Broken dependencies: bouncycastle-pkix
by buildsys@fedoraproject.org
bouncycastle-pkix has broken dependencies in the rawhide tree:
On aarch64:
bouncycastle-pkix-1.54-2.fc26.noarch requires mvn(org.bouncycastle:bcprov-jdk15on) = 0:1.54
Please resolve this as soon as possible.
6 years, 11 months
[Bug 1448753] New: SourceProvider in RestEasy-jaxrs is vulnerable to XXE
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1448753
Bug ID: 1448753
Summary: SourceProvider in RestEasy-jaxrs is vulnerable to XXE
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: jshepherd(a)redhat.com
CC: alee(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mgoldman(a)redhat.com, puntogil(a)libero.it,
weli(a)redhat.com
RESTEasy SourceProvider unmarshals some content without XML External Entity
protection. An attacker can use this flaw to launch an XXE attack on a RESTEasy
endpoint which uses a wildcard mime-type or multipart mime-type. It's only
possible to launch an attack if a mime-type of 'application/*+xml' is used
specifically.
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1448754] New: resteasy: SourceProvider in RestEasy-jaxrs is vulnerable to XXE [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1448754
Bug ID: 1448754
Summary: resteasy: SourceProvider in RestEasy-jaxrs is
vulnerable to XXE [fedora-all]
Product: Fedora
Version: 25
Component: resteasy
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: alee(a)redhat.com
Reporter: jshepherd(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mgoldman(a)redhat.com, puntogil(a)libero.it,
weli(a)redhat.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1446128] New: CVE-2017-1000355 jenkins: Java crash when trying to instantiate void/Void (SECURITY-503)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1446128
Bug ID: 1446128
Summary: CVE-2017-1000355 jenkins: Java crash when trying to
instantiate void/Void (SECURITY-503)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
tdawson(a)redhat.com, tiwillia(a)redhat.com
Jenkins uses the XStream library to serialize and deserialize XML. Its
maintainer recently published a security vulnerability that allows anyone able
to provide XML to Jenkins for processing using XStream to crash the Java
process. In Jenkins this typically applies to users with permission to create
or configure items (jobs), views, or agents.
Jenkins now prohibits the attempted deserialization of void / Void that results
in a crash.
Affected versions:
All Jenkins main line releases up to and including 2.56
All Jenkins LTS releases up to and including 2.46.1
Fixed in:
Jenkins main line users should update to 2.57
Jenkins LTS users should update to 2.46.2
External References:
https://jenkins.io/security/advisory/2017-04-26/#xstream-java-crash-when-...
http://www.openwall.com/lists/oss-security/2017/04/03/4
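The Jenkins fix above is a type restriction on what XStream is allowed to
instantiate. The following is an added example (not Jenkins' own code, and not
XStream's defaults) showing the general form of that hardening with XStream's
own security API: drop every type permission, then re-admit only the classes
the application actually persists, so a document naming void/Void (or any other
unexpected class) is refused before reflection ever tries to instantiate it.
JobConfig is a hypothetical stand-in for the persisted type; the XML strings are
constructed. It assumes an XStream in the 1.4.7 to 1.4.17 range, where
addPermission/allowTypes/denyTypes exist but nothing is denied by default.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

import java.util.ArrayList;
import java.util.List;

public class XStreamAllowlistDemo {

    // Hypothetical configuration type the application persists as XML.
    public static class JobConfig {
        public String name;
        public List<String> steps = new ArrayList<>();
    }

    // Unrestricted XStream (the pre-1.4.18 default): it will attempt to
    // instantiate whatever class name the document supplies. The hostile
    // payload is deliberately NOT fed to this instance, because on an affected
    // XStream/JVM combination that is exactly what crashed the process.
    static XStream permissiveXStream() {
        XStream xs = new XStream();
        xs.alias("job", JobConfig.class);
        return xs;
    }

    // Allowlisted XStream: remove all permissions, then admit only the types
    // this application expects. String and ArrayList are needed for the
    // fields of JobConfig; everything else is forbidden.
    static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.alias("job", JobConfig.class);
        xs.addPermission(NoTypePermission.NONE);
        xs.allowTypes(new Class[] { JobConfig.class, String.class, ArrayList.class });
        // Redundant under a strict allowlist, but records the intent in case
        // someone later widens the list with a wildcard permission.
        xs.denyTypes(new Class[] { void.class, Void.class });
        return xs;
    }

    // Returns a short description of the outcome instead of letting the
    // exception escape, so the two configurations can be compared side by side.
    static String tryParse(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return "deserialised " + (o == null ? "null" : o.getClass().getName());
        } catch (ForbiddenClassException e) {
            return "rejected: " + e.getMessage();
        } catch (RuntimeException e) {
            return "failed: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed benign document matching JobConfig.
        String benign =
            "<job><name>build</name><steps><string>mvn verify</string></steps></job>";
        // Constructed hostile document naming a type the application never uses.
        String hostile = "<java.lang.Void/>";

        System.out.println("permissive, benign: " + tryParse(permissiveXStream(), benign));
        System.out.println("hardened,   benign: " + tryParse(hardenedXStream(), benign));
        System.out.println("hardened,  hostile: " + tryParse(hardenedXStream(), hostile));
    }
}
```

The point of the allowlist rather than a denylist of void/Void is that the
rejected class is only one instance of "a type the application never asked
for"; under NoTypePermission.NONE the unknown-class case is closed generically,
and the explicit denyTypes line is documentation, not the control.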
[Bug 1451405] New: CVE-2017-5655 CVE-2017-5654 ambari: Multiple security vulnerabilities fixed in ambari 2.5.1
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1451405
Bug ID: 1451405
Summary: CVE-2017-5655 CVE-2017-5654 ambari: Multiple security
vulnerabilities fixed in ambari 2.5.1
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: java-sig-commits(a)lists.fedoraproject.org,
me(a)coolsvap.net, moceap(a)hotmail.com,
pmackinn(a)redhat.com
Multiple security vulnerabilities were found in Ambari.
CVE-2017-5654: XML injection vulnerability in Hive View
An authorized user of the Ambari Hive View may be able to gain unauthorized
read access to files on the host where the Ambari server executes. Access to
files is limited to the set of files for which the user that executes the Ambari
server has read access.
CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari
temp directory when downloading configurations
Sensitive data may be stored on disk in temporary files on the Ambari Server
host. The temporary files are readable by any user authenticated on the host.
External References:
https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities...
[Bug 1443567] New: missing Requires: xmlgraphics-commons in squiggle and rasterizer subpackage
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1443567
Bug ID: 1443567
Summary: missing Requires: xmlgraphics-commons in squiggle and
rasterizer subpackage
Product: Fedora
Version: 25
Component: batik
Assignee: mizdebsk(a)redhat.com
Reporter: martin.gieseking(a)uos.de
QA Contact: extras-qa(a)fedoraproject.org
CC: c.david86(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com
Currently, the packages batik-squiggle and batik-rasterizer don't depend on
xmlgraphics-commons which is required by "squiggle" and "rasterizer" to work
properly. Both utilities fail to start if it's not installed. It would be nice
if you could add the missing Requires to the subpackages.
[Bug 1443593] New: CVE-2017-5662 batik: XML external entity processing vulnerability [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1443593
Bug ID: 1443593
Summary: CVE-2017-5662 batik: XML external entity processing
vulnerability [fedora-all]
Product: Fedora
Version: 25
Component: batik
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: anemec(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: c.david86(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.