May 2019 - java-sig-commits - Fedora Mailing-Lists

[Bug 1713275] New: CVE-2019-0221 tomcat: XSS in SSI printenv

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1713275 Bug ID: 1713275 Summary: CVE-2019-0221 tomcat: XSS in SSI printenv Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=moderate,public=20190413,reported=20190523,sour ce=customer,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U /C:L/I:L/A:L,epel-all/tomcat=affected,fedora-all/tomca t=affected,eap-5/jbossweb=affected,eap-6/jbossweb=affe cted,jdg-6/jbossweb=affected,jdg-7/tomcat=affected,jon -3/jbossweb=affected,rhel-6/tomcat6=new,rhel-7/tomcat= new,rhel-8/pki-deps:10.6/pki-servlet-container=new,bpm s-6/tomcat=affected,brms-5/jbossweb=affected,brms-6/to mcat=affected,jdv-6/jbossweb=affected,fuse-6/tomcat=af fected,fuse-7/tomcat=affected Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, bmaxwell(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, darran.lofthouse(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, etirelli(a)redhat.com, fgavrilo(a)redhat.com, ibek(a)redhat.com, ivan.afonichev(a)gmail.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jkurik(a)redhat.com, jochrist(a)redhat.com, jolee(a)redhat.com, jondruse(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, lgao(a)redhat.com, loleary(a)redhat.com, lpetrovi(a)redhat.com, mnovotny(a)redhat.com, paradhya(a)redhat.com, pgier(a)redhat.com, pjurak(a)redhat.com, ppalaga(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, rhcs-maint(a)redhat.com, rnetuka(a)redhat.com, rrajasek(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, spinder(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com Target Milestone: --- Classification: Other The SSI printenv command echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. Reference: http://tomcat.apache.org/security-9.html Upstream commit: https://github.com/apache/tomcat/commit/15fcd16 -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 1 month

1
25
0 / 0

[Bug 1710644] New: CVE-2017-2582 picketlink: picketlink, keycloak: SAML request parser replaces special strings with system properties [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1710644 Bug ID: 1710644 Summary: CVE-2017-2582 picketlink: picketlink, keycloak: SAML request parser replaces special strings with system properties [fedora-all] Product: Fedora Version: 30 Status: NEW Component: picketlink Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: puntogil(a)libero.it Reporter: jpadman(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, mgoldman(a)redhat.com, puntogil(a)libero.it Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 3 months

1
3
0 / 0

[Bug 1709380] New: CVE-2018-20200 okhttp: certificate pinning bypass [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1709380 Bug ID: 1709380 Summary: CVE-2018-20200 okhttp: certificate pinning bypass [fedora-all] Product: Fedora Version: 30 Status: NEW Component: okhttp Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: puntogil(a)libero.it Reporter: msiddiqu(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: gerard(a)ryan.lt, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, puntogil(a)libero.it Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 3 months

1
3
0 / 0

[Bug 1713216] New: CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1713216 Bug ID: 1713216 Summary: CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution [fedora-all] Product: Fedora Version: 30 Status: NEW Component: hazelcast Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: puntogil(a)libero.it Reporter: mrehak(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 3 months

1
3
0 / 0

[Bug 1714041] New: maven-war-plugin-3.2.3 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1714041 Bug ID: 1714041 Summary: maven-war-plugin-3.2.3 is available Product: Fedora Version: rawhide Status: NEW Component: maven-war-plugin Keywords: FutureFeature, Triaged Assignee: weli(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, weli(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 3.2.3 Current version/release in rawhide: 3.2.2-3.fc30 URL: http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-war-plugin/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoringPlease keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.Based on the information from anitya: https://release-monitoring.org/project/1945/ -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 3 months

1
2
0 / 0

[Bug 1711857] New: maven-checkstyle-plugin-3.1.0 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1711857 Bug ID: 1711857 Summary: maven-checkstyle-plugin-3.1.0 is available Product: Fedora Version: rawhide Status: NEW Component: maven-checkstyle-plugin Keywords: FutureFeature, Triaged Assignee: SpikeFedora(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: ctubbsii(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, SpikeFedora(a)gmail.com Target Milestone: --- Classification: Fedora Latest upstream release: 3.1.0 Current version/release in rawhide: 3.0.0-4.fc30 URL: http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-checkstyle-p... Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1901/ -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
1
0 / 0

[Bug 1696062] New: CVE-2018-12545 jetty: large settings frames causing denial of service

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1696062 Bug ID: 1696062 Summary: CVE-2018-12545 jetty: large settings frames causing denial of service Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=moderate,public=20190320,reported=20190328,sour ce=cve,cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/ I:L/A:L,cwe=CWE-400,fedora-all/jetty=affected,rhel-6/j etty-eclipse=notaffected,rhel-7/jetty=new,fuse-6/jetty =affected,fuse-7/jetty=affected,rhn_satellite_5/jetty= affected,rhscl-3/rh-java-common-jetty=affected Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: bkearney(a)redhat.com, chazlett(a)redhat.com, decathorpe(a)gmail.com, eclipse-sig(a)lists.fedoraproject.org, ggainey(a)redhat.com, hhorak(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jjohnstn(a)redhat.com, jorton(a)redhat.com, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, sochotni(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org, tlestach(a)redhat.com Target Milestone: --- Classification: Other In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings Reference: https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096 -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 4 months

1
14
0 / 0

[Bug 1662255] New: Suspend to disk (hibernate) broken after upgrade to Fedora 29

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1662255 Bug ID: 1662255 Summary: Suspend to disk (hibernate) broken after upgrade to Fedora 29 Product: Fedora Version: 29 Status: NEW Component: hibernate Assignee: puntogil(a)libero.it Reporter: drbasic6(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it Target Milestone: --- Classification: Fedora Description of problem: After upgrading to Fedora 29, hibernate is broken. It used to work until Fedora 28. The hibernate option is missing from the KDE menu now. Suspend to RAM is still there, but when the battery dies after a couple of days, all unsaved work is lost. Version-Release number of selected component (if applicable): Fedora 29 How reproducible: Always Steps to Reproduce: 1. Use Fedora 28, hibernate... 2. Upgrade to F29 via gnome-software. 3. Hibernate feature unavailable. Actual results: Hibernate feature unavailable after upgrade. It's not possible anymore to keep a bunch of programs running. Now, everything has to be saved and closed and the system has to be shut down whenever the laptop is removed from the station and taken to another location. Expected results: A basic system feature that has worked for years shouldn't suddenly be gone. This is unacceptable. Additional info: As the KDE menu sometimes stops working after a few days (Bug 1634681), it's often necessary to hibernate via the command line. The following command worked until Fedora 28: $ qdbus org.kde.Solid.PowerManagement /org/freedesktop/PowerManagement CanHibernate && qdbus org.kde.Solid.PowerManagement /org/freedesktop/PowerManagement Hibernate false -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 5 months

1
4
0 / 0

[Bug 1668319] New: CVE-2019-6290 nasm: Infinite recursion in eval.c causing stack exhaustion problem resulting in a denial of service

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1668319 Bug ID: 1668319 Summary: CVE-2019-6290 nasm: Infinite recursion in eval.c causing stack exhaustion problem resulting in a denial of service Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=moderate,public=20190102,reported=20190115,sour ce=cve,cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/ I:N/A:H,cwe=CWE-400,fedora-all/nasm=affected,rhel-5/na sm=new,rhel-6/nasm=new,rhel-7/nasm=new,rhel-8/nasm=new Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: dominik(a)greysector.net, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, nickc(a)redhat.com Target Milestone: --- Classification: Other An infinite recursion issue was discovered in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem resulting from infinite recursion in the functions expr, rexp, bexpr and cexpr in certain scenarios involving lots of '{' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted asm file. Upstream Issue: https://bugzilla.nasm.us/show_bug.cgi?id=3392548 -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 5 months

1
8
0 / 0

[Bug 1668320] New: CVE-2019-6290 nasm: Infinite recursion in eval.c causing stack exhaustion problem resulting in a denial of service [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1668320 Bug ID: 1668320 Summary: CVE-2019-6290 nasm: Infinite recursion in eval.c causing stack exhaustion problem resulting in a denial of service [fedora-all] Product: Fedora Version: 29 Status: NEW Component: nasm Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: mizdebsk(a)redhat.com Reporter: darunesh(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dominik(a)greysector.net, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

4 years, 5 months

1
7
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits May 2019