January 2020 - java-sig-commits - Fedora Mailing-Lists

[Bug 1756388] New: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1756388 Bug ID: 1756388 Summary: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: csutherl(a)redhat.com, dan(a)danieljamesscott.org, decathorpe(a)gmail.com, gzaronik(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jclere(a)redhat.com, jjelen(a)redhat.com, lgao(a)redhat.com, lkundrak(a)v3.sk, mbabacek(a)redhat.com, mizdebsk(a)redhat.com, msimacek(a)redhat.com, myarboro(a)redhat.com, twalsh(a)redhat.com, weli(a)redhat.com Target Milestone: --- Classification: Other The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007. References: https://github.com/gradle/gradle/issues/10278 https://github.com/gradle/gradle/pull/10176 https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
8
0 / 0

[Bug 1756390] New: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host [epel-6]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1756390 Bug ID: 1756390 Summary: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host [epel-6] Product: Fedora EPEL Version: el6 Status: NEW Component: gradle Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: mizdebsk(a)redhat.com Reporter: gsuckevi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dan(a)danieljamesscott.org, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, msimacek(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-6. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
5
0 / 0

[Bug 1767371] New: elasticsearch dependencies

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1767371 Bug ID: 1767371 Summary: elasticsearch dependencies Product: Fedora Version: 31 Status: NEW Component: elasticsearch Assignee: bazanluis20(a)gmail.com Reporter: mail(a)lukaszposadowski.pl QA Contact: extras-qa(a)fedoraproject.org CC: bazanluis20(a)gmail.com, bobjensen(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, pahan(a)hubbitus.info, zbyszek(a)in.waw.pl Target Milestone: --- Classification: Fedora Description of problem: elascticsearchpackage has unmet dependencies. Version-Release number of selected component (if applicable): elasticsearch.noarch 1.7.1-3.fc24 fedora How reproducible: Steps to Reproduce: 1. dnf install elasticsearch 2. 3. Actual results: dnf install elasticsearch Last metadata expiration check: 2:08:15 ago on Thu Oct 31 08:58:08 2019. Error: Problem: conflicting requests - nothing provides mvn(org.apache.lucene:lucene-analyzers-common:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch - nothing provides mvn(org.apache.lucene:lucene-core:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch - nothing provides mvn(org.apache.lucene:lucene-highlighter:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch - nothing provides mvn(org.apache.lucene:lucene-join:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch - nothing provides mvn(org.apache.lucene:lucene-memory:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch - nothing provides mvn(org.apache.lucene:lucene-queries:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch - nothing provides mvn(org.apache.lucene:lucene-queryparser:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch - nothing provides mvn(org.apache.lucene:lucene-sandbox:4) needed by elasticsearch-1.7.1-3.fc24.noarch - nothing provides mvn(org.apache.lucene:lucene-spatial:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch - nothing provides mvn(org.apache.lucene:lucene-suggest:4.10.4) needed by elasticsearch-1.7.1-3.fc24.noarch (try to add '--skip-broken' to skip uninstallable packages) Expected results: Additional info: -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
7
0 / 0

[Bug 1797068] New: CVE-2020-2105 jenkins: REST APIs vulnerable to clickjacking

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1797068 Bug ID: 1797068 Summary: CVE-2020-2105 jenkins: REST APIs vulnerable to clickjacking Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, pbhattac(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks. References: https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1704 http://www.openwall.com/lists/oss-security/2020/01/29/1 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
11
0 / 0

[Bug 1797069] New: CVE-2020-2105 jenkins: REST APIs vulnerable to clickjacking [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1797069 Bug ID: 1797069 Summary: CVE-2020-2105 jenkins: REST APIs vulnerable to clickjacking [fedora-all] Product: Fedora Version: 31 Status: NEW Component: jenkins Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: extras-orphan(a)fedoraproject.org Reporter: psampaio(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
4
0 / 0

[Bug 1797066] New: CVE-2020-2104 jenkins: Memory usage graphs accessible to anyone with Overall/Read [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1797066 Bug ID: 1797066 Summary: CVE-2020-2104 jenkins: Memory usage graphs accessible to anyone with Overall/Read [fedora-all] Product: Fedora Version: 31 Status: NEW Component: jenkins Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: extras-orphan(a)fedoraproject.org Reporter: psampaio(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
4
0 / 0

[Bug 1797087] New: CVE-2020-2100 jenkins: UDP multicast/broadcast service amplification reflection attack

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1797087 Bug ID: 1797087 Summary: CVE-2020-2100 jenkins: UDP multicast/broadcast service amplification reflection attack Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, pbhattac(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins 2.218 and earlier, LTS 2.204.1 and earlier was vulnerable to a UDP amplification reflection denial of service attack on port 33848. References: https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1641 http://www.openwall.com/lists/oss-security/2020/01/29/1 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
10
0 / 0

[Bug 1797088] New: CVE-2020-2100 jenkins: UDP multicast/broadcast service amplification reflection attack [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1797088 Bug ID: 1797088 Summary: CVE-2020-2100 jenkins: UDP multicast/broadcast service amplification reflection attack [fedora-all] Product: Fedora Version: 31 Status: NEW Component: jenkins Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: extras-orphan(a)fedoraproject.org Reporter: psampaio(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
4
0 / 0

[Bug 1797084] New: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1797084 Bug ID: 1797084 Summary: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, pbhattac(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret. References: https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1659 http://www.openwall.com/lists/oss-security/2020/01/29/1 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
11
0 / 0

[Bug 1797085] New: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1797085 Bug ID: 1797085 Summary: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret [fedora-all] Product: Fedora Version: 31 Status: NEW Component: jenkins Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: extras-orphan(a)fedoraproject.org Reporter: psampaio(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 5 months

1
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits January 2020