[Bug 1548909] slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
Doran Moppert <dmoppert(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|80222,reported=20180226,sou |80222,reported=20180226,sou
|rce=researcher,cvss3=8.1/CV |rce=researcher,cvss3=8.1/CV
|SS:3.0/AV:N/AC:H/PR:N/UI:N/ |SS:3.0/AV:N/AC:H/PR:N/UI:N/
|S:U/C:H/I:H/A:H,cwe=CWE-502 |S:U/C:H/I:H/A:H,cwe=CWE-502
|,fedora-all/slf4j=affected, |,fedora-all/slf4j=affected,
|fedora-all/slf4j-jboss-logm |fedora-all/slf4j-jboss-logm
|anager=affected,openshift-1 |anager=affected,openshift-1
|/slf4j=affected,rhscl-3/rh- |/slf4j=affected,rhscl-3/rh-
|java-common-slf4j=affected, |java-common-slf4j=affected,
|sam-1/slf4j=wontfix,jws-3/s |sam-1/slf4j=wontfix,jws-3/s
|lf4j=new,brms-5/slf4j=new,b |lf4j=new,brms-5/slf4j=new,b
|rms-6/slf4j=new,amq-6/slf4j |rms-6/slf4j=new,amq-6/slf4j
|=new,soap-5/slf4j=new,eap-5 |=new,soap-5/slf4j=new,eap-5
|/slf4j=new,eap-6/slf4j=affe |/slf4j=new,eap-6/slf4j=affe
|cted,eap-7/slf4j=affected,j |cted,eap-7/slf4j=affected,j
|bds-11/slf4j=new,jdg-6/slf4 |bds-11/slf4j=new,jdg-6/slf4
|j=new,jdg-7/slf4j=new,jdv-6 |j=new,jdg-7/slf4j=new,jdv-6
|/slf4j=new,fsw-6/slf4j=new, |/slf4j=new,fsw-6/slf4j=new,
|fuse-6/slf4j=new,jon-3/slf4 |fuse-6/slf4j=new,jon-3/slf4
|j=new,jpp-6/slf4j=new,rhsso |j=new,jpp-6/slf4j=new,rhsso
|-7/slf4j=new,rhn_satellite_ |-7/slf4j=new,rhn_satellite_
|6/spacewalk-slf4j=affected, |6/spacewalk-slf4j=affected,
|rhn_satellite_6/slf4j=affec |rhn_satellite_6/slf4j=affec
|ted,rhel-6/slf4j=affected,r |ted,rhel-6/slf4j=wontfix,rh
|hel-7/slf4j=affected,rhel-8 |el-7/slf4j=affected,rhel-8/
|/slf4j=affected,rhev-m-4/jb |slf4j=affected,rhev-m-4/jbo
|oss=affected,vertx-3/slf4j= |ss=affected,vertx-3/slf4j=n
|new,openstack-8/slf4j-api=n |ew,openstack-8/slf4j-api=no
|otaffected,openstack-9/slf4 |taffected,openstack-9/slf4j
|j-api=notaffected,openstack |-api=notaffected,openstack-
|-10/slf4j-api=notaffected,o |10/slf4j-api=notaffected,op
|penstack-11/slf4j-api=notaf |enstack-11/slf4j-api=notaff
|fected,openstack-12/slf4j-a |ected,openstack-12/slf4j-ap
|pi=notaffected,openstack-13 |i=notaffected,openstack-13/
|/slf4j-api=notaffected,rhsc |slf4j-api=notaffected,rhscl
|l-3/rh-maven35-slf4j=affect |-3/rh-maven35-slf4j=affecte
|ed |d
--
You are receiving this mail because:
You are on the CC list for the bug.
6 years, 1 month
[Bug 1537610] New: Please retire this package in rawhide
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1537610
Bug ID: 1537610
Summary: Please retire this package in rawhide
Product: Fedora
Version: rawhide
Component: jackson-module-jaxb-annotations
Assignee: puntogil(a)libero.it
Reporter: mat.booth(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Jackson upstream merged this module into the jackson-modules-base repo.
Accordingly, in rawhide/F28+ the jackson-modules-base package was updated and
it now provides a jackson-module-jaxb-annotations sub-package that obsoletes
this standalone RPM. See this build of jackson-modules-base:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1020083
Please retire this package in Fedora 28 onwards.
6 years, 1 month
[Bug 1538332] CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1538332
Doran Moppert <dmoppert(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=moderate,public=2018 |impact=moderate,public=2018
|0118,reported=20180122,sour |0118,reported=20180122,sour
|ce=cve,cvss3=8.1/CVSS:3.0/A |ce=cve,cvss3=8.1/CVSS:3.0/A
|V:N/AC:H/PR:N/UI:N/S:U/C:H/ |V:N/AC:H/PR:N/UI:N/S:U/C:H/
|I:H/A:H,cwe=CWE-502,jdv-6/j |I:H/A:H,cwe=CWE-502,jdv-6/j
|ackson-databind=new,jbds-10 |ackson-databind=new,jbds-10
|/jackson-databind=wontfix,a |/jackson-databind=wontfix,a
|mq-6/jackson-databind=new,b |mq-6/jackson-databind=new,b
|pms-6/jackson-databind=new, |pms-6/jackson-databind=new,
|jdg-7/jackson-databind=new, |jdg-7/jackson-databind=new,
|jbds-8/jackson-databind=won |jbds-8/jackson-databind=won
|tfix,eap-7/jackson-databind |tfix,eap-7/jackson-databind
|=affected/impact=moderate/c |=affected/impact=moderate/c
|vss3=8.1/CVSS:3.0/AV:N/AC:H |vss3=8.1/CVSS:3.0/AV:N/AC:H
|/PR:N/UI:N/S:U/C:H/I:H/A:H, |/PR:N/UI:N/S:U/C:H/I:H/A:H,
|fuse-6/jackson-databind=new |fuse-6/jackson-databind=new
|,rhsso-7/jackson-databind=n |,rhsso-7/jackson-databind=n
|ew,sam-1/jackson-databind=w |ew,sam-1/jackson-databind=w
|ontfix,rhscl-3/rh-eclipse46 |ontfix,rhscl-3/rh-eclipse46
|-jackson-databind=new,rhev- |-jackson-databind=affected,
|m-4/jackson-databind=new,fe |rhev-m-4/jackson-databind=a
|dora-all/jackson-databind=a |ffected,fedora-all/jackson-
|ffected,openshift-1/jackson |databind=affected,openshift
|-databind=new,rhscl-3/rh-ma |-1/jackson-databind=new,rhs
|ven35-jackson-databind=new, |cl-3/rh-maven35-jackson-dat
|rhn_satellite_6/jackson-dat |abind=affected,rhn_satellit
|abind=wontfix,eap-6/jackson |e_6/jackson-databind=wontfi
|-databind=affected/impact=m |x,eap-6/jackson-databind=af
|oderate/cvss3=8.1/CVSS:3.0/ |fected/impact=moderate/cvss
|AV:N/AC:H/PR:N/UI:N/S:U/C:H |3=8.1/CVSS:3.0/AV:N/AC:H/PR
|/I:H/A:H |:N/UI:N/S:U/C:H/I:H/A:H
6 years, 1 month
[Bug 1413466] CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1413466
Kurt Seifried <kseifried(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|70114,reported=20170112,sou |70114,reported=20170112,sou
|rce=internet,cvss3=9.6/CVSS |rce=internet,cvss3=9.6/CVSS
|:3.0/AV:N/AC:L/PR:N/UI:R/S: |:3.0/AV:N/AC:L/PR:N/UI:R/S:
|C/C:H/I:H/A:H,cwe=CWE-502,a |C/C:H/I:H/A:H,cwe=CWE-502,a
|mq-6/groovy=affected,jdv-6/ |mq-6/groovy=affected,jdv-6/
|groovy=affected/cvss3=8.3/C |groovy=affected/impact=mode
|VSS:3.0/AV:N/AC:H/PR:N/UI:R |rate/cvss3=8.3/CVSS:3.0/AV:
|/S:C/C:H/I:H/A:H/impact=mod |N/AC:H/PR:N/UI:R/S:C/C:H/I:
|erate,eap-5/groovy=wontfix, |H/A:H,eap-5/groovy=wontfix,
|brms-5/groovy=wontfix,soap- |brms-5/groovy=wontfix,soap-
|5/groovy=wontfix,eds-5/groo |5/groovy=wontfix,eds-5/groo
|vy=wontfix,fsw-6/camel=affe |vy=wontfix,fsw-6/camel=affe
|cted,fuse-6/camel=affected, |cted,fuse-6/camel=affected,
|jon-3/groovy=notaffected,ep |jon-3/groovy=notaffected,ep
|p-5/groovy=new,openshift-en |p-5/groovy=new,openshift-en
|terprise-2/jenkins=wontfix, |terprise-2/jenkins=wontfix,
|rhev-m-3/jasperreports-serv |rhev-m-3/jasperreports-serv
|er-pro=wontfix,rhel-7/groov |er-pro=wontfix,rhel-7/groov
|y=affected,rhn_satellite_6/ |y=affected,rhn_satellite_6/
|groovy=notaffected,rhscl-2/ |groovy=notaffected,rhscl-2/
|rh-maven33-groovy=affected, |rh-maven33-groovy=affected,
|fedora-all/groovy=affected, |fedora-all/groovy=affected,
|fedora-all/groovy18=affecte |fedora-all/groovy18=affecte
|d |d
6 years, 1 month
[Bug 1548909] slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
Doran Moppert <dmoppert(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=important,public=201 |impact=important,public=201
|80222,reported=20180226,sou |80222,reported=20180226,sou
|rce=researcher,cvss3=8.1/CV |rce=researcher,cvss3=8.1/CV
|SS:3.0/AV:N/AC:H/PR:N/UI:N/ |SS:3.0/AV:N/AC:H/PR:N/UI:N/
|S:U/C:H/I:H/A:H,cwe=CWE-502 |S:U/C:H/I:H/A:H,cwe=CWE-502
|,fedora-all/slf4j=affected, |,fedora-all/slf4j=affected,
|fedora-all/slf4j-jboss-logm |fedora-all/slf4j-jboss-logm
|anager=affected,openshift-1 |anager=affected,openshift-1
|/slf4j=affected,rhscl-3/rh- |/slf4j=affected,rhscl-3/rh-
|java-common-slf4j=new,sam-1 |java-common-slf4j=affected,
|/slf4j=wontfix,jws-3/slf4j= |sam-1/slf4j=wontfix,jws-3/s
|new,brms-5/slf4j=new,brms-6 |lf4j=new,brms-5/slf4j=new,b
|/slf4j=new,amq-6/slf4j=new, |rms-6/slf4j=new,amq-6/slf4j
|soap-5/slf4j=new,eap-5/slf4 |=new,soap-5/slf4j=new,eap-5
|j=new,eap-6/slf4j=affected, |/slf4j=new,eap-6/slf4j=affe
|eap-7/slf4j=affected,jbds-1 |cted,eap-7/slf4j=affected,j
|1/slf4j=new,jdg-6/slf4j=new |bds-11/slf4j=new,jdg-6/slf4
|,jdg-7/slf4j=new,jdv-6/slf4 |j=new,jdg-7/slf4j=new,jdv-6
|j=new,fsw-6/slf4j=new,fuse- |/slf4j=new,fsw-6/slf4j=new,
|6/slf4j=new,jon-3/slf4j=new |fuse-6/slf4j=new,jon-3/slf4
|,jpp-6/slf4j=new,rhsso-7/sl |j=new,jpp-6/slf4j=new,rhsso
|f4j=new,rhn_satellite_6/spa |-7/slf4j=new,rhn_satellite_
|cewalk-slf4j=affected,rhn_s |6/spacewalk-slf4j=affected,
|atellite_6/slf4j=affected,r |rhn_satellite_6/slf4j=affec
|hel-6/slf4j=new,rhel-7/slf4 |ted,rhel-6/slf4j=affected,r
|j=new,rhel-8/slf4j=new,rhev |hel-7/slf4j=affected,rhel-8
|-m-4/jboss=new,vertx-3/slf4 |/slf4j=affected,rhev-m-4/jb
|j=new,openstack-8/slf4j-api |oss=affected,vertx-3/slf4j=
|=notaffected,openstack-9/sl |new,openstack-8/slf4j-api=n
|f4j-api=notaffected,opensta |otaffected,openstack-9/slf4
|ck-10/slf4j-api=notaffected |j-api=notaffected,openstack
|,openstack-11/slf4j-api=not |-10/slf4j-api=notaffected,o
|affected,openstack-12/slf4j |penstack-11/slf4j-api=notaf
|-api=notaffected,openstack- |fected,openstack-12/slf4j-a
|13/slf4j-api=notaffected |pi=notaffected,openstack-13
| |/slf4j-api=notaffected,rhsc
| |l-3/rh-maven35-slf4j=affect
| |ed
6 years, 1 month