[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
Kunjan Rathod <krathod(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|jon-3/slf4j=new |jon-3/slf4j=affected
Only the jon-3/slf4j triage state changed. Full Whiteboard after the change
(rejoined from the wrapped columns of the notification):
impact=important,public=20180222,reported=20180226,source=researcher,
cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,
fedora-all/slf4j=affected,fedora-all/slf4j-jboss-logmanager=affected,
openshift-1/slf4j=affected,rhscl-3/rh-java-common-slf4j=notaffected,
sam-1/slf4j=wontfix,jws-3/slf4j=notaffected,brms-5/slf4j=new,brms-6/slf4j=new,
amq-6/slf4j=new,soap-5/slf4j=wontfix,eap-5/slf4j=new,eap-6/slf4j=affected,
eap-7/slf4j=affected,jbds-11/slf4j=wontfix,jdg-6/slf4j=notaffected,
jdg-7/slf4j=affected,jdv-6/slf4j=new,fsw-6/slf4j=new,fuse-6/slf4j=new,
jon-3/slf4j=affected,jpp-6/slf4j=notaffected,rhsso-7/slf4j=affected,
rhn_satellite_6/spacewalk-slf4j=notaffected,rhn_satellite_6/slf4j=notaffected,
rhel-6/slf4j=wontfix,rhel-7/slf4j=affected,rhel-8/slf4j=affected,
rhev-m-4/jboss=affected,vertx-3/slf4j=notaffected,
openstack-8/slf4j-api=notaffected,openstack-9/slf4j-api=notaffected,
openstack-10/slf4j-api=notaffected,openstack-11/slf4j-api=notaffected,
openstack-12/slf4j-api=notaffected,openstack-13/slf4j-api=notaffected,
rhscl-3/rh-maven35-slf4j=affected,fis-2/slf4j=affected
--
You are receiving this mail because:
You are on the CC list for the bug.
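The Whiteboard string is the security-relevant payload of these notifications: the impact, the CVSS v3 score and vector, the CWE, and one product/component=state entry per Red Hat product under triage. Because the mail wraps it into 27-character columns, the one entry that actually changed is hard to spot by eye. The script below is an added example, not part of the bugzilla mail and not Red Hat tooling: it takes the Removed column of the CVE-2018-8088 change above, rejoined into a single string, parses it into flags and per-product states, diffs it against the Added column, lists the products in a given state, and recomputes the CVSS v3.0 base score from the recorded vector so a mismatch between the two can be caught. Metric weights and the round-up rule are those of the FIRST CVSS v3.0/v3.1 specifications. The same functions apply unchanged to the jackson-databind (CVE-2017-17485) whiteboard changes later in this digest.

```python
"""Parse, diff and sanity-check Red Hat Bugzilla security Whiteboard strings.

Added example; not part of the bugzilla notification or of Red Hat tooling.
WHITEBOARD_REMOVED is the Removed column of the CVE-2018-8088 change,
rejoined from the wrapped 27-character columns of the mail.
"""
import math
from typing import Dict, List, Tuple

# Base-metric weights from the FIRST CVSS v3.0 specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

WHITEBOARD_REMOVED = (
    "impact=important,public=20180222,reported=20180226,source=researcher,"
    "cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,"
    "fedora-all/slf4j=affected,fedora-all/slf4j-jboss-logmanager=affected,"
    "openshift-1/slf4j=affected,rhscl-3/rh-java-common-slf4j=notaffected,"
    "sam-1/slf4j=wontfix,jws-3/slf4j=notaffected,brms-5/slf4j=new,brms-6/slf4j=new,"
    "amq-6/slf4j=new,soap-5/slf4j=wontfix,eap-5/slf4j=new,eap-6/slf4j=affected,"
    "eap-7/slf4j=affected,jbds-11/slf4j=wontfix,jdg-6/slf4j=notaffected,"
    "jdg-7/slf4j=affected,jdv-6/slf4j=new,fsw-6/slf4j=new,fuse-6/slf4j=new,"
    "jon-3/slf4j=new,jpp-6/slf4j=notaffected,rhsso-7/slf4j=affected,"
    "rhn_satellite_6/spacewalk-slf4j=notaffected,rhn_satellite_6/slf4j=notaffected,"
    "rhel-6/slf4j=wontfix,rhel-7/slf4j=affected,rhel-8/slf4j=affected,"
    "rhev-m-4/jboss=affected,vertx-3/slf4j=notaffected,"
    "openstack-8/slf4j-api=notaffected,openstack-9/slf4j-api=notaffected,"
    "openstack-10/slf4j-api=notaffected,openstack-11/slf4j-api=notaffected,"
    "openstack-12/slf4j-api=notaffected,openstack-13/slf4j-api=notaffected,"
    "rhscl-3/rh-maven35-slf4j=affected,fis-2/slf4j=affected"
)
# The Added column of that change differs in exactly one triage state.
WHITEBOARD_ADDED = WHITEBOARD_REMOVED.replace("jon-3/slf4j=new", "jon-3/slf4j=affected")


def parse_whiteboard(wb: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split 'key=value,...' into (flags, products).

    Keys containing '/' are product/component triage states (affected,
    notaffected, wontfix, new); other keys are flags such as impact=, cvss3=
    or cwe=. The cvss3 value contains '/' but never ',', so splitting on
    commas first is safe.
    """
    flags: Dict[str, str] = {}
    products: Dict[str, str] = {}
    for item in filter(None, wb.split(",")):
        key, _, value = item.partition("=")
        (products if "/" in key else flags)[key] = value
    return flags, products


def diff_products(old_wb: str, new_wb: str) -> Dict[str, Tuple[str, str]]:
    """{product/component: (old_state, new_state)} for every entry whose
    triage state differs; an entry missing on one side reads as ''."""
    old_p, new_p = parse_whiteboard(old_wb)[1], parse_whiteboard(new_wb)[1]
    return {
        key: (old_p.get(key, ""), new_p.get(key, ""))
        for key in sorted(set(old_p) | set(new_p))
        if old_p.get(key, "") != new_p.get(key, "")
    }


def products_in_state(wb: str, state: str) -> List[str]:
    """Product/component entries currently in the given triage state."""
    return sorted(k for k, v in parse_whiteboard(wb)[1].items() if v == state)


def _roundup(x: float) -> float:
    """CVSS round-up to one decimal, in the integer form given in CVSS v3.1
    so that float error (e.g. 8.0999999) cannot push a score up a step."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss3_base_score(vector: str) -> float:
    """CVSS v3.0 base score from 'CVSS:3.0/AV:../AC:../PR:../UI:../S:../C:../I:../A:..'."""
    m = dict(part.split(":", 1) for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))


def check_cvss_flag(wb: str) -> Tuple[float, float]:
    """(score recorded in cvss3=, score recomputed from its vector)."""
    recorded, _, vector = parse_whiteboard(wb)[0]["cvss3"].partition("/")
    return float(recorded), cvss3_base_score(vector)


if __name__ == "__main__":
    print("changed:", diff_products(WHITEBOARD_REMOVED, WHITEBOARD_ADDED))
    print("affected:", products_in_state(WHITEBOARD_ADDED, "affected"))
    print("cvss recorded/recomputed:", check_cvss_flag(WHITEBOARD_ADDED))
```

For the change above, diff_products reports only jon-3/slf4j moving from new to affected, and the recomputed score for AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H is 8.1, matching the recorded cvss3 value (AC:H is what keeps this below the 9.8 a low-complexity network RCE would score).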
[Bug 1528565] CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1528565
Kunjan Rathod <krathod(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |krathod(a)redhat.com
Whiteboard|jon-3/resteasy=notaffected |jon-3/resteasy=affected
Only the jon-3/resteasy triage state changed. Full Whiteboard after the change
(rejoined from the wrapped columns of the notification):
impact=important,public=20171212,reported=20171206,source=researcher,
cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,
eap-6/resteasy=affected,fedora-all/jackson-databind=affected,
jdg-7/jackson-databind=notaffected,jon-3/resteasy=affected,
openshift-enterprise-2/jackson-databind=affected,
dts-4/devtoolset-4-jackson-databind=wontfix,rhev-m-3/jasperreports-server-pro=wontfix,
rhev-m-4/eap7-jackson-databind=affected,amq-6/jackson-databind=notaffected,
bpms-6/jackson-databind=new,jdv-6/jackson-databind=notaffected,
fuse-6/jackson-databind=notaffected,rhmap-4/jackson-databind=notaffected,
rhn_satellite_6/jackson-databind=new,rhscl-3/rh-eclipse46-jackson-databind=affected,
rhscl-3/rh-maven35-jackson-databind=affected,sam-1/jackson-databind=wontfix,
eap-7/resteasy=affected,brms-6/jackson-databind=new
--
[Bug 1528565] CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1528565
Chess Hazlett <chazlett(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|jdg-7/jackson-databind=affected |jdg-7/jackson-databind=notaffected
Only the jdg-7/jackson-databind triage state changed. Full Whiteboard after the
change (rejoined from the wrapped columns of the notification):
impact=important,public=20171212,reported=20171206,source=researcher,
cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,
eap-6/resteasy=affected,fedora-all/jackson-databind=affected,
jdg-7/jackson-databind=notaffected,jon-3/resteasy=notaffected,
openshift-enterprise-2/jackson-databind=affected,
dts-4/devtoolset-4-jackson-databind=wontfix,rhev-m-3/jasperreports-server-pro=wontfix,
rhev-m-4/eap7-jackson-databind=affected,amq-6/jackson-databind=notaffected,
bpms-6/jackson-databind=new,jdv-6/jackson-databind=notaffected,
fuse-6/jackson-databind=notaffected,rhmap-4/jackson-databind=notaffected,
rhn_satellite_6/jackson-databind=new,rhscl-3/rh-eclipse46-jackson-databind=affected,
rhscl-3/rh-maven35-jackson-databind=affected,sam-1/jackson-databind=wontfix,
eap-7/resteasy=affected,brms-6/jackson-databind=new
--
[Bug 1585627] strange change in macro expansions in f29
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1585627
Severin Gehwolf <sgehwolf(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sgehwolf(a)redhat.com
--- Comment #6 from Severin Gehwolf <sgehwolf(a)redhat.com> ---
(In reply to jiri vanek from comment #5)
> hm. NVM. The buildrequires of javapackages-filesystem will solve it anyway.
This should be BuildRequires: javapackages-tools, right?
However, this will then drag in java-1.8.0-openjdk again for a JDK 10 build.
Bug 1500288 all over again. So what I'd think would be a better approach is to
move the directory macros from /usr/lib/rpm/macros.d/macros.jpackage to
javapackages-filesystem. E.g.
%_jvmdir %{_prefix}/lib/jvm
Macros which use java functions may stay in a separate macro file which then
may require java-1.8.0-openjdk. Thoughts?
--
[Bug 1585627] strange change in macro expansions in f29
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1585627
jiri vanek <jvanek(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Component|javapackages-tools |java-openjdk
Resolution|--- |NOTABUG
Assignee|mizdebsk(a)redhat.com |jvanek(a)redhat.com
Last Closed| |2018-06-04 07:28:54
--- Comment #5 from jiri vanek <jvanek(a)redhat.com> ---
hm. NVM. The buildrequires of javapackages-filesystem will solve it anyway.
--
[Bug 1585627] strange change in macro expansions in f29
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1585627
jiri vanek <jvanek(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ctubbsii(a)fedoraproject.org,
| |java-sig-commits(a)lists.fedo
| |raproject.org,
| |mat.booth(a)redhat.com,
| |mizdebsk(a)redhat.com,
| |msimacek(a)redhat.com,
| |msrb(a)redhat.com,
| |sochotni(a)redhat.com
Component|java-openjdk |javapackages-tools
Assignee|jvanek(a)redhat.com |mizdebsk(a)redhat.com
--- Comment #4 from jiri vanek <jvanek(a)redhat.com> ---
Thanks.
Then the issue is either that we moved *requires* from javapackages-tools to
javapackages-filesystem, or that the default buildroot has changed. As there was a
recent clean-up of the java buildroot, the second is more likely.
Again, sorry for the noise.
Mikolai, may you confirm?
--