March 2018 - java-sig-commits - Fedora Mailing-Lists

[Bug 1540828] New: CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1540828 Bug ID: 1540828 Summary: CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: alee(a)redhat.com, apintea(a)redhat.com, bkundal(a)redhat.com, bmaxwell(a)redhat.com, ccoleman(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, csutherl(a)redhat.com, darran.lofthouse(a)redhat.com, dedgar(a)redhat.com, dimitris(a)redhat.com, dmcphers(a)redhat.com, dosoudil(a)redhat.com, fgavrilo(a)redhat.com, gzaronik(a)redhat.com, hchiorea(a)redhat.com, hhorak(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jclere(a)redhat.com, jcoleman(a)redhat.com, jdoyle(a)redhat.com, jgoulding(a)redhat.com, jolee(a)redhat.com, jondruse(a)redhat.com, jorton(a)redhat.com, jshepherd(a)redhat.com, jstastny(a)redhat.com, krzysztof.daniel(a)gmail.com, lgao(a)redhat.com, mbabacek(a)redhat.com, me(a)coolsvap.net, mizdebsk(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, pavelp(a)redhat.com, pgier(a)redhat.com, pjurak(a)redhat.com, ppalaga(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, rnetuka(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, sstavrev(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com The description of the search algorithm used by the CGI Servlet to identify which script to execute was incorrect. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that it is only the documentation that was incorrect, the behaviour of the CGI servlet remains unchanged. Versions Affected: Apache Tomcat 9.0.0.M22 to 9.0.1 Apache Tomcat 8.5.16 to 8.5.23 Apache Tomcat 8.0.45 to 8.0.47 Apache Tomcat 7.0.79 to 7.0.82 Upstream Advisory: http://tomcat.10.x6.nabble.com/SECURITY-CVE-2017-15706-Apache-Tomcat-Inco... -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
18
0 / 0

[Bug 1538332] CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist ( incomplete fix for CVE-2017-7525 and CVE-2017-17485)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1538332 --- Comment #18 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

[Bug 1528565] CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-15095)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1528565 --- Comment #20 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

[Bug 1506612] CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-7525)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1506612 --- Comment #34 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

[Bug 1538332] CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist ( incomplete fix for CVE-2017-7525 and CVE-2017-17485)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1538332 --- Comment #17 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

[Bug 1506612] CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-7525)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1506612 --- Comment #33 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

[Bug 1538332] CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist ( incomplete fix for CVE-2017-7525 and CVE-2017-17485)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1538332 --- Comment #16 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

[Bug 1528565] CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-15095)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1528565 --- Comment #18 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

[Bug 1506612] CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-7525)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1506612 --- Comment #32 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

[Bug 1528565] CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list ( incomplete fix for CVE-2017-15095)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1528565 --- Comment #17 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478 -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits March 2018