[Bug 1696012] New: CVE-2019-0222 activemq: Corrupt MQTT frame can cause broker shutdown
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1696012
Bug ID: 1696012
Summary: CVE-2019-0222 activemq: Corrupt MQTT frame can cause broker shutdown
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190327,reported=20190327,source=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,fedora-all/activemq=affected,jbds-11/activemq=new,amq-6/activemq=new,jdg-7/activemq-artemis=new,eap-7/activemq-artemis=new,fsw-6/activemq=new,fuse-6/activemq=new,rhdm-7/activemq-artemis=new,fuse-7/activemq=new,rhpam-7/activemq-artemis=new,rhev-m-4/eap7-activemq-artemis=new,rhsso-7/activemq-artemis=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: agrimm(a)gmail.com, aileenc(a)redhat.com,
alazarot(a)redhat.com, anstephe(a)redhat.com,
bmaxwell(a)redhat.com, bmcclain(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dblechte(a)redhat.com, dfediuck(a)redhat.com,
dimitris(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, eedri(a)redhat.com,
etirelli(a)redhat.com, gvarsami(a)redhat.com,
ibek(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jcoleman(a)redhat.com,
jshepherd(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
ldimaggi(a)redhat.com, lgao(a)redhat.com,
lpetrovi(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, myarboro(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pdrozd(a)redhat.com, pgier(a)redhat.com,
psakar(a)redhat.com, pslavice(a)redhat.com,
psotirop(a)redhat.com, puntogil(a)libero.it,
rnetuka(a)redhat.com, rrajasek(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, rzhang(a)redhat.com,
sbonazzo(a)redhat.com, sdaley(a)redhat.com,
sherold(a)redhat.com, s(a)shk.io, sthorger(a)redhat.com,
tcunning(a)redhat.com, tdawson(a)redhat.com,
tkirby(a)redhat.com, twalsh(a)redhat.com,
vtunka(a)redhat.com
Target Milestone: ---
Classification: Other
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling a corrupt MQTT frame can lead to
a broker Out of Memory exception, making the broker unresponsive.
References:
http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announc...
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years
[Bug 1705993] New: CVE-2019-10247 jetty: error path information disclosure
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1705993
Bug ID: 1705993
Summary: CVE-2019-10247 jetty: error path information disclosure
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190418,reported=20190423,source=cve,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,fedora-all/jetty=affected,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/jetty=new,rhscl-3/rh-java-common-jetty=new,rhel-6/jetty-eclipse=new,rhel-7/jetty=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: aileenc(a)redhat.com, bkearney(a)redhat.com,
chazlett(a)redhat.com, decathorpe(a)gmail.com,
eclipse-sig(a)lists.fedoraproject.org,
ggainey(a)redhat.com, hhorak(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jorton(a)redhat.com, krzysztof.daniel(a)gmail.com,
mizdebsk(a)redhat.com, sochotni(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
tlestach(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and
9.4.16 and older, the server (on any OS and Jetty version combination) reveals
the configured fully qualified directory base resource location in the output
of the 404 error returned when no Context matches the requested path. The
default server behaviour on jetty-distribution and jetty-home includes a
DefaultHandler at the end of the Handler tree; this handler is responsible for
reporting the 404 error and presents the various configured contexts as HTML
for users to click through. The generated HTML contains the configured fully
qualified directory base resource location for each context.
Reference:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577
4 years
[Bug 1705924] New: CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1705924
Bug ID: 1705924
Summary: CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190422,reported=20190423,source=cve,cvss3=4.7/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N,cwe=CWE-79,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty=new,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/jetty=new,rhscl-3/rh-java-common-jetty=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: aileenc(a)redhat.com, bkearney(a)redhat.com,
chazlett(a)redhat.com, decathorpe(a)gmail.com,
eclipse-sig(a)lists.fedoraproject.org,
ggainey(a)redhat.com, hhorak(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jorton(a)redhat.com, krzysztof.daniel(a)gmail.com,
mizdebsk(a)redhat.com, sochotni(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
tlestach(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty versions 9.2.26 and older, 9.3.25 and older, and 9.4.15 and
older, the server is vulnerable to XSS conditions if a remote client uses a
specially formatted URL against a DefaultServlet or ResourceHandler that is
configured to show a listing of directory contents.
External References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
4 years
[Bug 1742728] New: jboss-marshalling-2.0.8.Final is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1742728
Bug ID: 1742728
Summary: jboss-marshalling-2.0.8.Final is available
Product: Fedora
Version: rawhide
Status: NEW
Component: jboss-marshalling
Keywords: FutureFeature, Triaged
Assignee: decathorpe(a)gmail.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, puntogil(a)libero.it,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 2.0.8.Final
Current version/release in rawhide: 1.4.11-7.fc31
URL: https://jbossmarshalling.jboss.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/20665/
4 years
[Bug 1791766] New: CVE-2019-17570 xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1791766
Bug ID: 1791766
Summary: CVE-2019-17570 xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response [fedora-all]
Product: Fedora
Version: 31
Status: NEW
Component: xmlrpc
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: extras-orphan(a)fedoraproject.org
Reporter: msiddiqu(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, decathorpe(a)gmail.com,
extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
puntogil(a)libero.it, sochotni(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
4 years
[Bug 1741311] New: classpath predefined
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1741311
Bug ID: 1741311
Summary: classpath predefined
Product: Fedora EPEL
Version: epel7
Hardware: x86_64
OS: Linux
Status: NEW
Component: tomcat
Assignee: ivan.afonichev(a)gmail.com
Reporter: ssoto(a)blazent.com
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com, coolsvap(a)gmail.com,
csutherl(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com
Target Milestone: ---
Classification: Fedora
Description of problem:
Inside /usr/libexec/tomcat/preamble the following is found:
CLASSPATH="${CLASSPATH}${CATALINA_HOME}/bin/bootstrap.jar"
CLASSPATH="${CLASSPATH}:${CATALINA_HOME}/bin/tomcat-juli.jar"
CLASSPATH="${CLASSPATH}:$(build-classpath commons-daemon 2>/dev/null)"
By coding the tomcat-juli.jar path to CATALINA_HOME instead of CATALINA_BASE
(which will default to CATALINA_HOME if not defined), you prevent the use of
other types of logging, specifically log4j for Tomcat, when multiple
CATALINA_BASEs are set.
From the Tomcat documentation:
If you are running Tomcat with separate $CATALINA_HOME and $CATALINA_BASE and
want to configure to use log4j in a single $CATALINA_BASE only:
Create $CATALINA_BASE/bin and $CATALINA_BASE/lib directories if they do not
exist.
Put log4j.jar and tomcat-juli-adapters.jar from "extras" into
$CATALINA_BASE/lib
Put tomcat-juli.jar from "extras" as $CATALINA_BASE/bin/tomcat-juli.jar
https://tomcat.apache.org/tomcat-8.0-doc/logging.html
https://tomcat.apache.org/tomcat-7.0-doc/logging.html
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Install tomcat
2. Set a base in /var/lib/tomcats/
3. Create a unit file for the new base
4. Start tomcat and view the output
Actual results:
Expected results:
Additional info:
4 years
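An added example illustrating the fix the report above asks for (this is not the Fedora preamble and not the reporter's code): resolve tomcat-juli.jar from $CATALINA_BASE/bin first and fall back to $CATALINA_HOME/bin, so that a per-instance log4j setup as described in the Tomcat logging docs is picked up. The helper names are hypothetical, and the optional third argument stands in for the preamble's $(build-classpath commons-daemon) so the script runs offline.

```shell
#!/bin/sh
# Added example, not the real /usr/libexec/tomcat/preamble. Builds the Tomcat
# bootstrap CLASSPATH so an instance-specific tomcat-juli.jar under
# $CATALINA_BASE/bin wins over the shared copy under $CATALINA_HOME/bin.

# Resolve tomcat-juli.jar: instance copy first, shared copy as fallback.
# CATALINA_BASE defaults to CATALINA_HOME when it is not given.
resolve_juli_jar() {
    home="$1"
    base="${2:-$1}"
    if [ -f "$base/bin/tomcat-juli.jar" ]; then
        printf '%s\n' "$base/bin/tomcat-juli.jar"
    else
        printf '%s\n' "$home/bin/tomcat-juli.jar"
    fi
}

# Assemble the same three entries the preamble builds, with the juli jar
# resolved per instance. $3 is a hypothetical stand-in for the commons-daemon
# jar that the preamble would obtain from build-classpath.
build_classpath() {
    home="$1"
    base="${2:-$1}"
    juli=$(resolve_juli_jar "$home" "$base")
    cp="$home/bin/bootstrap.jar:$juli"
    if [ -n "$3" ]; then
        cp="$cp:$3"
    fi
    printf '%s\n' "$cp"
}

# Constructed demo layout in a temp dir: one shared home, one instance that
# ships its own tomcat-juli.jar (the log4j case) and one that does not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/bin" "$tmp/base-log4j/bin" "$tmp/base-plain/bin"
    : > "$tmp/home/bin/bootstrap.jar"
    : > "$tmp/home/bin/tomcat-juli.jar"
    : > "$tmp/base-log4j/bin/tomcat-juli.jar"
    build_classpath "$tmp/home" "$tmp/base-log4j"   # uses base-log4j's juli jar
    build_classpath "$tmp/home" "$tmp/base-plain"   # falls back to home's juli jar
    rm -rf "$tmp"
}
```

Run `demo` to see both resolutions printed; the second instance shows the fallback to the shared jar that the current preamble always uses.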
[Bug 1806319] New: pdfbox-2.0.19 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1806319
Bug ID: 1806319
Summary: pdfbox-2.0.19 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: pdfbox
Keywords: FutureFeature, Triaged
Assignee: sergio(a)serjux.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it, sergio(a)serjux.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 2.0.19
Current version/release in rawhide: 2.0.18-2.fc32
URL: http://pdfbox.apache.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/9648/
4 years
[Bug 1806805] New: CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1806805
Bug ID: 1806805
Summary: CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability [fedora-all]
Product: Fedora
Version: 31
Status: NEW
Component: tomcat
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: ivan.afonichev(a)gmail.com
Reporter: dmoppert(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com, coolsvap(a)gmail.com,
csutherl(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
4 years
[Bug 1801729] New: tomcat-9.0.31 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1801729
Bug ID: 1801729
Summary: tomcat-9.0.31 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: tomcat
Keywords: FutureFeature, Triaged
Assignee: ivan.afonichev(a)gmail.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com, coolsvap(a)gmail.com,
csutherl(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 9.0.31
Current version/release in rawhide: 9.0.30-2.fc32
URL: http://tomcat.apache.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/17032/
4 years