[Bug 1764370] New: CVE-2019-10406 jenkins: XSS vulnerability in Jenkins URL setting
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764370
Bug ID: 1764370
Summary: CVE-2019-10406 jenkins: XSS vulnerability in Jenkins URL setting
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
aos-bugs(a)redhat.com, bmontgom(a)redhat.com,
eparis(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, sponnaga(a)redhat.com,
vbobade(a)redhat.com, wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
Jenkins did not validate or otherwise limit the possible values administrators
could specify as Jenkins root URL. This resulted in a cross-site scripting
vulnerability exploitable by users with Overall/Administer permission.
References:
https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1471
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 7 months
[Bug 1764369] New: CVE-2019-10405 jenkins: Diagnostic web page exposed Cookie HTTP header
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764369
Bug ID: 1764369
Summary: CVE-2019-10405 jenkins: Diagnostic web page exposed Cookie HTTP header
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
aos-bugs(a)redhat.com, bmontgom(a)redhat.com,
eparis(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, sponnaga(a)redhat.com,
vbobade(a)redhat.com, wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
Jenkins shows various technical information about the current user on the
/whoAmI URL. The information shown includes HTTP request headers. This allowed
attackers able to exploit another cross-site scripting vulnerability to obtain
the Cookie header’s value even if the HttpOnly flag would prevent direct access
via JavaScript.
References:
https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505
[Bug 1764367] New: CVE-2019-10404 jenkins: Stored XSS vulnerability in queue item tooltip
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764367
Bug ID: 1764367
Summary: CVE-2019-10404 jenkins: Stored XSS vulnerability in queue item tooltip
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
aos-bugs(a)redhat.com, bmontgom(a)redhat.com,
eparis(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, sponnaga(a)redhat.com,
vbobade(a)redhat.com, wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
Jenkins did not escape the reason a queue item is blocked in tooltips. This
resulted in a cross-site scripting vulnerability exploitable by attackers able
to control the reason a queue item is blocked, for example a label expression
that does not match idle executors.
References:
https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1537%20(2)
[Bug 1764366] New: CVE-2019-10403 jenkins: Stored XSS vulnerability in SCM tag action tooltip
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764366
Bug ID: 1764366
Summary: CVE-2019-10403 jenkins: Stored XSS vulnerability in SCM tag action tooltip
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
aos-bugs(a)redhat.com, bmontgom(a)redhat.com,
eparis(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, sponnaga(a)redhat.com,
vbobade(a)redhat.com, wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
Jenkins did not escape the tag name on the tooltip for tag actions shown in the
build history. This resulted in a cross-site scripting vulnerability
exploitable by attackers able to control the SCM tag name for these actions.
References:
https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1537%20(1)
[Bug 1764363] New: CVE-2019-10402 jenkins: XSS vulnerability in combobox form control
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764363
Bug ID: 1764363
Summary: CVE-2019-10402 jenkins: XSS vulnerability in combobox form control
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
aos-bugs(a)redhat.com, bmontgom(a)redhat.com,
eparis(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, sponnaga(a)redhat.com,
vbobade(a)redhat.com, wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
Jenkins interpreted items added to f:combobox form controls as HTML. This
resulted in a cross-site scripting vulnerability exploitable by attackers able
to control the contents of f:combobox form controls.
References:
https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1525
[Bug 1742075] New: glassfish-fastinfoset-1.2.16 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1742075
Bug ID: 1742075
Summary: glassfish-fastinfoset-1.2.16 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: glassfish-fastinfoset
Keywords: FutureFeature, Triaged
Assignee: ascheel(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: ascheel(a)redhat.com, decathorpe(a)gmail.com,
dmoluguw(a)redhat.com, edewata(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 1.2.16
Current version/release in rawhide: 1.2.13-12.fc31
URL: https://github.com/eclipse-ee4j/jaxb-fi
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/21051/
[Bug 1769162] New: batik-1.12 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1769162
Bug ID: 1769162
Summary: batik-1.12 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: batik
Keywords: FutureFeature, Triaged
Assignee: stewardship-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, c.david86(a)gmail.com,
decathorpe(a)gmail.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, mizdebsk(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 1.12
Current version/release in rawhide: 1.11-2.fc31
URL: https://xmlgraphics.apache.org/batik/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/168/
[Bug 1709770] New: apache-ivy-2.5.0-rc1 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1709770
Bug ID: 1709770
Summary: apache-ivy-2.5.0-rc1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: apache-ivy
Keywords: FutureFeature, Triaged
Assignee: stewardship-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jjelen(a)redhat.com, lkundrak(a)v3.sk,
mizdebsk(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 2.5.0-rc1
Current version/release in rawhide: 2.4.0-16.fc30
URL: http://ant.apache.org/ivy/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/14014/
[Bug 1765857] New: junit-4.13-rc-1 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1765857
Bug ID: 1765857
Summary: junit-4.13-rc-1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: junit
Keywords: FutureFeature, Triaged
Assignee: stewardship-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, decathorpe(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mhroncok(a)redhat.com,
mizdebsk(a)redhat.com, sochotni(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 4.13-rc-1
Current version/release in rawhide: 4.12-12.fc31
URL: https://github.com/junit-team/junit4
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1480/