[Bug 1666424] New: CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
Bug ID: 1666424
Summary: CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: jackson-databind
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: puntogil(a)libero.it
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
5 years, 1 month
[Bug 1666429] New: CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
Bug ID: 1666429
Summary: CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: jackson-databind
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: puntogil(a)libero.it
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1666483] New: CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
Bug ID: 1666483
Summary: CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: jackson-databind
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: puntogil(a)libero.it
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1666486] New: CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
Bug ID: 1666486
Summary: CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: jackson-databind
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: puntogil(a)libero.it
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1666490] New: CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
Bug ID: 1666490
Summary: CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: jackson-databind
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: puntogil(a)libero.it
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1671098] New: CVE-2018-12022 jackson-databind: polymorphic deserialization of types from Jodd-db library [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
Bug ID: 1671098
Summary: CVE-2018-12022 jackson-databind: polymorphic deserialization of types from Jodd-db library [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: jackson-databind
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: puntogil(a)libero.it
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1666688] New: Please update plantuml to a more recent release
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1666688
Bug ID: 1666688
Summary: Please update plantuml to a more recent release
Product: Fedora
Version: rawhide
Hardware: All
OS: All
Status: NEW
Component: plantuml
Severity: medium
Assignee: jsafrane(a)redhat.com
Reporter: markus.oehme(a)pg40.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org, jsafrane(a)redhat.com, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
Description of problem: plantuml has several new releases, some of which fix bugs I'm encountering.
Version-Release number of selected component (if applicable): current version
8033 is bad; version 1.2019.00 is good for me
[Bug 1668215] New: javamail update causes broken dependencies in Fedora 29
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1668215
Bug ID: 1668215
Summary: javamail update causes broken dependencies in Fedora 29
Product: Fedora
Version: 29
Status: NEW
Component: javamail
Assignee: mizdebsk(a)redhat.com
Reporter: mattias.ellert(a)physics.uu.se
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org, jkang(a)redhat.com, mefoster(a)gmail.com, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
The javamail update in Fedora 29 is uninstallable due to broken dependencies:
$ LANG=en_US.UTF-8 dnf --refresh update
Adobe Systems Incorporated 2.7 kB/s | 2.9 kB 00:01
EGI-trustanchors 2.1 kB/s | 2.5 kB 00:01
Fedora Modular 29 - x86_64 46 kB/s | 28 kB 00:00
Fedora Modular 29 - x86_64 - Updates 39 kB/s | 26 kB 00:00
Fedora 29 - x86_64 - Updates 30 kB/s | 28 kB 00:00
Fedora 29 - x86_64 112 kB/s | 28 kB 00:00
RPM Fusion for Fedora 29 - Free - Updates 7.9 kB/s | 9.1 kB 00:01
RPM Fusion for Fedora 29 - Free 18 kB/s | 10 kB 00:00
skype (stable) 2.7 kB/s | 2.9 kB 00:01
Dependencies resolved.
Problem: cannot install both javamail-1.6.3-2.module_2663+c0acbe74.noarch and
javamail-1.5.2-8.fc29.noarch
- package axiom-1.2.14-3.fc29.noarch requires mvn(javax.mail:mail), but none
of the providers can be installed
- cannot install the best update candidate for package
javamail-1.5.2-8.fc29.noarch
- cannot install the best update candidate for package
axiom-1.2.14-3.fc29.noarch
- package javamail-1.5.2-7.module_2512+68251d4e.noarch is excluded
- package javamail-1.5.2-8.fc29.noarch is excluded
================================================================================
Package Arch Version Repository Size
================================================================================
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
javamail noarch 1.6.3-2.module_2663+c0acbe74 updates-modular 683 k
Transaction Summary
================================================================================
Skip 1 Package
Nothing to do.
Complete!
Version-Release number of selected component (if applicable):
javamail-1.6.3-2.module_2663+c0acbe74.noarch
How reproducible:
Always
Steps to Reproduce:
1. Try to update javamail in Fedora 29 while a package requiring mvn(javax.mail:mail) is installed
2. The update fails because the new javamail version no longer provides mvn(javax.mail:mail)
Actual results:
Update fails
Expected results:
Update successful
Additional info:
Several packages in Fedora 29 require mvn(javax.mail:mail):
$ LANG=en_US.UTF-8 dnf repoquery --whatrequires 'mvn(javax.mail:mail)'
Last metadata expiration check: 0:04:22 ago on Tue 22 Jan 2019 09:21:40 AM CET.
axiom-0:1.2.14-3.fc29.noarch
axis2-0:1.7.7-2.fc29.noarch
jenkins-core-0:1.651.3-8.fc29.noarch
jets3t-0:0.9.3-9.fc29.noarch
restlet-jse-0:2.3.1-8.fc29.noarch
subethasmtp-0:3.1.7-13.fc29.noarch
[Bug 1670290] jenkins-plugin-groovy: Sandbox Bypass in Groovy Plugin (SECURITY-1293)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1670290
Paul Harvey <pharvey(a)redhat.com> changed:
What | Removed | Added
----------------------------------------------------------------------------
Status | NEW | CLOSED
CC | ahardin(a)redhat.com, aos-bugs(a)redhat.com, bleanhar(a)redhat.com, bparees(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, eparis(a)redhat.com, jgoulding(a)redhat.com, jokerman(a)redhat.com, mchappel(a)redhat.com, wzheng(a)redhat.com | java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, msrb(a)redhat.com
Resolution | --- | NOTABUG
Summary | jenkins-plugin-workflow-cps: Sandbox Bypass in Groovy Plugin (SECURITY-1293) | jenkins-plugin-groovy: Sandbox Bypass in Groovy Plugin (SECURITY-1293)
Whiteboard | impact=important,public=20190128,reported=20190128,source=oss-security,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-96,openshift-enterprise-3.2/jenkins-plugin-workflow-cps=wontfix,openshift-enterprise-3.3/jenkins-plugin-workflow-cps=wontfix,openshift-enterprise-3.4/jenkins-plugin-workflow-cps=wontfix,openshift-enterprise-3.5/jenkins-plugin-workflow-cps=wontfix,openshift-enterprise-3.7/jenkins-plugin-workflow-cps=wontfix,openshift-enterprise-3.6/jenkins-plugin-workflow-cps=wontfix,openshift-enterprise-3.9/jenkins-plugin-workflow-cps=wontfix,openshift-enterprise-3.10/jenkins-plugin-workflow-cps=wontfix,openshift-enterprise-3.11/jenkins-plugin-workflow-cps=affected,fedora-all/groovy-sandbox=affected,openshift-enterprise-4.0/jenkins-plugin-workflow-cps=affected | impact=important,public=20190128,reported=20190128,source=oss-security,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-96,fedora-all/groovy=affected
Last Closed | | 2019-01-31 15:26:13
--- Comment #2 from Paul Harvey <pharvey(a)redhat.com> ---
This flaw is actually referring to a sandbox escape in
https://plugins.jenkins.io/groovy aka
https://github.com/jenkinsci/groovy-plugin; *not* groovy-sandbox aka
https://github.com/jenkinsci/groovy-sandbox/
Removing openshift-enterprise-3.x.