April 2018 - java-sig-commits - Fedora Mailing-Lists

[Bug 1560603] New: jenkins is unmaintained

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1560603 Bug ID: 1560603 Summary: jenkins is unmaintained Product: Fedora Version: rawhide Component: jenkins Assignee: msrb(a)redhat.com Reporter: msimacek(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com There are 24 open bugs for the component (not counting plugins). There are 33 unfixed CVEs. The latest upstream version is 2.107, while the package version in Fedora is 1.651 Most of the plugins are FTBFS for multiple Fedora releases. The package is unmaintained. We should strive to avoid shipping broken software. If you don't have the time to maintain it, please orphan/retire it. -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
1
0 / 0

[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1548909 --- Comment #20 from Doran Moppert <dmoppert(a)redhat.com> --- Statement: Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates. This issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath). Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`. -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
0
0 / 0

[Bug 1556974] New: Aliases don't behave correctly for plugins

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1556974 Bug ID: 1556974 Summary: Aliases don't behave correctly for plugins Product: Fedora Version: rawhide Component: xmvn Assignee: mizdebsk(a)redhat.com Reporter: msimacek(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mat.booth(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, msrb(a)redhat.com Description of problem: Plugins used via an alias don't work correctly. For example: hawtjni recently renamed their maven-hawtjni-plugin to hawtjni-maven-plugin. I added an alias: %mvn_alias :hawtjni-maven-plugin :maven-hawtjni-plugin The plugin works fine when used via the primary name (hawtjni-maven-plugin), but doesn't work when used via the alias (maven-hawtjni-plugin). It resolves fine, but executes the plugin with incorrect configuration. Version-Release number of selected component (if applicable): xmvn-minimal-3.0.0-13.fc28.noarch maven-lib-3.5.3-1.fc29.noarch How reproducible: always Steps to Reproduce: 1. Clone netty (commit a001671 = current master) and try to build it in f29 mock with -X passed to %mvn_build 2. Observe it fails 3. Add the following to %prep: sed -i s/hawtjni-maven-plugin/maven-hawtjni-plugin/g `find -name pom.xml` 4. Observe it succeeds and was executed with different config (now contains generatedNativeSourceDirectory key) -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
10
0 / 0

[Bug 1557543] New: CVE-2018-1324 apache-commons-compress: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1557543 Bug ID: 1557543 Summary: CVE-2018-1324 apache-commons-compress: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes [fedora-all] Product: Fedora Version: 27 Component: apache-commons-compress Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: mizdebsk(a)redhat.com Reporter: psampaio(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msimacek(a)redhat.com, sandro(a)mathys.io, SpikeFedora(a)gmail.com This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
13
0 / 0

[Bug 1501817] New: jenkins: "Queue Item" remote API disclosed information about inaccessible jobs (SECURITY-618)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1501817 Bug ID: 1501817 Summary: jenkins: "Queue Item" remote API disclosed information about inaccessible jobs (SECURITY-618) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com The remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission. External References: https://jenkins.io/security/advisory/2017-10-11/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
6
0 / 0

[Bug 1501816] New: jenkins: "Computer" remote API disclosed information about inaccessible jobs (SECURITY-611)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1501816 Bug ID: 1501816 Summary: jenkins: "Computer" remote API disclosed information about inaccessible jobs (SECURITY-611) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com The remote API at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission. External References: https://jenkins.io/security/advisory/2017-10-11/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
6
0 / 0

[Bug 1501814] New: jenkins: "User" remote API disclosed users' email addresses (SECURITY-514)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1501814 Bug ID: 1501814 Summary: jenkins: "User" remote API disclosed users' email addresses (SECURITY-514) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Information about Jenkins user accounts is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. External References: https://jenkins.io/security/advisory/2017-10-11/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
6
0 / 0

[Bug 1501820] New: jenkins: Jenkins core bundled vulnerable version of the commons-httpclient library (SECURITY-555)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1501820 Bug ID: 1501820 Summary: jenkins: Jenkins core bundled vulnerable version of the commons-httpclient library (SECURITY-555) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Jenkins bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. External References: https://jenkins.io/security/advisory/2017-10-11/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
10
0 / 0

[Bug 1501818] New: jenkins: "Job" remote API disclosed information about inaccessible upstream/ downstream jobs (SECURITY-617)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1501818 Bug ID: 1501818 Summary: jenkins: "Job" remote API disclosed information about inaccessible upstream/downstream jobs (SECURITY-617) Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com The remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Job/Read permission. External References: https://jenkins.io/security/advisory/2017-10-11/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
5
0 / 0

[Bug 1434338] New: CVE-2017-2651 jenkins-mailer-plugin: Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1434338 Bug ID: 1434338 Summary: CVE-2017-2651 jenkins-mailer-plugin: Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: amaris(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, kseifried(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, msrb(a)redhat.com, tdawson(a)redhat.com The Mailer and Email Extension Plugins are able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build. This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses. Affected versions: up to and including version 1.19 External Reference: https://jenkins.io/security/advisory/2017-03-20/ -- You are receiving this mail because: You are on the CC list for the bug.

6 years, 1 month

1
7
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits April 2018