June 2018 - java-sig-commits - Fedora Mailing-Lists

[Bug 1372124] CVE-2016-6347 RESTEasy: Use of the default exception handler in RESTEasy can lead to reflected XSS attack

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1372124 --- Comment #9 from Kurt Seifried <kseifried(a)redhat.com> --- Statement: This issue affects the versions of RESTEasy as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Moderate. Additionally Red Hat Satellite does not use the default ExceptionMapper, and the custom exception handler does not allow return type of text/html. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 11 months

1
0
0 / 0

[Bug 1372124] CVE-2016-6347 RESTEasy: Use of the default exception handler in RESTEasy can lead to reflected XSS attack

by bugzilla＠redhat.com

5 years, 11 months

1
0
0 / 0

[Bug 1535411] CVE-2018-1051 resteasy: Unsafe unmarshalling in YamlProvider allows code execution

by bugzilla＠redhat.com

5 years, 11 months

1
0
0 / 0

[Bug 1549276] CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries

by bugzilla＠redhat.com

5 years, 11 months

1
0
0 / 0

[Bug 1584392] CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1584392 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1837 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 11 months

1
0
0 / 0

[Bug 1584392] CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1584392 --- Comment #13 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Via RHSA-2018:1837 https://access.redhat.com/errata/RHSA-2018:1837 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 11 months

1
0
0 / 0

[Bug 1584392] CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1584392 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:1836 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 11 months

1
0
0 / 0

[Bug 1584392] CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1584392 --- Comment #12 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:1836 https://access.redhat.com/errata/RHSA-2018:1836 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 11 months

1
0
0 / 0

[Bug 1540033] New: CVE-2017-8030 springframework: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1540033 Bug ID: 1540033 Summary: CVE-2017-8030 springframework: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fedora-all] Product: Fedora Version: 27 Component: springframework Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: puntogil(a)libero.it Reporter: sfowler(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dchen(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 11 months

1
4
0 / 0

[Bug 1557542] New: CVE-2018-1324 apache-commons-compress: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1557542 Bug ID: 1557542 Summary: CVE-2018-1324 apache-commons-compress: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: bmcclain(a)redhat.com, dblechte(a)redhat.com, eedri(a)redhat.com, hhorak(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jorton(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, sandro(a)mathys.io, sbonazzo(a)redhat.com, sherold(a)redhat.com, SpikeFedora(a)gmail.com, ykaul(a)redhat.com, ylavi(a)redhat.com A flaw was found in Apache Commons Compress versions 1.11 to 1.15. A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package. Upstream patch: https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff... Upstream issue: https://issues.apache.org/jira/browse/COMPRESS-432 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 11 months

1
18
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits June 2018