October 2020 - java-sig-commits - Fedora Mailing-Lists

[Bug 1816332] New: CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1816332 Bug ID: 1816332 Summary: CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cbyrne(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, cmacedo(a)redhat.com, darran.lofthouse(a)redhat.com, decathorpe(a)gmail.com, dffrench(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, drusso(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, hhorak(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jburrell(a)redhat.com, jcantril(a)redhat.com, jmadigan(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jshepherd(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, ngough(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, puntogil(a)libero.it, pwright(a)redhat.com, rchan(a)redhat.com, rguimara(a)redhat.com, rhcs-maint(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, smaestri(a)redhat.com, sokeeffe(a)redhat.com, sponnaga(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com, trepel(a)redhat.com Target Milestone: --- Classification: Other FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). Upstream issue: https://github.com/FasterXML/jackson-databind/issues/2631 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
50
0 / 0

[Bug 1805501] CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1805501 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:4366 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
0
0 / 0

[Bug 1805501] CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1805501 --- Comment #37 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 8 Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
0
0 / 0

[Bug 1796225] New: CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1796225 Bug ID: 1796225 Summary: CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, decathorpe(a)gmail.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, esammons(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gvarsami(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jburrell(a)redhat.com, jcoleman(a)redhat.com, jerboaa(a)gmail.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kbasil(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mburns(a)redhat.com, mcressma(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, rchan(a)redhat.com, rguimara(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdaley(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, sokeeffe(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tcunning(a)redhat.com, theute(a)redhat.com, tkirby(a)redhat.com, tom.jenkinson(a)redhat.com, vhalbert(a)redhat.com Target Milestone: --- Classification: Other Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. References: https://github.com/jdordonezn/CVE-2020-72381/issues/1 https://netty.io/news/ -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
63
0 / 0

[Bug 1640615] CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1640615 errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:4366 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
0
0 / 0

[Bug 1640615] CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1640615 --- Comment #18 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> --- This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 8 Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
0
0 / 0

[Bug 1889017] New: woodstox-core-6.2.3 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1889017 Bug ID: 1889017 Summary: woodstox-core-6.2.3 is available Product: Fedora Version: rawhide Status: NEW Component: woodstox-core Keywords: FutureFeature, Triaged Assignee: elxreno(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: elxreno(a)gmail.com, jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 6.2.3 Current version/release in rawhide: 6.2.2-1.fc34 URL: https://github.com/FasterXML/woodstox Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/5140/ -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
10
0 / 0

[Bug 1888003] New: woodstox-core-6.2.2 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1888003 Bug ID: 1888003 Summary: woodstox-core-6.2.2 is available Product: Fedora Version: rawhide Status: NEW Component: woodstox-core Keywords: FutureFeature, Triaged Assignee: elxreno(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, elxreno(a)gmail.com, jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 6.2.2 Current version/release in rawhide: 6.2.1-5.fc33 URL: https://github.com/FasterXML/woodstox Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/5140/ -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
16
0 / 0

[Bug 1640615] CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1640615 Cedric Buissart <cbuissar(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1865908 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
0
0 / 0

[Bug 1887664] CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1887664 --- Doc Text *updated* by RaTasha Tillery-Smith <rtillery(a)redhat.com> --- A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits October 2020