[Bug 1687242] New: modello-1.10.0 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1687242
Bug ID: 1687242
Summary: modello-1.10.0 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: modello
Keywords: FutureFeature, Triaged
Assignee: extras-orphan(a)fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org, fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, yyang(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 1.10.0
Current version/release in rawhide: 1.9.1-8.fc30
URL: http://codehaus-plexus.github.io/modello
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/2002/
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1689873] New: CVE-2019-1003029 jenkins-plugin-script-security: sandbox bypass in script security plugin
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1689873
Bug ID: 1689873
Summary: CVE-2019-1003029 jenkins-plugin-script-security:
sandbox bypass in script security plugin
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190306,reported=20190309,source=cve,
cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,
fedora-all/jenkins-script-security-plugin=affected,
openshift-enterprise-3.11/jenkins-2-plugins=affected,
openshift-enterprise-4.0/jenkins-2-plugins=affected,
openshift-enterprise-3.4/jenkins-plugin-script-security=affected,
openshift-enterprise-3.5/jenkins-plugin-script-security=affected,
openshift-enterprise-3.6/jenkins-plugin-script-security=affected,
openshift-enterprise-3.7/jenkins-plugin-script-security=affected,
openshift-enterprise-3.9/jenkins-plugin-script-security=affected,
openshift-enterprise-3.10/jenkins-plugin-script-security=affected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: ahardin(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
eparis(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Target Milestone: ---
Classification: Other
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53
and earlier in
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java,
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
that allows attackers with Overall/Read permission to execute arbitrary code on
the Jenkins master JVM.
Reference:
https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336
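The report above gives no mechanism, only the affected range (1.53 and earlier), so the practical step is an inventory check. The following is an added example, not code from the bug, the plugin or the advisory. It assumes the plugin list has the shape I expect from the Jenkins plugin manager API (/pluginManager/api/json?depth=1: a "plugins" array whose entries carry "shortName" and "version"; verify against your own controller), the JSON bodies are constructed, and the 1.54 threshold is derived from "1.53 and earlier" rather than quoted from the advisory.

```python
"""Added inventory check: which Jenkins controllers still run a Script
Security Plugin release below the first unaffected one. The responses in
INVENTORY are constructed for this example; FIXED_IN is an assumption
derived from the report's "1.53 and earlier"."""
import json
import re

# shortName -> first release assumed not to be affected (CVE-2019-1003029).
FIXED_IN = {"script-security": "1.54"}

# Constructed plugin-manager responses for three hypothetical controllers.
INVENTORY = {
    "ci-prod": json.dumps({"plugins": [
        {"shortName": "script-security", "version": "1.53", "active": True},
        {"shortName": "workflow-cps", "version": "2.64", "active": True},
    ]}),
    "ci-staging": json.dumps({"plugins": [
        {"shortName": "script-security", "version": "1.54", "active": True},
    ]}),
    "ci-legacy": json.dumps({"plugins": [
        {"shortName": "script-security", "version": "1.54-beta-1", "active": True},
    ]}),
}


def version_key(version):
    """Comparable key for plugin versions such as "1.53", "2.164.1" or
    "1.54-beta-1": the leading dotted numbers compare numerically, and any
    trailing non-numeric qualifier marks a pre-release that sorts below the
    plain release of the same number."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unrecognised version {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return (numbers, 0 if m.group(2) else 1)


def affected_plugins(plugin_json):
    """Plugins in one controller's JSON that are below their fixed release,
    as (shortName, installed, fixed_in) tuples; empty means not affected."""
    hits = []
    for plugin in json.loads(plugin_json)["plugins"]:
        fixed = FIXED_IN.get(plugin["shortName"])
        if fixed and version_key(plugin["version"]) < version_key(fixed):
            hits.append((plugin["shortName"], plugin["version"], fixed))
    return hits


def scan(inventory):
    """controller name -> affected plugins on that controller."""
    return {host: affected_plugins(body) for host, body in inventory.items()}


if __name__ == "__main__":
    for host, hits in scan(INVENTORY).items():
        status = ", ".join(f"{p} {v} < {f}" for p, v, f in hits) or "not affected"
        print(f"{host}: {status}")
```

The pre-release handling matters here: a naive string comparison would rank "1.54-beta-1" above "1.54" and silently clear a controller that is still on pre-fix code.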
[Bug 1684556] New: CVE-2019-1003024 CVE-2019-1003024 jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1320)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1684556
Bug ID: 1684556
Summary: CVE-2019-1003024 CVE-2019-1003024
jenkins-plugin-script-security: Sandbox Bypass in
Script Security Plugin (SECURITY-1320)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190219,reported=20190219,source=internet,
cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-96,
openshift-enterprise-3.2/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.3/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.4/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.5/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.7/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.6/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.9/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.10/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.11/jenkins-2-plugins=affected,
fedora-all/jenkins-script-security-plugin=affected,
openshift-enterprise-4.0/jenkins-2-plugins=affected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: ahardin(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
eparis(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Target Milestone: ---
Classification: Other
The previously implemented script security sandbox protections prohibiting the
use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for
SECURITY-1266) could be circumvented through use of various Groovy language
features:
* Use of AnnotationCollector
* Import aliasing
* Referencing annotation types using their full class name
This allowed users with Overall/Read permission, or the ability to control
Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the
sandbox protection and execute arbitrary code on the Jenkins master.
Using AnnotationCollector is now newly prohibited in sandboxed scripts such as
Pipelines. Importing any of the annotations considered unsafe will now result
in an error. During the compilation phase, both simple and full class names of
prohibited annotations are rejected for element annotations.
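The three bypasses listed in the report share one root cause: the denylist compared the annotation name as written in the script instead of the class it resolves to, so an alias, a fully qualified reference or an AnnotationCollector-built annotation never matched. The following is an added model of that check and of the resolve-then-compare form described in the fix; it is not the plugin's code, which walks Groovy AST nodes. The Script type, the denylist contents, the SAMPLES and the requirement that every non-local annotation be explicitly imported are constructed for this example.

```python
"""Model of a sandboxed-script annotation denylist: the bypassable form
(match on the name as written) beside the resolve-then-compare form.
Illustrative only; Script, the denylists and SAMPLES are constructed."""
from dataclasses import dataclass, field

# Denylist before the fix: only the Grape annotation the report names.
UNSAFE_BEFORE = frozenset({"groovy.grape.Grab"})
# After the fix, AnnotationCollector itself is prohibited in sandboxed scripts.
UNSAFE_AFTER = UNSAFE_BEFORE | {"groovy.transform.AnnotationCollector"}
# The naive check only ever knew simple names ("Grab").
UNSAFE_SIMPLE_NAMES = frozenset(n.rsplit(".", 1)[-1] for n in UNSAFE_BEFORE)


@dataclass
class Script:
    """A parsed script reduced to what the checker needs (constructed type).
    Unlike Groovy, this model needs an explicit import for every non-local
    annotation; an unresolved simple name is a class in the script's own package."""
    imports: dict = field(default_factory=dict)      # name as used -> fully qualified class
    annotations: list = field(default_factory=list)  # annotation names exactly as written


def naive_check(script):
    """Bypassable: compares the written name with the simple names of the
    denylist. Returns the offending names; an empty list means 'allowed'."""
    return [a for a in script.annotations if a in UNSAFE_SIMPLE_NAMES]


def resolve(name, script):
    """Written name -> fully qualified class: qualified names pass through,
    imported (possibly aliased) names follow the import table, anything
    else is a local class in the default package."""
    return name if "." in name else script.imports.get(name, name)


def hardened_check(script):
    """Resolve first, then compare fully qualified names against the post-fix
    denylist, so alias, full class name and collector all land on one key."""
    resolved = (resolve(a, script) for a in script.annotations)
    return [r for r in resolved if r in UNSAFE_AFTER]


# Constructed sample scripts, one per case in the report.
SAMPLES = {
    # @Grab written plainly: both checks catch it.
    "plain": Script({"Grab": "groovy.grape.Grab"}, ["Grab"]),
    # import groovy.grape.Grab as Cache; @Cache(...): the written name is not "Grab".
    "alias": Script({"Cache": "groovy.grape.Grab"}, ["Cache"]),
    # @groovy.grape.Grab(...) with no import: again not the string "Grab".
    "fqn": Script({}, ["groovy.grape.Grab"]),
    # @AnnotationCollector([Grab]) @interface Mine {} ... @Mine(...): the
    # collector expands to @Grab only after the check has run, so no Grab
    # node is ever seen; the checker has to reject the collector itself.
    "collector": Script({"AnnotationCollector": "groovy.transform.AnnotationCollector",
                         "Grab": "groovy.grape.Grab"},
                        ["AnnotationCollector", "Mine"]),
    # Harmless annotation: neither check objects.
    "benign": Script({"Field": "groovy.transform.Field"}, ["Field"]),
}


def compare():
    """Both checks over every sample; value is (naive_rejects, hardened_rejects)."""
    return {name: (bool(naive_check(s)), bool(hardened_check(s)))
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:9s} naive={'reject' if naive else 'ALLOW'}  "
              f"hardened={'reject' if hardened else 'allow'}")
```

The general lesson is the usual one for denylists on names: compare canonical identities (here the resolved class name), never the spelling the attacker controls, and deny any construct that can introduce a denylisted item after the check has run.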
[Bug 1662255] New: Suspend to disk (hibernate) broken after upgrade to Fedora 29
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1662255
Bug ID: 1662255
Summary: Suspend to disk (hibernate) broken after upgrade to
Fedora 29
Product: Fedora
Version: 29
Status: NEW
Component: hibernate
Assignee: puntogil(a)libero.it
Reporter: drbasic6(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
Description of problem:
After upgrading to Fedora 29, hibernate is broken. It used to work until Fedora
28.
The hibernate option is missing from the KDE menu now. Suspend to RAM is still
there, but when the battery dies after a couple of days, all unsaved work is
lost.
Version-Release number of selected component (if applicable):
Fedora 29
How reproducible:
Always
Steps to Reproduce:
1. Use Fedora 28, hibernate...
2. Upgrade to F29 via gnome-software.
3. Hibernate feature unavailable.
Actual results:
Hibernate feature unavailable after upgrade.
It's not possible anymore to keep a bunch of programs running. Now, everything
has to be saved and closed and the system has to be shut down whenever the
laptop is removed from the station and taken to another location.
Expected results:
A basic system feature that has worked for years shouldn't suddenly be gone.
This is unacceptable.
Additional info:
As the KDE menu sometimes stops working after a few days (Bug 1634681), it's
often necessary to hibernate via the command line. The following command worked
until Fedora 28:
$ qdbus org.kde.Solid.PowerManagement /org/freedesktop/PowerManagement CanHibernate && qdbus org.kde.Solid.PowerManagement /org/freedesktop/PowerManagement Hibernate
false
[Bug 1668319] New: CVE-2019-6290 nasm: Infinite recursion in eval.c causing stack exhaustion problem resulting in a denial of service
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1668319
Bug ID: 1668319
Summary: CVE-2019-6290 nasm: Infinite recursion in eval.c
causing stack exhaustion problem resulting in a denial
of service
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190102,reported=20190115,source=cve,
cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,cwe=CWE-400,
fedora-all/nasm=affected,rhel-5/nasm=new,rhel-6/nasm=new,rhel-7/nasm=new,rhel-8/nasm=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, nickc(a)redhat.com
Target Milestone: ---
Classification: Other
An infinite recursion issue was discovered in eval.c in Netwide Assembler (NASM)
through 2.14.02. There is a stack exhaustion problem resulting from infinite
recursion in the functions expr, rexp, bexpr and cexpr in certain scenarios
involving lots of '{' characters. Remote attackers could leverage this
vulnerability to cause a denial-of-service via a crafted asm file.
Upstream Issue:
https://bugzilla.nasm.us/show_bug.cgi?id=3392548
[Bug 1668320] New: CVE-2019-6290 nasm: Infinite recursion in eval.c causing stack exhaustion problem resulting in a denial of service [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1668320
Bug ID: 1668320
Summary: CVE-2019-6290 nasm: Infinite recursion in eval.c
causing stack exhaustion problem resulting in a denial
of service [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: nasm
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: darunesh(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1668321] New: CVE-2019-6291 nasm: Recursive calls in the function expr resulting in a denial of service
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1668321
Bug ID: 1668321
Summary: CVE-2019-6291 nasm: Recursive calls in the function
expr resulting in a denial of service
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190102,reported=20190115,source=cve,
cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,cwe=CWE-400,
fedora-all/nasm=affected,rhel-5/nasm=new,rhel-6/nasm=new,rhel-7/nasm=new,rhel-8/nasm=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, nickc(a)redhat.com
Target Milestone: ---
Classification: Other
An issue was discovered in the function expr6 in eval.c in Netwide Assembler
(NASM) through 2.14.02. There is a stack exhaustion problem caused by the expr6
function making recursive calls to itself in certain scenarios involving lots
of '!' or '+' or '-' characters. Remote attackers could leverage this
vulnerability to cause a denial-of-service via a crafted asm file.
Upstream Issue:
https://bugzilla.nasm.us/show_bug.cgi?id=3392549
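Both NASM reports (CVE-2019-6290 above, with runs of '{', and CVE-2019-6291 here, with runs of '!', '+' or '-') describe the same failure mode: a recursive-descent expression parser that adds stack frames per nesting level or per unary operator with nothing bounding the count, so a crafted file drives the process into stack exhaustion (CWE-400). The following is an added example of that parser shape with and without a nesting cap; it is not NASM's code. The grammar, the operator set and the crafted inputs are constructed, expr6 is merely named after the function in the report, and '{' is treated here as a plain grouping token without modelling how NASM tokenizes braces.

```python
"""Recursive-descent expression parser, unbounded and with a nesting cap, to
show the stack-exhaustion failure mode behind both NASM reports. The grammar
and inputs are constructed for this example; nothing here is NASM's code."""
import sys

# Keep the interpreter's normal recursion guard so the unbounded run fails
# the same way everywhere. C has no such guard: the process simply crashes.
sys.setrecursionlimit(1000)


class ParseError(Exception):
    """Clean rejection of malformed or over-nested input."""


class Parser:
    def __init__(self, text, max_depth=None):
        self.text = text
        self.pos = 0
        self.max_depth = max_depth   # None reproduces the unbounded behaviour
        self.depth = 0

    def peek(self):
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def take(self):
        ch = self.peek()
        self.pos += 1
        return ch

    def enter(self):
        """Called on every recursive production; the fix is this one bound."""
        self.depth += 1
        if self.max_depth is not None and self.depth > self.max_depth:
            raise ParseError(f"expression nested deeper than {self.max_depth}")

    def leave(self):
        self.depth -= 1

    def expr(self):
        """additive: term (('+' | '-') term)*"""
        self.enter()
        try:
            value = self.term()
            while self.peek() in ("+", "-"):
                op = self.take()
                rhs = self.term()
                value = value + rhs if op == "+" else value - rhs
            return value
        finally:
            self.leave()

    def term(self):
        """multiplicative: expr6 (('*' | '/') expr6)*"""
        self.enter()
        try:
            value = self.expr6()
            while self.peek() in ("*", "/"):
                op = self.take()
                rhs = self.expr6()
                value = value * rhs if op == "*" else value // rhs
            return value
        finally:
            self.leave()

    def expr6(self):
        """unary: ('!' | '+' | '-') expr6 | primary. A run of '!', '+' or '-'
        recurses once per character, which is the second report's input."""
        self.enter()
        try:
            ch = self.peek()
            if ch == "!":
                self.take()
                return int(not self.expr6())
            if ch == "-":
                self.take()
                return -self.expr6()
            if ch == "+":
                self.take()
                return self.expr6()
            return self.primary()
        finally:
            self.leave()

    def primary(self):
        """number | '(' expr ')' | '{' expr '}'. A run of '{' recurses through
        expr/term/expr6 once per brace, which is the first report's input."""
        ch = self.peek()
        if ch in ("(", "{"):
            closing = ")" if self.take() == "(" else "}"
            value = self.expr()
            if self.take() != closing:
                raise ParseError(f"expected '{closing}'")
            return value
        start = self.pos
        while self.peek().isdigit():
            self.take()
        if start == self.pos:
            raise ParseError(f"unexpected {ch!r} at {self.pos}")
        return int(self.text[start:self.pos])


def evaluate(text, max_depth=None):
    """('ok', value), ('rejected', message) for the bounded parser's clean
    error, or ('stack-exhausted', None) when the recursion ran away."""
    parser = Parser(text, max_depth)
    try:
        value = parser.expr()
        if parser.pos != len(text):
            raise ParseError(f"trailing input at {parser.pos}")
        return ("ok", value)
    except ParseError as exc:
        return ("rejected", str(exc))
    except RecursionError:
        return ("stack-exhausted", None)


if __name__ == "__main__":
    crafted = ["{" * 20000 + "1" + "}" * 20000, "!" * 20000 + "1", "-+" * 10000 + "1"]
    for src in crafted:
        print(evaluate(src)[0], "->", evaluate(src, max_depth=64)[0])
```

The cap is deliberately counted in the parser rather than left to the runtime: in C there is no RecursionError to catch, so the only place to turn a crafted file into an error message instead of a crash is a depth check in the recursive productions themselves. Pick the limit from the deepest expression legitimate input needs, not from the stack size of one build machine.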
[Bug 1668322] New: CVE-2019-6291 nasm: Recursive calls in the function expr resulting in a denial of service [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1668322
Bug ID: 1668322
Summary: CVE-2019-6291 nasm: Recursive calls in the function
expr resulting in a denial of service [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: nasm
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: darunesh(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1661627] New: CVE-2018-17244 elasticsearch: Information Exposure due to improper set request headers [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1661627
Bug ID: 1661627
Summary: CVE-2018-17244 elasticsearch: Information Exposure due
to improper set request headers [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: elasticsearch
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: emmanuel(a)seyman.fr
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: bobjensen(a)gmail.com, emmanuel(a)seyman.fr,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, pahan(a)hubbitus.info,
zbyszek(a)in.waw.pl
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1677637] New: CVE-2019-8343 nasm: use-after-free in paste_tokens in asm/preproc.c [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1677637
Bug ID: 1677637
Summary: CVE-2019-8343 nasm: use-after-free in paste_tokens in
asm/preproc.c [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: nasm
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: i.gnatenko.brain(a)gmail.com
Reporter: darunesh(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dominik(a)greysector.net, i.gnatenko.brain(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.