[Bug 1713215] New: CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1713215
Bug ID: 1713215
Summary: CVE-2016-10750 hazelcast: java deserialization in join
cluster procedure leading to remote code execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20160426,reported=20190522,sou
rce=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H
/I:H/A:H,cwe=CWE-502,fedora-all/hazelcast=affected,fus
e-6/hazelcast=new,fuse-7/hazelcast=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: aileenc(a)redhat.com, chazlett(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jochrist(a)redhat.com, puntogil(a)libero.it
Target Milestone: ---
Classification: Other
In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote
code execution via Java deserialization.
Upstream issue:
https://github.com/hazelcast/hazelcast/issues/8024
Upstream pull:
https://github.com/hazelcast/hazelcast/pull/12230
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month
[Bug 1701056] New: CVE-2019-0232 tomcat: Remote Code Execution on Windows
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1701056
Bug ID: 1701056
Summary: CVE-2019-0232 tomcat: Remote Code Execution on Windows
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190410,reported=20190416,sou
rce=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N
/I:N/A:H,cwe=CWE-20,fedora-all/tomcat=notaffected,rhsc
l-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=no
taffected,brms-6/tomcat=notaffected,epel-all/tomcat=no
taffected,brms-5/jbossweb=notaffected,eap-6/jbossweb=n
otaffected,eap-5/jbossweb=notaffected,jdg-6/jbossweb=n
otaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=not
affected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaf
fected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=nota
ffected,springboot-1/tomcat=notaffected,jbews-2/tomcat
6=new,jws-3/tomcat7=new,rhel-7/tomcat=notaffected,jbew
s-2/tomcat7=new,jws-3/tomcat8=new,rhel-6/tomcat6=notaf
fected,jon-3/jbossweb=notaffected,jws-5/tomcat=new,rhe
l-8/pki-deps:10.6/pki-servlet-container=notaffected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, anstephe(a)redhat.com,
avibelli(a)redhat.com, bgeorges(a)redhat.com,
bmaxwell(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmoulliard(a)redhat.com,
coolsvap(a)gmail.com, csutherl(a)redhat.com,
darran.lofthouse(a)redhat.com, dimitris(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
etirelli(a)redhat.com, fgavrilo(a)redhat.com,
gvarsami(a)redhat.com, gzaronik(a)redhat.com,
hhorak(a)redhat.com, ibek(a)redhat.com,
ikanello(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jclere(a)redhat.com, jcoleman(a)redhat.com,
jdoyle(a)redhat.com, jochrist(a)redhat.com,
jolee(a)redhat.com, jondruse(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jschatte(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
lgao(a)redhat.com, loleary(a)redhat.com,
lpetrovi(a)redhat.com, lthon(a)redhat.com,
mbabacek(a)redhat.com, mizdebsk(a)redhat.com,
mszynkie(a)redhat.com, myarboro(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pgallagh(a)redhat.com, pgier(a)redhat.com,
pjurak(a)redhat.com, ppalaga(a)redhat.com,
psakar(a)redhat.com, pslavice(a)redhat.com,
rhcs-maint(a)redhat.com, rnetuka(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rstancel(a)redhat.com, rsvoboda(a)redhat.com,
rsynek(a)redhat.com, rwagner(a)redhat.com,
rzhang(a)redhat.com, sdaley(a)redhat.com,
spinder(a)redhat.com, tcunning(a)redhat.com,
theute(a)redhat.com, tkirby(a)redhat.com,
trogers(a)redhat.com, twalsh(a)redhat.com,
vhalbert(a)redhat.com, vtunka(a)redhat.com,
weli(a)redhat.com
Blocks: 1700240
Target Milestone: ---
Classification: Other
Blocks: 1700240
A vulnerability was found in in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to
8.5.39 and 7.0.0 to 7.0.93. When running on Windows with enableCmdLineArguments
enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in
the way the JRE passes command line arguments to Windows. The CGI Servlet is
disabled by default. The CGI option enableCmdLineArguments is disable by
default in Tomcat 9.0.x (and will be disabled by default in all versions in
response to this vulnerability).
References:
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
Upstream Patch:
https://github.com/apache/tomcat/commit/7f0221b
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month
[Bug 1698508] New: CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts.
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1698508
Bug ID: 1698508
Summary: CVE-2019-11065 gradle: Insecure HTTP URL used to
download dependencies leading to possibly maliciously
compromised artifacts.
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190409,reported=20190410,sou
rce=internet,cvss3=8.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:
U/C:H/I:H/A:N,cwe=CWE-345,fedora-28/gradle=affected,fe
dora-29/gradle=affected,epel-6/gradle=affected,jbews-3
/gradle=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: csutherl(a)redhat.com, dan(a)danieljamesscott.org,
gzaronik(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jjelen(a)redhat.com, lgao(a)redhat.com,
lkundrak(a)v3.sk, mbabacek(a)redhat.com,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
myarboro(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
twalsh(a)redhat.com, weli(a)redhat.com
Target Milestone: ---
Classification: Other
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download
dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are
used. Dependency artifacts could have been maliciously compromised by a MITM
attack against the ajax.googleapis.com web site.
External Referencies:
https://nvd.nist.gov/vuln/detail/CVE-2019-11065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065
Upstream Repository:
https://github.com/gradle/gradle/pull/8927
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month
[Bug 1696034] New: CVE-2019-7611 elasticsearch: Improper permission issue when attaching a new name to an index
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1696034
Bug ID: 1696034
Summary: CVE-2019-7611 elasticsearch: Improper permission issue
when attaching a new name to an index
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190219,reported=20190219,sour
ce=cve,cvss3=6.8/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/
I:H/A:N,cwe=CWE-285,openshift-enterprise-3.11/elastics
earch=new,openshift-enterprise-3.10/elasticsearch=new,
openshift-enterprise-3.9/elasticsearch=new,openshift-e
nterprise-3.7/elasticsearch=new,openshift-enterprise-3
.6/elasticsearch=new,openshift-enterprise-3.1/elastics
earch=new,openshift-enterprise-3.0/elasticsearch=new,o
penstack-8-optools/elasticsearch=new,openshift-enterpr
ise-3.5/elasticsearch=new,openshift-enterprise-3.4/ela
sticsearch=new,openshift-enterprise-3.3/elasticsearch=
new,openshift-enterprise-3.2/elasticsearch=new,opensta
ck-9-optools/elasticsearch=new,fedora-all/elasticsearc
h=affected,sam-1/elasticsearch=new,fuse-7/elasticsearc
h=new,rhdm-7/elasticsearch=new,fuse-6/elasticsearch=ne
w,rhpam-7/elasticsearch=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: ahardin(a)redhat.com, alazarot(a)redhat.com,
anstephe(a)redhat.com, bkearney(a)redhat.com,
bleanhar(a)redhat.com, bobjensen(a)gmail.com,
cbillett(a)redhat.com, ccoleman(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
dedgar(a)redhat.com, emmanuel(a)seyman.fr,
eparis(a)redhat.com, etirelli(a)redhat.com,
ibek(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jjoyce(a)redhat.com,
jokerman(a)redhat.com, jschluet(a)redhat.com,
jvanek(a)redhat.com, kbasil(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
lhh(a)redhat.com, lpeer(a)redhat.com, lpetrovi(a)redhat.com,
mburns(a)redhat.com, mchappel(a)redhat.com,
mmagr(a)redhat.com, pahan(a)hubbitus.info,
paradhya(a)redhat.com, rrajasek(a)redhat.com,
rsynek(a)redhat.com, rzhang(a)redhat.com,
sclewis(a)redhat.com, sdaley(a)redhat.com,
slinaber(a)redhat.com, tomckay(a)redhat.com,
zbyszek(a)in.waw.pl
Target Milestone: ---
Classification: Other
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1
when Field Level Security and Document Level Security are disabled and the
_aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file
has xpack.security.dls_fls.enabled set to false, certain permission checks are
skipped when users perform one of the actions mentioned above, to make existing
data available under a new index/alias name. This could result in an attacker
gaining additional permissions against a restricted index.
References:
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-upda...
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month
[Bug 1796685] New: maven-parent-34 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1796685
Bug ID: 1796685
Summary: maven-parent-34 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: maven-parent
Keywords: FutureFeature, Triaged
Assignee: stewardship-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 34
Current version/release in rawhide: 33-2.fc31
URL: https://maven.apache.org/pom/maven/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/20380/
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month
[Bug 1713275] New: CVE-2019-0221 tomcat: XSS in SSI printenv
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1713275
Bug ID: 1713275
Summary: CVE-2019-0221 tomcat: XSS in SSI printenv
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190413,reported=20190523,sour
ce=customer,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U
/C:L/I:L/A:L,epel-all/tomcat=affected,fedora-all/tomca
t=affected,eap-5/jbossweb=affected,eap-6/jbossweb=affe
cted,jdg-6/jbossweb=affected,jdg-7/tomcat=affected,jon
-3/jbossweb=affected,rhel-6/tomcat6=new,rhel-7/tomcat=
new,rhel-8/pki-deps:10.6/pki-servlet-container=new,bpm
s-6/tomcat=affected,brms-5/jbossweb=affected,brms-6/to
mcat=affected,jdv-6/jbossweb=affected,fuse-6/tomcat=af
fected,fuse-7/tomcat=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, alee(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
bmaxwell(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, coolsvap(a)gmail.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
etirelli(a)redhat.com, fgavrilo(a)redhat.com,
ibek(a)redhat.com, ivan.afonichev(a)gmail.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jkurik(a)redhat.com,
jochrist(a)redhat.com, jolee(a)redhat.com,
jondruse(a)redhat.com, jschatte(a)redhat.com,
jstastny(a)redhat.com, krathod(a)redhat.com,
krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com,
lgao(a)redhat.com, loleary(a)redhat.com,
lpetrovi(a)redhat.com, mnovotny(a)redhat.com,
paradhya(a)redhat.com, pgier(a)redhat.com,
pjurak(a)redhat.com, ppalaga(a)redhat.com,
psakar(a)redhat.com, pslavice(a)redhat.com,
rhcs-maint(a)redhat.com, rnetuka(a)redhat.com,
rrajasek(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sdaley(a)redhat.com, spinder(a)redhat.com,
theute(a)redhat.com, tom.jenkinson(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com,
vtunka(a)redhat.com
Target Milestone: ---
Classification: Other
The SSI printenv command echoes user provided data without escaping and is,
therefore, vulnerable to XSS. SSI is disabled by default. The printenv command
is intended for debugging and is unlikely to be present in a production
website.
Reference:
http://tomcat.apache.org/security-9.html
Upstream commit:
https://github.com/apache/tomcat/commit/15fcd16
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month
[Bug 1800880] New: apache-commons-compress-1.20 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1800880
Bug ID: 1800880
Summary: apache-commons-compress-1.20 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: apache-commons-compress
Keywords: FutureFeature, Triaged
Assignee: stewardship-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jjelen(a)redhat.com, mizdebsk(a)redhat.com,
mkoncek(a)redhat.com, SpikeFedora(a)gmail.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 1.20
Current version/release in rawhide: 1.19-2.fc32
URL: http://commons.apache.org/proper/commons-compress/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/62/
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month
[Bug 1785864] New: felix-utils-1.11.4 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1785864
Bug ID: 1785864
Summary: felix-utils-1.11.4 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: felix-utils
Keywords: FutureFeature, Triaged
Assignee: stewardship-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com, jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, mizdebsk(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 1.11.4
Current version/release in rawhide: 1.11.2-1.fc32
URL: http://www.apache.org/dist/felix/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/799/
--
You are receiving this mail because:
You are on the CC list for the bug.
4 years, 1 month