February 2020 - java-sig-commits - Fedora Mailing-Lists

[Bug 1764370] New: CVE-2019-10406 jenkins: XSS vulnerability in Jenkins URL setting

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1764370 Bug ID: 1764370 Summary: CVE-2019-10406 jenkins: XSS vulnerability in Jenkins URL setting Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins did not validate or otherwise limit the possible values administrators could specify as Jenkins root URL. This resulted in a cross-site scripting vulnerability exploitable by users with Overall/Administer permission. References: https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1471 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
6
0 / 0

[Bug 1764369] New: CVE-2019-10405 jenkins: Diagnostic web page exposed Cookie HTTP header

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1764369 Bug ID: 1764369 Summary: CVE-2019-10405 jenkins: Diagnostic web page exposed Cookie HTTP header Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins shows various technical information about the current user on the /whoAmI URL. The information shown includes HTTP request headers. This allowed attackers able to exploit another cross-site scripting vulnerability to obtain the Cookie header’s value even if the HttpOnly flag would prevent direct access via JavaScript. References: https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
6
0 / 0

[Bug 1764367] New: CVE-2019-10404 jenkins: Stored XSS vulnerability in queue item tooltip

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1764367 Bug ID: 1764367 Summary: CVE-2019-10404 jenkins: Stored XSS vulnerability in queue item tooltip Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins did not escape the reason a queue item is blocked in tooltips. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the reason a queue item is blocked, for example a label expression that does not match idle executors. References: https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1537%20(2) -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
7
0 / 0

[Bug 1764366] New: CVE-2019-10403 jenkins: Stored XSS vulnerability in SCM tag action tooltip

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1764366 Bug ID: 1764366 Summary: CVE-2019-10403 jenkins: Stored XSS vulnerability in SCM tag action tooltip Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins did not escape the tag name on the tooltip for tag actions shown in the build history. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the SCM tag name for these actions. References: https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1537%20(1) -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
7
0 / 0

[Bug 1764363] New: CVE-2019-10402 jenkins: XSS vulnerability in combobox form control

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1764363 Bug ID: 1764363 Summary: CVE-2019-10402 jenkins: XSS vulnerability in combobox form control Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins interpreted items added to f:combobox form controls as HTML. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the contents of f:combobox form controls. References: https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1525 -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
6
0 / 0

[Bug 1742075] New: glassfish-fastinfoset-1.2.16 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1742075 Bug ID: 1742075 Summary: glassfish-fastinfoset-1.2.16 is available Product: Fedora Version: rawhide Status: NEW Component: glassfish-fastinfoset Keywords: FutureFeature, Triaged Assignee: ascheel(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: ascheel(a)redhat.com, decathorpe(a)gmail.com, dmoluguw(a)redhat.com, edewata(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 1.2.16 Current version/release in rawhide: 1.2.13-12.fc31 URL: https://github.com/eclipse-ee4j/jaxb-fi Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/21051/ -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 7 months

1
8
0 / 0

[Bug 1769162] New: batik-1.12 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1769162 Bug ID: 1769162 Summary: batik-1.12 is available Product: Fedora Version: rawhide Status: NEW Component: batik Keywords: FutureFeature, Triaged Assignee: stewardship-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, c.david86(a)gmail.com, decathorpe(a)gmail.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, mizdebsk(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 1.12 Current version/release in rawhide: 1.11-2.fc31 URL: https://xmlgraphics.apache.org/batik/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/168/ -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 8 months

1
5
0 / 0

[Bug 1699692] New: apache-commons-lang3-3.9 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1699692 Bug ID: 1699692 Summary: apache-commons-lang3-3.9 is available Product: Fedora Version: rawhide Status: NEW Component: apache-commons-lang3 Keywords: FutureFeature, Triaged Assignee: stuart(a)gathman.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, stuart(a)gathman.org Target Milestone: --- Classification: Fedora Latest upstream release: 3.9 Current version/release in rawhide: 3.8.1-3.fc30 URL: http://archive.apache.org/dist/commons/lang/source/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/76/ -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 8 months

1
6
0 / 0

[Bug 1709770] New: apache-ivy-2.5.0-rc1 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1709770 Bug ID: 1709770 Summary: apache-ivy-2.5.0-rc1 is available Product: Fedora Version: rawhide Status: NEW Component: apache-ivy Keywords: FutureFeature, Triaged Assignee: stewardship-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jjelen(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 2.5.0-rc1 Current version/release in rawhide: 2.4.0-16.fc30 URL: http://ant.apache.org/ivy/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/14014/ -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 8 months

1
2
0 / 0

[Bug 1765857] New: junit-4.13-rc-1 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1765857 Bug ID: 1765857 Summary: junit-4.13-rc-1 is available Product: Fedora Version: rawhide Status: NEW Component: junit Keywords: FutureFeature, Triaged Assignee: stewardship-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, decathorpe(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com, mhroncok(a)redhat.com, mizdebsk(a)redhat.com, sochotni(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 4.13-rc-1 Current version/release in rawhide: 4.12-12.fc31 URL: https://github.com/junit-team/junit4 Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1480/ -- You are receiving this mail because: You are on the CC list for the bug.

3 years, 8 months

1
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits February 2020