3/groovy=notaffected,epp-5/groovy=new,openshift-enterprise-2/jenkins=new,rhev-m-3/jasperreports-server-pro=new,rhel-7/groovy=new,rhn_satellite_6/groovy=new,rhscl-2/rh-maven33-groovy=new,fedora-all/groovy=affected,fedora-all/groovy18=affected

Net change: only the jdv-6/groovy entry is touched; its product-specific qualifiers are reordered so that the cvss3=8.3 vector precedes impact=moderate. The 8.3 score, the moderate impact and all other entries are unchanged.
--- Comment #11 from Hooman Broujerdi <hghasemb(a)redhat.com> ---
Upstream tracker & commit: https://issues.apache.org/jira/browse/GROOVY-8052
https://github.com/apache/groovy/blob/master/src/main/org/codehaus/groovy...
[Bug 1443265] New: jetty-9.4.4.v20170414 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1443265
Bug ID: 1443265
Summary: jetty-9.4.4.v20170414 is available
Product: Fedora
Version: rawhide
Component: jetty
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com
Latest upstream release: 9.4.4.v20170414
Current version/release in rawhide: 9.4.3-3.v20170317.fc27
URL: http://www.eclipse.org/jetty
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1447/