October 2018 - java-sig-commits - Fedora Mailing-Lists

[Bug 1632470] New: CVE-2018-11762 tika: XML entity expansion vulnerability due to lack of limit configuration [ fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1632470 Bug ID: 1632470 Summary: CVE-2018-11762 tika: XML entity expansion vulnerability due to lack of limit configuration [fedora-all] Product: Fedora Version: 28 Component: tika Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: puntogil(a)libero.it Reporter: lpardo(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 6 months

1
4
0 / 0

[Bug 1632469] CVE-2018-11762 tika: Zip Slip vulnerability in tika-app

by bugzilla＠redhat.com

5 years, 6 months

1
0
0 / 0

[Bug 1632462] CVE-2018-11761 tika: XML entity expansion vulnerability due to lack of limit configuration

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1632462 Tomas Hoger <thoger(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC|java-maint(a)redhat.com | Whiteboard|impact=moderate,public=2018 |impact=moderate,public=2018 |0919,reported=20180919,sour |0919,reported=20180919,sour |ce=cve,cvss3=7.5/CVSS:3.0/A |ce=cve,cvss3=7.5/CVSS:3.0/A |V:N/AC:L/PR:N/UI:N/S:U/C:N/ |V:N/AC:L/PR:N/UI:N/S:U/C:N/ |I:N/A:H,cwe=CWE-776,rhel-8/ |I:N/A:H,cwe=CWE-776,fedora- |tika=affected,fedora-all/ti |all/tika=affected,rhscl-3/r |ka=affected,rhscl-3/rh-ecli |h-eclipse46-tika=affected,f |pse46-tika=new,fis-2/tika-c |is-2/tika-core=new,fuse-7/c |ore=new,fuse-7/camel-tika=n |amel-tika=new,fsw-6/tika-co |ew,fsw-6/tika-core=new,brms |re=new,brms-5/tika-core=new |-5/tika-core=new,brms-6/tik |,brms-6/tika-core=new,bpms- |a-core=new,bpms-6/tika-core |6/tika-core=new,jdv-6/tika- |=new,jdv-6/tika-core=new,rh |core=new,rhn_satellite_5/ti |n_satellite_5/tika=new |ka=new --- Comment #2 from Tomas Hoger <thoger(a)redhat.com> --- Upstream commit: https://github.com/apache/tika/commit/bd9d75d8b0a85af2937047bfad04288c304... Note that this commit would only apply cleanly to version 1.17 and later, which added XMLReaderUtils as part of the refactoring of XML parsers: https://github.com/apache/tika/commit/c0c2eafe46224e5c316f2dede395308930a... A fix for older versions would likely have to set entityExpansionLimit in all places XML parsers are created. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 6 months

1
0
0 / 0

[Bug 1607582] New: CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/ NIO2 connectors user sessions can get mixed up

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1607582 Bug ID: 1607582 Summary: CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abhgupta(a)redhat.com, aileenc(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, anstephe(a)redhat.com, apintea(a)redhat.com, avibelli(a)redhat.com, bgeorges(a)redhat.com, bkundal(a)redhat.com, bmaxwell(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmoulliard(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, darran.lofthouse(a)redhat.com, dbaker(a)redhat.com, dimitris(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, etirelli(a)redhat.com, fgavrilo(a)redhat.com, gvarsami(a)redhat.com, gzaronik(a)redhat.com, hghasemb(a)redhat.com, hhorak(a)redhat.com, ibek(a)redhat.com, ikanello(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jclere(a)redhat.com, jcoleman(a)redhat.com, jdoyle(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jondruse(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jschatte(a)redhat.com, jshepherd(a)redhat.com, jstastny(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, loleary(a)redhat.com, lpetrovi(a)redhat.com, lthon(a)redhat.com, mbabacek(a)redhat.com, mizdebsk(a)redhat.com, mszynkie(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pgallagh(a)redhat.com, pgier(a)redhat.com, pjurak(a)redhat.com, ppalaga(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, pszubiak(a)redhat.com, rnetuka(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, sdaley(a)redhat.com, spinder(a)redhat.com, sstavrev(a)redhat.com, sthangav(a)redhat.com, tcunning(a)redhat.com, theute(a)redhat.com, tkirby(a)redhat.com, trankin(a)redhat.com, trogers(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com Flaw affecting tomcat 9.0.0.M9 to 9.0.9. A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection. Upstream patch: http://svn.apache.org/viewvc?view=rev&rev=1833906 References: https://tomcat.apache.org/security-8.html https://tomcat.apache.org/security-9.html -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 6 months

1
29
0 / 0

[Bug 1629990] New: CVE-2018-16999 nasm: Invalid memory write ( segmentation fault) in expand_smacro in preproc.c

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1629990 Bug ID: 1629990 Summary: CVE-2018-16999 nasm: Invalid memory write (segmentation fault) in expand_smacro in preproc.c Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, nickc(a)redhat.com Netwide Assembler (NASM) 2.14rc15 has an invalid memory write (segmentation fault) in expand_smacro in preproc.c, which allows attackers to cause a denial of service via a crafted input file. Upstream bug: https://bugzilla.nasm.us/show_bug.cgi?id=3392508 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 6 months

1
5
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits October 2018