February 2018 - java-sig-commits - Fedora Mailing-Lists

[Bug 1543718] CVE-2018-1298 qpid-java: Incorrect implementation of some SASL mechanisms can allow a remote unauthenticated attacker to cause a denial of service [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1543718 --- Comment #1 from Sam Fowler <sfowler(a)redhat.com> --- Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1543717,1543718 # Description of your update notes=Security fix for [PUT CVEs HERE] # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 2 months

1
0
0 / 0

[Bug 1543206] New: nasm-2.13.03 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1543206 Bug ID: 1543206 Summary: nasm-2.13.03 is available Product: Fedora Version: rawhide Component: nasm Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com Latest upstream release: 2.13.03 Current version/release in rawhide: 2.13.02-2.fc28 URL: http://www.nasm.us/pub/nasm/releasebuilds/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/2048/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 2 months

1
2
0 / 0

[Bug 1530463] New: CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-15095) [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1530463 Bug ID: 1530463 Summary: CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) [fedora-all] Product: Fedora Version: 27 Component: jackson-databind Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: puntogil(a)libero.it Reporter: dmoppert(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 2 months

1
19
0 / 0

[Bug 1538332] CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist ( incomplete fix for CVE-2017-7525 and CVE-2017-17485)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1538332 Bug 1538332 depends on bug 1538333, which changed state. Bug 1538333 Summary: CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1538333 What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 2 months

1
0
0 / 0

[Bug 1528565] CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-15095)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1528565 Bug 1528565 depends on bug 1530463, which changed state. Bug 1530463 Summary: CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1530463 What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 2 months

1
0
0 / 0

[Bug 1462702] CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1462702 Doran Moppert <dmoppert(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |jackson-databind 2.8.9, | |jackson-databind 2.9.0 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 2 months

1
0
0 / 0

[Bug 1506612] CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-7525)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1506612 Doran Moppert <dmoppert(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |jackson-databind 2.8.10, | |jackson-databind-2.9.2 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 2 months

1
0
0 / 0

[Bug 1508110] CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD

by bugzilla＠redhat.com

6 years, 2 months

1
0
0 / 0

[Bug 1516791] New: CVE-2017-1000392 jenkins: Persisted XSS vulnerability in autocompletion suggestions

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1516791 Bug ID: 1516791 Summary: CVE-2017-1000392 jenkins: Persisted XSS vulnerability in autocompletion suggestions Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. Known previously unsafe sources for these suggestions include the names of loggers in the log recorder condition, and agent labels. External References: https://jenkins.io/security/advisory/2017-11-08/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 2 months

1
4
0 / 0

[Bug 1516788] New: CVE-2017-1000391 jenkins: Unsafe use of user names as directory names

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1516788 Bug ID: 1516788 Summary: CVE-2017-1000391 jenkins: Unsafe use of user names as directory names Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems, such as the following: 1. User names consisting of a single forward slash would have their user record stored in the parent directory; deleting this user deleted all user records. 2. User names containing character sequences such as .. could be used to clobber other configuration files in Jenkins. This is not limited to the Jenkins user database security realm, other security realms such as LDAP may allow users to create user names that result in problems in Jenkins. External References: https://jenkins.io/security/advisory/2017-11-08/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 2 months

1
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits February 2018