[Bug 1756388] New: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1756388
Bug ID: 1756388
Summary: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: csutherl(a)redhat.com, dan(a)danieljamesscott.org,
decathorpe(a)gmail.com, gzaronik(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jjelen(a)redhat.com, lgao(a)redhat.com,
lkundrak(a)v3.sk, mbabacek(a)redhat.com,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
myarboro(a)redhat.com, twalsh(a)redhat.com,
weli(a)redhat.com
Target Milestone: ---
Classification: Other
The HTTP client in Gradle before 5.6 sends authentication credentials
originally destined for the configured host. If that host returns a 30x
redirect, Gradle also sends those credentials to all subsequent hosts that the
request redirects to. This is similar to CVE-2018-1000007.
References:
https://github.com/gradle/gradle/issues/10278
https://github.com/gradle/gradle/pull/10176
https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95
--
You are receiving this mail because:
You are on the CC list for the bug.
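The credential-forwarding behaviour described in the report above, shown as an added example (not Gradle's own code): a minimal redirect-following client that reproduces the leak when told to keep headers, beside the hardened variant that drops Authorization whenever a redirect leaves the original origin. RESPONSES is a constructed, offline stand-in for the servers (URL to status and Location), and the hostnames and credential are invented.

```python
"""Credential forwarding across a 30x redirect (the CVE-2019-15052 pattern),
beside a client that drops Authorization when the redirect leaves the origin.

Added example, not Gradle's code. RESPONSES is a constructed, offline stand-in
for the servers: URL -> (status, Location header)."""
from urllib.parse import urlsplit

RESPONSES = {
    "https://repo.example.com/old.jar": (301, "https://repo.example.com/lib.jar"),
    "https://repo.example.com/lib.jar": (302, "https://mirror.example.org/lib.jar"),
    "https://mirror.example.org/lib.jar": (307, "http://mirror.example.org:8080/lib.jar"),
    "http://mirror.example.org:8080/lib.jar": (200, None),
}
MAX_REDIRECTS = 5
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    https://h and https://h:443 compare equal."""
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme)


def fetch(url, headers, strip_on_cross_origin):
    """Follow redirects and record, per hop, the Authorization value sent.
    strip_on_cross_origin=False reproduces the leaky behaviour."""
    hops = []
    for _ in range(MAX_REDIRECTS):
        hops.append((url, headers.get("Authorization")))
        status, location = RESPONSES[url]
        if status // 100 != 3 or location is None:
            return hops
        if strip_on_cross_origin and origin(location) != origin(url):
            # The credential was configured for the original host only.
            headers = {k: v for k, v in headers.items()
                       if k.lower() != "authorization"}
        url = location
    raise RuntimeError("too many redirects")


def hosts_given_credential(start, hardened):
    """netlocs that received the credential, in hop order."""
    cred = {"Authorization": "Basic dXNlcjpwYXNz"}  # constructed user:pass
    return [urlsplit(u).netloc for u, auth in fetch(start, cred, hardened)
            if auth is not None]
```

The same-origin hop (old.jar to lib.jar on repo.example.com) keeps the credential even in the hardened client; only the hop to the mirror drops it.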
[Bug 1756390] New: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host [epel-6]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1756390
Bug ID: 1756390
Summary: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host [epel-6]
Product: Fedora EPEL
Version: el6
Status: NEW
Component: gradle
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: mizdebsk(a)redhat.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dan(a)danieljamesscott.org,
java-sig-commits(a)lists.fedoraproject.org,
lkundrak(a)v3.sk, mizdebsk(a)redhat.com,
msimacek(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[Bug 1767371] New: elasticsearch dependencies
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1767371
Bug ID: 1767371
Summary: elasticsearch dependencies
Product: Fedora
Version: 31
Status: NEW
Component: elasticsearch
Assignee: bazanluis20(a)gmail.com
Reporter: mail(a)lukaszposadowski.pl
QA Contact: extras-qa(a)fedoraproject.org
CC: bazanluis20(a)gmail.com, bobjensen(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, pahan(a)hubbitus.info,
zbyszek(a)in.waw.pl
Target Milestone: ---
Classification: Fedora
Description of problem:
elasticsearch package has unmet dependencies.
Version-Release number of selected component (if applicable):
elasticsearch.noarch 1.7.1-3.fc24 fedora
How reproducible:
Steps to Reproduce:
1. dnf install elasticsearch
Actual results:
dnf install elasticsearch
Last metadata expiration check: 2:08:15 ago on Thu Oct 31 08:58:08 2019.
Error:
Problem: conflicting requests
- nothing provides mvn(org.apache.lucene:lucene-analyzers-common:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch
- nothing provides mvn(org.apache.lucene:lucene-core:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch
- nothing provides mvn(org.apache.lucene:lucene-highlighter:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch
- nothing provides mvn(org.apache.lucene:lucene-join:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch
- nothing provides mvn(org.apache.lucene:lucene-memory:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch
- nothing provides mvn(org.apache.lucene:lucene-queries:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch
- nothing provides mvn(org.apache.lucene:lucene-queryparser:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch
- nothing provides mvn(org.apache.lucene:lucene-sandbox:4) needed by elasticsearch-1.7.1-3.fc24.noarch
- nothing provides mvn(org.apache.lucene:lucene-spatial:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch
- nothing provides mvn(org.apache.lucene:lucene-suggest:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch
(try to add '--skip-broken' to skip uninstallable packages)
Expected results:
Additional info:
[Bug 1797068] New: CVE-2020-2105 jenkins: REST APIs vulnerable to clickjacking
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1797068
Bug ID: 1797068
Summary: CVE-2020-2105 jenkins: REST APIs vulnerable to clickjacking
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
aos-bugs(a)redhat.com, bmontgom(a)redhat.com,
eparis(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, pbhattac(a)redhat.com,
sponnaga(a)redhat.com, vbobade(a)redhat.com,
wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were
vulnerable to clickjacking attacks.
References:
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1704
http://www.openwall.com/lists/oss-security/2020/01/29/1
[Bug 1797069] New: CVE-2020-2105 jenkins: REST APIs vulnerable to clickjacking [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1797069
Bug ID: 1797069
Summary: CVE-2020-2105 jenkins: REST APIs vulnerable to clickjacking [fedora-all]
Product: Fedora
Version: 31
Status: NEW
Component: jenkins
Keywords: Security, SecurityTracking
Severity: low
Priority: low
Assignee: extras-orphan(a)fedoraproject.org
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1797066] New: CVE-2020-2104 jenkins: Memory usage graphs accessible to anyone with Overall/Read [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1797066
Bug ID: 1797066
Summary: CVE-2020-2104 jenkins: Memory usage graphs accessible to anyone with Overall/Read [fedora-all]
Product: Fedora
Version: 31
Status: NEW
Component: jenkins
Keywords: Security, SecurityTracking
Severity: low
Priority: low
Assignee: extras-orphan(a)fedoraproject.org
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1797087] New: CVE-2020-2100 jenkins: UDP multicast/broadcast service amplification reflection attack
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1797087
Bug ID: 1797087
Summary: CVE-2020-2100 jenkins: UDP multicast/broadcast service amplification reflection attack
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
aos-bugs(a)redhat.com, bmontgom(a)redhat.com,
eparis(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, pbhattac(a)redhat.com,
sponnaga(a)redhat.com, vbobade(a)redhat.com,
wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to a UDP
amplification reflection denial-of-service attack on port 33848.
References:
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1641
http://www.openwall.com/lists/oss-security/2020/01/29/1
[Bug 1797088] New: CVE-2020-2100 jenkins: UDP multicast/broadcast service amplification reflection attack [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1797088
Bug ID: 1797088
Summary: CVE-2020-2100 jenkins: UDP multicast/broadcast service amplification reflection attack [fedora-all]
Product: Fedora
Version: 31
Status: NEW
Component: jenkins
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: extras-orphan(a)fedoraproject.org
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1797084] New: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1797084
Bug ID: 1797084
Summary: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
aos-bugs(a)redhat.com, bmontgom(a)redhat.com,
eparis(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, pbhattac(a)redhat.com,
sponnaga(a)redhat.com, vbobade(a)redhat.com,
wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time
comparison function for validating connection secrets, which could potentially
allow an attacker to use a timing attack to obtain this secret.
References:
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1659
http://www.openwall.com/lists/oss-security/2020/01/29/1
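The defect class named in the report above, as an added example (not Jenkins code): a secret check that exits at the first mismatching byte, beside a comparison that inspects every byte regardless. Instead of measuring wall-clock time, which is noisy, each comparator also reports how many byte positions it inspected, which is the quantity a timing side channel exposes. EXPECTED is a constructed secret, not a real one.

```python
"""Secret validation with an early-exit comparison (the CVE-2020-2101 defect)
beside a constant-time one.

Added example, not Jenkins code. Each comparator returns (equal, bytes
inspected); the leak is that the count depends on the correct prefix length."""
import hmac

EXPECTED = b"f1e2d3c4b5a6978877665544332211ff"  # constructed agent secret


def naive_equal(candidate, expected):
    """Stops at the first mismatch: work done reveals the matching prefix."""
    if len(candidate) != len(expected):
        return False, 0
    for i, (x, y) in enumerate(zip(candidate, expected)):
        if x != y:
            return False, i + 1
    return True, len(expected)


def ct_equal(candidate, expected):
    """Inspects every byte and folds mismatches into one accumulator, so the
    work is independent of where (or whether) the bytes differ."""
    if len(candidate) != len(expected):
        return False, 0
    diff = 0
    for x, y in zip(candidate, expected):
        diff |= x ^ y
    return diff == 0, len(expected)


def validate_secret(candidate):
    """What a server should call in production: the stdlib primitive."""
    return hmac.compare_digest(candidate, EXPECTED)


def inspected_by_prefix(compare, prefix_lengths):
    """Audit helper: bytes inspected by `compare` for candidates that share
    the first k bytes with EXPECTED and differ in every later byte."""
    counts = []
    for k in prefix_lengths:
        wrong_tail = bytes(b ^ 0xFF for b in EXPECTED[k:])
        counts.append(compare(EXPECTED[:k] + wrong_tail, EXPECTED)[1])
    return counts
```

Run inspected_by_prefix with both comparators over [0, 8, 16, 31]: the early-exit version yields counts that grow with the correct prefix, the constant-time version yields the same count every time.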
[Bug 1797085] New: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1797085
Bug ID: 1797085
Summary: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret [fedora-all]
Product: Fedora
Version: 31
Status: NEW
Component: jenkins
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: extras-orphan(a)fedoraproject.org
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.