January 2019 - java-sig-commits - Fedora Mailing-Lists

[Bug 1663907] New: CVE-2018-20535 nasm: Use-after-free at asm/preproc.c resulting in a denial of service

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1663907 Bug ID: 1663907 Summary: CVE-2018-20535 nasm: Use-after-free at asm/preproc.c resulting in a denial of service Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=low,public=20181118,reported=20181228,source=cv e,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A :L,cwe=CWE-416,fedora-all/nasm=affected,rhel-5/nasm=ne w,rhel-6/nasm=new,rhel-7/nasm=new,rhel-8/nasm=new Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: dominik(a)greysector.net, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, nickc(a)redhat.com Target Milestone: --- Classification: Other A use-after-free vulnerability was found in nasm. A specially crafted file could cause the application to crash. Upstream issue: https://bugzilla.nasm.us/show_bug.cgi?id=3392530 -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
6
0 / 0

[Bug 1663906] New: CVE-2018-1000886 nasm: Buffer overflow in asm/stdscan.c:130 resulting in a denial of service

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1663906 Bug ID: 1663906 Summary: CVE-2018-1000886 nasm: Buffer overflow in asm/stdscan.c:130 resulting in a denial of service Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=low,public=20180906,reported=20181221,source=cv e,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A :L,cwe=CWE-122,fedora-all/nasm=affected,rhel-5/nasm=ne w,rhel-6/nasm=new,rhel-7/nasm=new,rhel-8/nasm=new Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: dominik(a)greysector.net, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, nickc(a)redhat.com Target Milestone: --- Classification: Other A buffer overflow vulnerability was found in nasm. A specially crafted file could trigger endless macro generation and cause the application to crash. Upstream issue: https://bugzilla.nasm.us/show_bug.cgi?id=3392514 -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
6
0 / 0

[Bug 1663909] New: CVE-2018-1000886 CVE-2018-20535 CVE-2018-20538 nasm: various flaws [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1663909 Bug ID: 1663909 Summary: CVE-2018-1000886 CVE-2018-20535 CVE-2018-20538 nasm: various flaws [fedora-all] Product: Fedora Version: 29 Status: NEW Component: nasm Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: mizdebsk(a)redhat.com Reporter: anemec(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dominik(a)greysector.net, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
7
0 / 0

[Bug 1670704] New: CVE-2019-7147 nasm: Buffer over-read in function crc64ib in crc64.c resulting in denial of service.

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1670704 Bug ID: 1670704 Summary: CVE-2019-7147 nasm: Buffer over-read in function crc64ib in crc64.c resulting in denial of service. Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=moderate,public=20190101,reported=20190129,sour ce=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/ I:N/A:H,cwe=CWE-400,fedora-all/nasm=affected,rhel-5/na sm=new,rhel-6/nasm=new,rhel-7/nasm=new,rhel-8/nasm=new Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: dominik(a)greysector.net, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, nickc(a)redhat.com Target Milestone: --- Classification: Other A buffer over-read exists in the function crc64ib in crc64.c in nasmlib in Netwide Assembler (NASM) 2.14rc16. A crafted asm input can cause segmentation faults, leading to denial-of-service. References: https://bugzilla.nasm.us/show_bug.cgi?id=3392544 -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
8
0 / 0

[Bug 1670705] New: CVE-2019-7147 nasm: Buffer over-read in function crc64ib in crc64.c resulting in denial of service. [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1670705 Bug ID: 1670705 Summary: CVE-2019-7147 nasm: Buffer over-read in function crc64ib in crc64.c resulting in denial of service. [fedora-all] Product: Fedora Version: 29 Status: NEW Component: nasm Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: mizdebsk(a)redhat.com Reporter: darunesh(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dominik(a)greysector.net, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
7
0 / 0

[Bug 1670291] New: groovy-sandbox: jenkins-plugin-workflow-cps: Sandbox Bypass in Groovy Plugin (SECURITY-1293) [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1670291 Bug ID: 1670291 Summary: groovy-sandbox: jenkins-plugin-workflow-cps: Sandbox Bypass in Groovy Plugin (SECURITY-1293) [fedora-all] Product: Fedora Version: 29 Status: NEW Component: groovy-sandbox Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: msrb(a)redhat.com Reporter: sfowler(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
7
0 / 0

[Bug 1670284] New: jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1292) [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1670284 Bug ID: 1670284 Summary: jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1292) [fedora-all] Product: Fedora Version: 29 Status: NEW Component: jenkins-script-security-plugin Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: msrb(a)redhat.com Reporter: sfowler(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
5
0 / 0

[Bug 1667570] New: jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox Bypass in Script Security and Pipeline Plugins (SECURITY-1266) [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1667570 Bug ID: 1667570 Summary: jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox Bypass in Script Security and Pipeline Plugins (SECURITY-1266) [fedora-all] Product: Fedora Version: 29 Status: NEW Component: jenkins-script-security-plugin Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: msrb(a)redhat.com Reporter: lpardo(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
6
0 / 0

[Bug 1667571] New: groovy-sandbox: jenkins-plugin-script-security: Sandbox Bypass in Script Security and Pipeline Plugins (SECURITY-1266) [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1667571 Bug ID: 1667571 Summary: groovy-sandbox: jenkins-plugin-script-security: Sandbox Bypass in Script Security and Pipeline Plugins (SECURITY-1266) [fedora-all] Product: Fedora Version: 29 Status: NEW Component: groovy-sandbox Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: msrb(a)redhat.com Reporter: lpardo(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
6
0 / 0

[Bug 1668345] New: CVE-2019-1003003 Jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1668345 Bug ID: 1668345 Summary: CVE-2019-1003003 Jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=moderate,public=20190116,reported=20190116,sour ce=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N /S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-28/jenkin s=affected Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: msiddiqu(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Other Users with the Overall/RunScripts permission (typically administrators) were able to use the Jenkins script console to craft a 'Remember me' cookie that would never expire. This allowed attackers access to a Jenkins instance while the corresponding user in the configured security realm exists, for example to persist access after another successful attack. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
17
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits January 2019