May 2017 - java-sig-commits - Fedora Mailing-Lists

by buildsys＠fedoraproject.org

bouncycastle-pkix has broken dependencies in the rawhide tree: On aarch64: bouncycastle-pkix-1.54-2.fc26.noarch requires mvn(org.bouncycastle:bcprov-jdk15on) = 0:1.54 Please resolve this as soon as possible.

6 years, 11 months

1
0
0 / 0

[Bug 1447321] New: nasm-2.13.01 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1447321 Bug ID: 1447321 Summary: nasm-2.13.01 is available Product: Fedora Version: rawhide Component: nasm Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Latest upstream release: 2.13.01 Current version/release in rawhide: 2.13-1.fc27 URL: http://www.nasm.us/pub/nasm/releasebuilds/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/2048/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 11 months

1
3
0 / 0

[Bug 1448753] New: SourceProvider in RestEasy-jaxrs is vulnerable to XXE

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1448753 Bug ID: 1448753 Summary: SourceProvider in RestEasy-jaxrs is vulnerable to XXE Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: jshepherd(a)redhat.com CC: alee(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mgoldman(a)redhat.com, puntogil(a)libero.it, weli(a)redhat.com RESTEasy SourceProvider unmarshals some content without XML External Entity protection. An attacker can use this flaw to launch an XXE attack on a RESTEasy endpoint which uses a wildcard mime-type of mulitpart mime-type. Its only possible to launch an attack if a mime-type of 'application/*+xml' is used specifically. -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 11 months

1
11
0 / 0

[Bug 1448754] New: resteasy: SourceProvider in RestEasy-jaxrs is vulnerable to XXE [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1448754 Bug ID: 1448754 Summary: resteasy: SourceProvider in RestEasy-jaxrs is vulnerable to XXE [fedora-all] Product: Fedora Version: 25 Component: resteasy Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: alee(a)redhat.com Reporter: jshepherd(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mgoldman(a)redhat.com, puntogil(a)libero.it, weli(a)redhat.com This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 11 months

1
4
0 / 0

[Bug 1446128] New: CVE-2017-1000355 jenkins: Java crash when trying to instantiate void/Void (SECURITY-503)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1446128 Bug ID: 1446128 Summary: CVE-2017-1000355 jenkins: Java crash when trying to instantiate void/Void (SECURITY-503) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com, tiwillia(a)redhat.com Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published a security vulnerability that allows anyone able to provide XML to Jenkins for processing using XStream to crash the Java process. In Jenkins this typically applies to users with permission to create or configure items (jobs), views, or agents. Jenkins now prohibits the attempted deserialization of void / Void that results in a crash. Affected versions: All Jenkins main line releases up to and including 2.56 All Jenkins LTS releases up to and including 2.46.1 Fixed in: Jenkins main line users should update to 2.57 Jenkins LTS users should update to 2.46.2 External References: https://jenkins.io/security/advisory/2017-04-26/#xstream-java-crash-when-... http://www.openwall.com/lists/oss-security/2017/04/03/4 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 11 months

1
6
0 / 0

[Bug 1451405] New: CVE-2017-5655 CVE-2017-5654 ambari: Multiple security vulnerabilities fixed in ambari 2.5.1

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1451405 Bug ID: 1451405 Summary: CVE-2017-5655 CVE-2017-5654 ambari: Multiple security vulnerabilities fixed in ambari 2.5.1 Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, me(a)coolsvap.net, moceap(a)hotmail.com, pmackinn(a)redhat.com Multiple security vulnerabilities were found in Ambari. CVE-2017-5654: XML injection vulnerability in Hive View An authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Amari server executes. Access to files are limit to the set of files for which the user that executes the Ambari server has read access. CVE-2017-5655: Possible exposure of sensitive data in files created in Ambari temp directory when downloading configurations Sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host. External References: https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities... -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 11 months

1
2
0 / 0

[Bug 1443567] New: missing Requires: xmlgraphics-commons in squiggle and rasterizer subpackage

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1443567 Bug ID: 1443567 Summary: missing Requires: xmlgraphics-commons in squiggle and rasterizer subpackage Product: Fedora Version: 25 Component: batik Assignee: mizdebsk(a)redhat.com Reporter: martin.gieseking(a)uos.de QA Contact: extras-qa(a)fedoraproject.org CC: c.david86(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com Currently, the packages batik-squiggle and batik-rasterizer don't depend on xmlgraphics-commons which is required by "squiggle" and "rasterizer" to work properly. Both utilities fail to start if it's not installed. It would be nice if you could add the missing Requires to the subpackages. -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 12 months

1
14
0 / 0

[Bug 1443593] New: CVE-2017-5662 batik: XML external entity processing vulnerability [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1443593 Bug ID: 1443593 Summary: CVE-2017-5662 batik: XML external entity processing vulnerability [fedora-all] Product: Fedora Version: 25 Component: batik Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: mizdebsk(a)redhat.com Reporter: anemec(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: c.david86(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 12 months

1
16
0 / 0

[Bug 1444036] New: batik-1.9 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1444036 Bug ID: 1444036 Summary: batik-1.9 is available Product: Fedora Version: rawhide Component: batik Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: c.david86(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com Latest upstream release: 1.9 Current version/release in rawhide: 1.8-8.fc27 URL: http://archive.apache.org/dist/xmlgraphics/batik/source/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/168/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 12 months

1
6
0 / 0

[Bug 1448102] New: felix-gogo-parent-2 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1448102 Bug ID: 1448102 Summary: felix-gogo-parent-2 is available Product: Fedora Version: rawhide Component: felix-gogo-parent Keywords: FutureFeature, Triaged Assignee: akurtako(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com Latest upstream release: 2 Current version/release in rawhide: 0.6.0-15.fc26 URL: http://felix.apache.org/site/apache-felix-gogo.html Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/15082/ -- You are receiving this mail because: You are on the CC list for the bug.

7 years

1
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits May 2017