[Bug 1528565] CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-15095)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1528565
Pavel Polischouk <pavelp(a)redhat.com> changed:
Whiteboard changed.
Removed:
impact=important,public=20171212,reported=20171206,source=researcher,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,eap-6/resteasy=notaffected,fedora-all/jackson-databind=affected,jdg-7/jackson-databind=new,jon-3/resteasy=notaffected,openshift-enterprise-2/jackson-databind=new,dts-4/devtoolset-4-jackson-databind=wontfix,rhev-m-3/jasperreports-server-pro=wontfix,rhev-m-4/eap7-jackson-databind=affected,amq-6/jackson-databind=notaffected,bpms-6/jackson-databind=new,jdv-6/jackson-databind=new,fuse-6/jackson-databind=notaffected,rhmap-4/jackson-databind=notaffected,rhn_satellite_6/jackson-databind=new,rhscl-3/rh-eclipse46-jackson-databind=affected,rhscl-3/rh-maven35-jackson-databind=affected,sam-1/jackson-databind=wontfix,eap-7/resteasy=affected
Added:
impact=important,public=20171212,reported=20171206,source=researcher,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,eap-6/resteasy=notaffected,fedora-all/jackson-databind=affected,jdg-7/jackson-databind=new,jon-3/resteasy=notaffected,openshift-enterprise-2/jackson-databind=new,dts-4/devtoolset-4-jackson-databind=wontfix,rhev-m-3/jasperreports-server-pro=wontfix,rhev-m-4/eap7-jackson-databind=affected,amq-6/jackson-databind=notaffected,bpms-6/jackson-databind=notaffected,jdv-6/jackson-databind=notaffected,fuse-6/jackson-databind=notaffected,rhmap-4/jackson-databind=notaffected,rhn_satellite_6/jackson-databind=new,rhscl-3/rh-eclipse46-jackson-databind=affected,rhscl-3/rh-maven35-jackson-databind=affected,sam-1/jackson-databind=wontfix,eap-7/resteasy=affected,brms-6/jackson-databind=notaffected
--
You are receiving this mail because:
You are on the CC list for the bug.
6 years, 3 months
[Bug 1469356] New: aether-ant-tasks: Port to XMvn 3.0.0
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1469356
Bug ID: 1469356
Summary: aether-ant-tasks: Port to XMvn 3.0.0
Product: Fedora
Version: rawhide
Component: aether-ant-tasks
Assignee: mizdebsk(a)redhat.com
Reporter: mizdebsk(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: eclipse-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
aether-ant-tasks needs porting to XMvn 3.0.0 (or retiring).
aether-ant-tasks has broken dependencies in the rawhide tree:
aether-ant-tasks-1.0.1-6.fc26.noarch requires xmvn-launcher
[Bug 1462702] CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1462702
Chess Hazlett <chazlett(a)redhat.com> changed:
Whiteboard changed.
Removed:
impact=important,public=20170714,reported=20170616,source=researcher,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-20,amq-6/jackson-databind=notaffected,jdg-7/jackson-databind=new,jdv-6/jackson-databind=affected,eap-7/jackson-databind=affected,bpms-6/jackson-databind=affected,brms-6/jackson-databind=affected,fuse-6/jackson-databind=notaffected,openshift-enterprise-2/jackson-databind=wontfix,rhn_satellite_6/jackson-databind=affected/impact=low,rhmap-4/jackson-databind=notaffected,sam-1/jackson-databind=wontfix,rhev-m-3/jasperreports-server-pro=wontfix,rhev-m-4/eap7-jackson-databind=affected,rhscl-2/rh-eclipse46-jackson-databind=affected,fedora-all/jackson-databind=affected,jon-3/Core Server=notaffected,eap-6/jackson-databind=affected,dts-4/devtoolset-4-jackson-databind=affected,rhscl-3/rh-maven35-jackson-databind=affected,vertx-3/jackson-databind=notaffected,swarm-7/jackson-databind=notaffected
Added:
impact=important,public=20170714,reported=20170616,source=researcher,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-20,amq-6/jackson-databind=notaffected,jdg-7/jackson-databind=affected,jdv-6/jackson-databind=affected,eap-7/jackson-databind=affected,bpms-6/jackson-databind=affected,brms-6/jackson-databind=affected,fuse-6/jackson-databind=notaffected,openshift-enterprise-2/jackson-databind=wontfix,rhn_satellite_6/jackson-databind=affected/impact=low,rhmap-4/jackson-databind=notaffected,sam-1/jackson-databind=wontfix,rhev-m-3/jasperreports-server-pro=wontfix,rhev-m-4/eap7-jackson-databind=affected,rhscl-2/rh-eclipse46-jackson-databind=affected,fedora-all/jackson-databind=affected,jon-3/Core Server=notaffected,eap-6/jackson-databind=affected,dts-4/devtoolset-4-jackson-databind=affected,rhscl-3/rh-maven35-jackson-databind=affected,vertx-3/jackson-databind=notaffected,swarm-7/jackson-databind=notaffected
[Bug 958733] New: plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=958733
Bug ID: 958733
Summary: plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli
Product: Fedora
Version: 18
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Blocks: 958220
Category: ---
The shell quoting logic in this package (and in the org.codehaus.plexus.util.cli.shell package) looks fairly dangerous. It appears to be mostly dead code. Client code should be migrated to java.lang.ProcessBuilder.

The different quoting options (single quotes, double quotes) are difficult to get right, and the reference to StringUtils is not particularly helpful because the caller has to provide the correct set of characters to be escaped, which is platform-dependent.
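The migration the report recommends, as an added illustration that is not plexus-utils code: java.lang.ProcessBuilder takes the program and its arguments as a list and hands them to the child as its argv, so no shell ever parses them and there is no quoting layer to get wrong. The class name NoShellExec, the helper run(), and the sample arguments are constructed for this example; it assumes Java 11 or later and a coreutils /usr/bin/printf, which prints each argument it receives on its own line and so shows exactly what the child process saw.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not from plexus-utils): invoke a program through
 * ProcessBuilder with an argument list instead of a shell-quoted string.
 */
public final class NoShellExec {

    /**
     * Runs `program` with `args` passed verbatim as argv entries.
     * No /bin/sh is involved, so metacharacters in args are just data.
     */
    public static String run(String program, List<String> args)
            throws IOException, InterruptedException {
        List<String> command = new ArrayList<>();
        command.add(program);
        command.addAll(args);

        ProcessBuilder pb = new ProcessBuilder(command);
        pb.redirectErrorStream(true); // merge stderr into stdout for this demo

        Process p = pb.start();
        byte[] out = p.getInputStream().readAllBytes();
        int rc = p.waitFor();
        if (rc != 0) {
            throw new IOException(program + " exited with status " + rc);
        }
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] argv) throws Exception {
        // Constructed sample arguments containing characters a shell would
        // interpret: quotes, variable syntax, command separator, backticks,
        // and a run of spaces that whitespace splitting would destroy.
        List<String> awkward = new ArrayList<>();
        awkward.add("%s\n");               // printf format: one line per argument
        awkward.add("it's");
        awkward.add("a \"quoted\" word");
        awkward.add("$HOME");
        awkward.add("a;b");
        awkward.add("`x`");
        awkward.add("two  spaces");

        // Each argument should come back unchanged on its own line.
        String seen = run("/usr/bin/printf", awkward);
        System.out.print(seen);
    }
}
```

Run with `java NoShellExec.java`: every line of output matches the list entry it came from, including `$HOME` unexpanded and the double space preserved. Contrast with the single-string Runtime.exec(String) form, which splits the command on whitespace with a StringTokenizer, or with handing a concatenated string to `sh -c`, where each of those arguments would need platform-specific escaping of the kind the report describes as hard to get right.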