August 2018 - java-sig-commits - Fedora Mailing-Lists

[Bug 1581542] New: CVE-2018-8012 zookeeper: No authentication or authorization is enforced when a server joins a quorum

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1581542 Bug ID: 1581542 Summary: CVE-2018-8012 zookeeper: No authentication or authorization is enforced when a server joins a quorum Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: aileenc(a)redhat.com, alazarot(a)redhat.com, anstephe(a)redhat.com, avibelli(a)redhat.com, bgeorges(a)redhat.com, chazlett(a)redhat.com, cmoulliard(a)redhat.com, ctubbsii(a)fedoraproject.org, drieden(a)redhat.com, etirelli(a)redhat.com, greg.hellings(a)gmail.com, gvarsami(a)redhat.com, hghasemb(a)redhat.com, ibek(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jbalunas(a)redhat.com, jcoleman(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jschatte(a)redhat.com, jshepherd(a)redhat.com, jstastny(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lpetrovi(a)redhat.com, lthon(a)redhat.com, mluscon(a)gmail.com, mszynkie(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pavelp(a)redhat.com, pgallagh(a)redhat.com, pszubiak(a)redhat.com, rhel8-maint(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, sdaley(a)redhat.com, s(a)shk.io, tcunning(a)redhat.com, tkirby(a)redhat.com, trogers(a)redhat.com, tstclair(a)heptio.com, vhalbert(a)redhat.com Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta does not enforce any authentication/authorization when a server attempts to join a quorum in . As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader. External References: http://openwall.com/lists/oss-security/2018/05/21/6 https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutua... https://issues.apache.org/jira/browse/ZOOKEEPER-1045 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
14
0 / 0

[Bug 1600426] New: Reconsider auto-requires: javapackages-tools

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1600426 Bug ID: 1600426 Summary: Reconsider auto-requires: javapackages-tools Product: Fedora Version: rawhide Component: javapackages-tools Assignee: mizdebsk(a)redhat.com Reporter: sgehwolf(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: ctubbsii(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mat.booth(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, msrb(a)redhat.com, sochotni(a)redhat.com Description of problem: In rawhide when I build a Java package I get a run-time requirement of javapackakges-tools whether I want that or not. This wouldn't concern me as much if javapackages-tools wouldn't drag in java-1.8.0-openjdk-headless. So for a java package that runs fine with, say JDK 10, I'd get JDK 8 too, due to javapackages-tools auto-requires. Example from the byteman build: ------------------------------- [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/contrib/jboss-modules-system/byteman-jboss-modules-plugin.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/contrib/jboss-modules-system/byteman-jboss-modules-plugin.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/lib/byteman-install.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/lib/byteman-install.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/lib/byteman-sample.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/lib/byteman-sample.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/lib/byteman-submit.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/lib/byteman-submit.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/lib/byteman.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/byteman/lib/byteman.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-agent.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-agent.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-install.jar'] [INFO osgi.prov] osgi(org.jboss.byteman.agent.install) = 4.0.4 [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-install.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-jboss-modules-plugin.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-jboss-modules-plugin.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-jigsaw.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-jigsaw.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-layer.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-layer.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-sample.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-sample.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-submit.jar'] [INFO osgi.prov] osgi(org.jboss.byteman.agent.submit) = 4.0.4 [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman-submit.jar'] [INFO osgi.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman.jar'] [INFO osgi.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/java/byteman/byteman.jar'] [INFO maven.prov] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/maven-metadata/byteman.xml'] [INFO maven.prov] mvn(org.jboss.byteman:byteman-jigsaw:pom:) = 4.0.4, mvn(org.jboss.byteman:byteman-submit:pom:) = 4.0.4, mvn(org.jboss.byteman:byteman-jboss-modules-plugin) = 4.0.4, mvn(org.jboss.byteman:byteman-submit) = 4.0.4, mvn(org.jboss.byteman:byteman) = 4.0.4, mvn(org.jboss.byteman:byteman-install:pom:) = 4.0.4, mvn(org.jboss.byteman:byteman-jboss-modules:pom:) = 4.0.4, mvn(org.jboss.byteman:tests:pom:) = 4.0.4, mvn(org.jboss.byteman:byteman:pom:) = 4.0.4, mvn(org.jboss.byteman:byteman-jboss-modules-plugin:pom:) = 4.0.4, mvn(org.jboss.byteman:byteman-jigsaw) = 4.0.4, mvn(org.jboss.byteman:byteman-install) = 4.0.4, mvn(org.jboss.byteman:byteman-layer:pom:) = 4.0.4, mvn(org.jboss.byteman:byteman-sample) = 4.0.4, mvn(org.jboss.byteman:byteman-sample:pom:) = 4.0.4, mvn(org.jboss.byteman:byteman-root:pom:) = 4.0.4, mvn(org.jboss.byteman:byteman-agent) = 4.0.4, mvn(org.jboss.byteman:byteman-layer) = 4.0.4, mvn(org.jboss.byteman:byteman-agent:pom:) = 4.0.4 [INFO maven.req] input: ['/builddir/build/BUILDROOT/byteman-4.0.4-1.module_1916+32d410e4.noarch/usr/share/maven-metadata/byteman.xml'] [INFO maven.req] javapackages-tools, mvn(org.ow2.asm:asm-commons), mvn(org.ow2.asm:asm-tree), mvn(org.ow2.asm:asm-analysis), java-headless >= 1:1.9, mvn(org.ow2.asm:asm), mvn(java_cup:java_cup) Provides: bundled(java_cup) = 1:0.11b-8 bundled(objectweb-asm) = 6.2 byteman = 4.0.4-1.module_1916+32d410e4 mvn(org.jboss.byteman:byteman) = 4.0.4 mvn(org.jboss.byteman:byteman-agent) = 4.0.4 mvn(org.jboss.byteman:byteman-agent:pom:) = 4.0.4 mvn(org.jboss.byteman:byteman-install) = 4.0.4 mvn(org.jboss.byteman:byteman-install:pom:) = 4.0.4 mvn(org.jboss.byteman:byteman-jboss-modules-plugin) = 4.0.4 mvn(org.jboss.byteman:byteman-jboss-modules-plugin:pom:) = 4.0.4 mvn(org.jboss.byteman:byteman-jboss-modules:pom:) = 4.0.4 mvn(org.jboss.byteman:byteman-jigsaw) = 4.0.4 mvn(org.jboss.byteman:byteman-jigsaw:pom:) = 4.0.4 mvn(org.jboss.byteman:byteman-layer) = 4.0.4 mvn(org.jboss.byteman:byteman-layer:pom:) = 4.0.4 mvn(org.jboss.byteman:byteman-root:pom:) = 4.0.4 mvn(org.jboss.byteman:byteman-sample) = 4.0.4 mvn(org.jboss.byteman:byteman-sample:pom:) = 4.0.4 mvn(org.jboss.byteman:byteman-submit) = 4.0.4 mvn(org.jboss.byteman:byteman-submit:pom:) = 4.0.4 mvn(org.jboss.byteman:byteman:pom:) = 4.0.4 mvn(org.jboss.byteman:tests:pom:) = 4.0.4 osgi(org.jboss.byteman.agent.install) = 4.0.4 osgi(org.jboss.byteman.agent.submit) = 4.0.4 Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 Requires: /bin/bash /bin/sh javapackages-tools ------------------------------- The byteman package doesn't have any explicit 'Requires: javapackages-tools' in its spec[1]. What is the reason for auto-requires of javapackages-tools? If it's the directory structure this should get switched to javapackages-filesystem instead which won't have a dep on the JDK. Please re-assign component as necessary. [1] https://src.fedoraproject.org/rpms/byteman/blob/byteman/f/byteman.spec -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
14
0 / 0

[Bug 1622774] New: CVE-2018-8006 activemq: Cross-site scripting (XSS) via QueueFilter parameter

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1622774 Bug ID: 1622774 Summary: CVE-2018-8006 activemq: Cross-site scripting (XSS) via QueueFilter parameter Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: agrimm(a)gmail.com, aileenc(a)redhat.com, alazarot(a)redhat.com, anstephe(a)redhat.com, bkundal(a)redhat.com, bmaxwell(a)redhat.com, bmcclain(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, csutherl(a)redhat.com, darran.lofthouse(a)redhat.com, dblechte(a)redhat.com, dfediuck(a)redhat.com, dimitris(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eedri(a)redhat.com, etirelli(a)redhat.com, gvarsami(a)redhat.com, hghasemb(a)redhat.com, ibek(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jcoleman(a)redhat.com, jshepherd(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lpetrovi(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgier(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, psotirop(a)redhat.com, pszubiak(a)redhat.com, puntogil(a)libero.it, rnetuka(a)redhat.com, rrajasek(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, sbonazzo(a)redhat.com, sdaley(a)redhat.com, sherold(a)redhat.com, s(a)shk.io, sthorger(a)redhat.com, tcunning(a)redhat.com, tdawson(a)redhat.com, tkirby(a)redhat.com, twalsh(a)redhat.com, vtunka(a)redhat.com, ylavi(a)redhat.com Apache ActiveMQ before version 5.15.5 is vulnerable to cross-site scripting (XSS) flaw via the QueueFilter parameter. An attacker could exploit this by feeding a URL encoded script to the QueueFilter parameter in the URI. External Reference: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL20... Upstream Bug: https://issues.apache.org/jira/browse/AMQ-6954 Upstream Patches: https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d25de5d https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=d8c80a9 -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
4
0 / 0

[Bug 1593527] CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1593527 --- Doc Text *updated* by Eric Christensen <sparks(a)redhat.com> --- It was found that the explode function of the deployment utility in jboss-cli and console that allows extraction of files from an archive does not perform necessary validation for directory traversal. This can lead to remote code execution. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
0
0 / 0

[Bug 1593527] CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1593527 --- Doc Text *updated* by Bharti Kundal <bkundal(a)redhat.com> --- It was found that the explode function of the deployment utility in jboss-cli and console that allows extraction of files from an archive does not perform necessary validation for directory traversal which can lead to remote code execution. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
0
0 / 0

[Bug 1593527] CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1593527 Steve Goodman <steve.goodman(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |steve.goodman(a)redhat.com Flags| |needinfo?(security-response | |-team(a)redhat.com) --- Comment #16 from Steve Goodman <steve.goodman(a)redhat.com> --- If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field. The documentation team will review, edit, and approve the text. If this bug does not require doc text, please set the 'requires_doc_text' flag to -. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
0
0 / 0

[Bug 1607584] New: CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/ NIO2 connectors user sessions can get mixed up [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1607584 Bug ID: 1607584 Summary: CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up [fedora-all] Product: Fedora Version: 28 Component: tomcat Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: ivan.afonichev(a)gmail.com Reporter: psampaio(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
7
0 / 0

[Bug 1607580] New: CVE-2018-8034 tomcat: host name verification missing in WebSocket client

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1607580 Bug ID: 1607580 Summary: CVE-2018-8034 tomcat: host name verification missing in WebSocket client Product: Security Response Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abhgupta(a)redhat.com, aileenc(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, anstephe(a)redhat.com, apintea(a)redhat.com, avibelli(a)redhat.com, bgeorges(a)redhat.com, bkundal(a)redhat.com, bmaxwell(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmoulliard(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, darran.lofthouse(a)redhat.com, dbaker(a)redhat.com, dimitris(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, etirelli(a)redhat.com, fgavrilo(a)redhat.com, gvarsami(a)redhat.com, gzaronik(a)redhat.com, hghasemb(a)redhat.com, hhorak(a)redhat.com, ibek(a)redhat.com, ikanello(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jclere(a)redhat.com, jcoleman(a)redhat.com, jdoyle(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jondruse(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jschatte(a)redhat.com, jshepherd(a)redhat.com, jstastny(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, loleary(a)redhat.com, lpetrovi(a)redhat.com, lthon(a)redhat.com, mbabacek(a)redhat.com, mizdebsk(a)redhat.com, mszynkie(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pgallagh(a)redhat.com, pgier(a)redhat.com, pjurak(a)redhat.com, ppalaga(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, pszubiak(a)redhat.com, rnetuka(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, sdaley(a)redhat.com, spinder(a)redhat.com, sstavrev(a)redhat.com, sthangav(a)redhat.com, tcunning(a)redhat.com, theute(a)redhat.com, tkirby(a)redhat.com, trankin(a)redhat.com, trogers(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com, weli(a)redhat.com Flaw affecting tomcat . The host name verification when using TLS with the WebSocket client was not enabled by default. Upstream patch: http://svn.apache.org/viewvc?view=revision&revision=1833757 References: https://tomcat.apache.org/security-8.html https://tomcat.apache.org/security-9.html -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
26
0 / 0

[Bug 1607586] New: CVE-2018-8034 tomcat: host name verification missing in WebSocket client [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1607586 Bug ID: 1607586 Summary: CVE-2018-8034 tomcat: host name verification missing in WebSocket client [fedora-all] Product: Fedora Version: 28 Component: tomcat Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: ivan.afonichev(a)gmail.com Reporter: psampaio(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
9
0 / 0

[Bug 1579612] New: CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1579612 Bug ID: 1579612 Summary: CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [fedora-all] Product: Fedora Version: 28 Component: tomcat Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: ivan.afonichev(a)gmail.com Reporter: sfowler(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, csutherl(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com, me(a)coolsvap.net This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

5 years, 9 months

1
10
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits August 2018