[Bug 1764752] New: CVE-2019-7619 elasticsearch: Username disclosure in API Key service [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764752
Bug ID: 1764752
Summary: CVE-2019-7619 elasticsearch: Username disclosure in API Key service [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: elasticsearch
Keywords: Security, SecurityTracking
Severity: low
Priority: low
Assignee: bazanluis20(a)gmail.com
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: bazanluis20(a)gmail.com, bobjensen(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, pahan(a)hubbitus.info,
zbyszek(a)in.waw.pl
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1764659] New: CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764659
Bug ID: 1764659
Summary: CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: xml-security
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: extras-orphan(a)fedoraproject.org
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: agrimm(a)gmail.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
[Bug 1764477] New: CVE-2019-10401 CVE-2019-10402 CVE-2019-10403 CVE-2019-10404 CVE-2019-10405 CVE-2019-10406 jenkins: various flaws [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764477
Bug ID: 1764477
Summary: CVE-2019-10401 CVE-2019-10402 CVE-2019-10403 CVE-2019-10404 CVE-2019-10405 CVE-2019-10406 jenkins: various flaws [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: jenkins
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: extras-orphan(a)fedoraproject.org
Reporter: sfowler(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
[Bug 1764390] New: CVE-2019-10431 jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764390
Bug ID: 1764390
Summary: CVE-2019-10431 jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abenaiss(a)redhat.com, bmontgom(a)redhat.com,
eparis(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, sponnaga(a)redhat.com,
vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
Sandbox protection in Script Security Plugin could be circumvented through
default parameter expressions in constructors. This allowed attackers able to
specify and run sandboxed scripts to execute arbitrary code in the context of
the Jenkins master JVM.
References:
https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579
[Bug 1764391] New: CVE-2019-10431 jenkins-script-security-plugin: jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1764391
Bug ID: 1764391
Summary: CVE-2019-10431 jenkins-script-security-plugin: jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: jenkins-script-security-plugin
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: extras-orphan(a)fedoraproject.org
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
[Bug 1758993] New: CVE-2019-16370 gradle: PGP signing plugin security bypass [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1758993
Bug ID: 1758993
Summary: CVE-2019-16370 gradle: PGP signing plugin security bypass [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: gradle
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: jjelen(a)redhat.com
Reporter: darunesh(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dan(a)danieljamesscott.org, decathorpe(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jjelen(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
[Bug 1756389] New: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1756389
Bug ID: 1756389
Summary: CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: gradle
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: jjelen(a)redhat.com
Reporter: gsuckevi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dan(a)danieljamesscott.org, decathorpe(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jjelen(a)redhat.com, lkundrak(a)v3.sk, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
[Bug 1715197] New: CVE-2019-0201 zookeeper: Information disclosure in Apache ZooKeeper
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1715197
Bug ID: 1715197
Summary: CVE-2019-0201 zookeeper: Information disclosure in Apache ZooKeeper
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190520,reported=20190520,source=oss-security,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N,cwe=CWE-732,fedora-all/zookeeper=affected,amq-6/zookeeper=new,jdv-6/zookeeper=new,amq-st/zookeeper=new,bpms-6/zookeeper=new,brms-6/zookeeper=new,fsw-6/zookeeper=new,fuse-6/zookeeper=new,fuse-7/zookeeper=new,vertx-3/zookeeper=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bgeorges(a)redhat.com,
chazlett(a)redhat.com, ctubbsii(a)fedoraproject.org,
drieden(a)redhat.com, etirelli(a)redhat.com,
gvarsami(a)redhat.com, ibek(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jbalunas(a)redhat.com, jcoleman(a)redhat.com,
jochrist(a)redhat.com, jolee(a)redhat.com,
jpallich(a)redhat.com, jschatte(a)redhat.com,
jstastny(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
ldimaggi(a)redhat.com, lpetrovi(a)redhat.com,
lthon(a)redhat.com, mluscon(a)gmail.com,
mnovotny(a)redhat.com, mszynkie(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pgallagh(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, sdaley(a)redhat.com, s(a)shk.io,
tcunning(a)redhat.com, tkirby(a)redhat.com,
trogers(a)redhat.com, tstclair(a)heptio.com,
vhalbert(a)redhat.com
Target Milestone: ---
Classification: Other
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to
3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it
retrieves the ACLs of the requested node, and returns all information contained
in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads
the Id field with the hash value that is used for user authentication. As a
consequence, if Digest Authentication is in use, the unsalted hash value will
be disclosed by a getACL() request to unauthenticated or unprivileged users.
References:
http://www.securityfocus.com/bid/108427
https://issues.apache.org/jira/browse/ZOOKEEPER-1392
https://zookeeper.apache.org/security.html#CVE-2019-0201
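The following is an added example, not code from the Bugzilla report or from the ZooKeeper project. It shows why the Id field is credential material (the digest scheme stores user:base64(SHA-1("user:password")) with no salt, which is what DigestAuthenticationProvider.generateDigest produces and what getACL() returns verbatim) and gives a small audit that walks ACL listings, as a client's getACL() calls would return them, and reports which znodes carry digest-scheme Ids that an unpatched server exposes. The znode paths, ACL tuples and credentials are constructed sample data; the (perms, scheme, id) tuple layout is an assumption about how a client library presents an ACL entry.

```python
"""Audit ZooKeeper ACL listings for digest-scheme Ids exposed by CVE-2019-0201.

Added example, not part of the bug report or ZooKeeper's own code.
"""
import base64
import hashlib
from typing import Dict, List, Tuple

# ZooKeeper Perms bit values (READ=1, WRITE=2, CREATE=4, DELETE=8, ADMIN=16).
PERM_ALL = 31

# An ACL entry as a client presents it: (perms bitmask, scheme, id).
# This tuple layout is an assumption for the example.
ACL = Tuple[int, str, str]


def digest_acl_id(user: str, password: str) -> str:
    """Build the Id the digest scheme stores: user:base64(SHA-1("user:password")).

    There is no salt and no iteration, so disclosing this Id discloses a value
    that can be checked offline against password guesses. This mirrors what
    DigestAuthenticationProvider.generateDigest does on the server side.
    """
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def exposed_digest_ids(acls_by_path: Dict[str, List[ACL]]) -> List[Tuple[str, str]]:
    """Return (znode path, user) pairs whose ACL carries a digest-scheme Id.

    On an affected server every such Id (user plus unsalted hash) is readable
    by any client that can issue getACL(), because the call performs no
    permission check. These are the credentials to rotate once the ensemble is
    upgraded to a fixed release.
    """
    findings: List[Tuple[str, str]] = []
    for path, acls in acls_by_path.items():
        for _perms, scheme, ident in acls:
            if scheme == "digest":
                user = ident.split(":", 1)[0]
                findings.append((path, user))
    return findings


# Constructed sample listing standing in for getACL() results from a cluster.
SAMPLE_ACLS: Dict[str, List[ACL]] = {
    "/app/config": [(PERM_ALL, "digest", digest_acl_id("svc", "hunter2"))],
    "/app/public": [(1, "world", "anyone")],
    "/app/admin": [
        (PERM_ALL, "digest", digest_acl_id("ops", "correct horse")),
        (1, "ip", "10.0.0.0/8"),
    ],
}


if __name__ == "__main__":
    for path, user in exposed_digest_ids(SAMPLE_ACLS):
        print(f"{path}: digest Id for user '{user}' is readable via getACL()")
```

Run it against a listing assembled from your own client's getACL() output; any digest Id it reports should be treated as disclosed and rotated after the upgrade, and the Id's shape (user, colon, 28 base64 characters of SHA-1) is why the advisory calls it an unsalted hash rather than an opaque token.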
[Bug 1715199] New: CVE-2019-0201 zookeeper: Information disclosure in Apache ZooKeeper [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1715199
Bug ID: 1715199
Summary: CVE-2019-0201 zookeeper: Information disclosure in Apache ZooKeeper [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: zookeeper
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: tstclair(a)heptio.com
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: ctubbsii(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
mluscon(a)gmail.com, s(a)shk.io, tstclair(a)heptio.com
Target Milestone: ---
Classification: Fedora
[Bug 1747240] New: CVE-2019-7614 elasticsearch: Race condition in response headers on systems with multiple submitting requests
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1747240
Bug ID: 1747240
Summary: CVE-2019-7614 elasticsearch: Race condition in response headers on systems with multiple submitting requests
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: ahardin(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
bazanluis20(a)gmail.com, bleanhar(a)redhat.com,
bobjensen(a)gmail.com, ccoleman(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
dedgar(a)redhat.com, drieden(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
ggaughan(a)redhat.com, ibek(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jschluet(a)redhat.com, jvanek(a)redhat.com,
kbasil(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lpetrovi(a)redhat.com, mburns(a)redhat.com,
mchappel(a)redhat.com, mmagr(a)redhat.com,
mnovotny(a)redhat.com, pahan(a)hubbitus.info,
paradhya(a)redhat.com, rrajasek(a)redhat.com,
rsynek(a)redhat.com, sclewis(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
zbyszek(a)in.waw.pl
Target Milestone: ---
Classification: Other
A race condition flaw was found in the response headers that Elasticsearch
versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple
users submitting requests, it could be possible for an attacker to gain access
to a response header containing sensitive data from another user.
References:
https://www.elastic.co/pt/community/security/