[Bug 1732715] New: CVE-2019-14248 nasm: NULL pointer dereference in asm/pragma.c leading to Segmentation fault [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1732715
Bug ID: 1732715
Summary: CVE-2019-14248 nasm: NULL pointer dereference in asm/pragma.c leading to Segmentation fault [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: nasm
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: i.gnatenko.brain(a)gmail.com
Reporter: mrehak(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dominik(a)greysector.net, fdc(a)fcami.net,
i.gnatenko.brain(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, pbonzini(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 11 months
[Bug 1730878] New: CVE-2019-10353 jenkins: CSRF protection tokens did not expire (SECURITY-626) [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1730878
Bug ID: 1730878
Summary: CVE-2019-10353 jenkins: CSRF protection tokens did not expire (SECURITY-626) [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: jenkins
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: msrb(a)redhat.com
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
3 years, 11 months
[Bug 1730877] New: CVE-2019-10353 jenkins: CSRF protection tokens did not expire (SECURITY-626)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1730877
Bug ID: 1730877
Summary: CVE-2019-10353 jenkins: CSRF protection tokens did not expire (SECURITY-626)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190717,reported=20190717,source=internet,cvss3=7.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L,cwe=CWE-352,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-4.1/jenkins=new,fedora-all/jenkins=affected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, eparis(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins versions weekly before 2.186 and LTS
before 2.176.2. By default, CSRF tokens in Jenkins only checked user
authentication and IP address. This allowed attackers able to obtain a CSRF
token for another user to implement CSRF attacks as long as the victim’s IP
address remained unchanged.
3 years, 11 months
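The advisory above describes tokens that are bound only to the authenticated user and the client IP, so nothing in the token ever ages out. The following is an added illustration (not Jenkins's own CSRF implementation, which is Java) of the difference between that scheme and a token that carries its issue time and is rejected after a maximum age. The secret, the user and IP values, and the one-hour `MAX_TOKEN_AGE` policy are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for this example only; a real server loads it from
# protected configuration and rotates it.
SERVER_SECRET = b"example-only-secret-key"
MAX_TOKEN_AGE = 3600  # seconds a token stays valid (hypothetical policy value)


def _mac(payload: str) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(SERVER_SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_token_legacy(user: str, client_ip: str) -> str:
    """Token bound only to (user, IP): it stays valid as long as both stay the same."""
    return _mac(f"{user}|{client_ip}")


def verify_token_legacy(token: str, user: str, client_ip: str) -> bool:
    # No notion of age: the same token verifies at any point in the future.
    return hmac.compare_digest(token, _mac(f"{user}|{client_ip}"))


def issue_token(user: str, client_ip: str, now: Optional[float] = None) -> str:
    """Token that carries its issue time, so verification can enforce a maximum age."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{client_ip}|{issued}"
    return f"{issued}.{_mac(payload)}"


def verify_token(token: str, user: str, client_ip: str,
                 now: Optional[float] = None, max_age: int = MAX_TOKEN_AGE) -> bool:
    """Accept the token only if its MAC is valid and it is at most max_age old."""
    try:
        issued_text, mac = token.split(".", 1)
        issued = int(issued_text)
    except ValueError:
        return False  # malformed token
    current = int(time.time() if now is None else now)
    # Reject tokens dated in the future and tokens older than the policy allows.
    if issued > current or current - issued > max_age:
        return False
    # The timestamp is covered by the MAC, so it cannot be edited to extend the lifetime.
    return hmac.compare_digest(mac, _mac(f"{user}|{client_ip}|{issued}"))
```

`now` is a parameter only so the behaviour can be exercised at fixed times; in service code it is left at `None` and the wall clock is used.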
[Bug 1730869] New: CVE-2019-10354 jenkins: Unauthorized view fragment access (SECURITY-534)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1730869
Bug ID: 1730869
Summary: CVE-2019-10354 jenkins: Unauthorized view fragment access (SECURITY-534)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190717,reported=20190717,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-4.1/jenkins=new,fedora-all/jenkins=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, eparis(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins versions weekly before 2.186 and LTS
before 2.176.2. Jenkins uses the Stapler web framework to render its UI views.
These views are frequently comprised of several view fragments, enabling
plugins to extend existing views with more content. In some cases attackers
could directly access a view fragment containing sensitive information,
bypassing any permission checks in the corresponding view.
3 years, 11 months
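The advisory above turns on a fragment being reachable by its own URL while only the composite view enforced a permission check. The example below is added here and is not Jenkins or Stapler code: a tiny route table stands in for a framework that exposes both a page and each fragment it includes. The `JOB` record, the route paths and the `READER`/`CONFIGURER` users are constructed; the `Job/Configure` permission name is taken from the advisories on this page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


class Forbidden(Exception):
    """Raised when the user lacks the permission a view or fragment requires."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str]


# Constructed job record; the credential id stands in for any sensitive field a view shows.
JOB = {"name": "build-and-deploy", "deploy_credential_id": "cred-0042"}


def require(user: User, permission: str) -> None:
    if permission not in user.permissions:
        raise Forbidden(f"{user.name} lacks {permission}")


# --- Vulnerable layout: only the composite page checks the permission. ---

def credentials_fragment_unchecked(user: User, job: dict) -> str:
    # Trusts that whoever rendered it already checked Job/Configure.
    return f"<div class='creds'>{job['deploy_credential_id']}</div>"


def job_page_unchecked(user: User, job: dict) -> str:
    require(user, "Job/Configure")
    return f"<h1>{job['name']}</h1>" + credentials_fragment_unchecked(user, job)


# --- Hardened layout: the fragment enforces the permission itself, so it is
# safe no matter which route renders it. ---

def credentials_fragment(user: User, job: dict) -> str:
    require(user, "Job/Configure")
    return f"<div class='creds'>{job['deploy_credential_id']}</div>"


def job_page(user: User, job: dict) -> str:
    require(user, "Job/Configure")
    return f"<h1>{job['name']}</h1>" + credentials_fragment(user, job)


# Minimal URL-to-handler table standing in for a framework that exposes both
# the full page and every fragment it is composed of as separate routes.
ROUTES: Dict[str, Callable[[User, dict], str]] = {
    "/job/page-unchecked": job_page_unchecked,
    "/job/page-unchecked/credentials": credentials_fragment_unchecked,
    "/job/page": job_page,
    "/job/page/credentials": credentials_fragment,
}


def render(path: str, user: User) -> str:
    """Dispatch a request path to its handler, as the framework's router would."""
    return ROUTES[path](user, JOB)


def can_render(path: str, user: User) -> bool:
    """True if the user gets content back, False if the permission check stops it."""
    try:
        render(path, user)
        return True
    except Forbidden:
        return False


READER = User("reader", frozenset({"Job/Read"}))
CONFIGURER = User("admin", frozenset({"Job/Read", "Job/Configure"}))
```

The point to check in a review is the second route: a user with only `Job/Read` is stopped at `/job/page-unchecked` but receives the fragment at `/job/page-unchecked/credentials`, whereas the hardened fragment refuses regardless of how it was reached.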
[Bug 1730876] New: CVE-2019-10354 jenkins: Unauthorized view fragment access (SECURITY-534) [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1730876
Bug ID: 1730876
Summary: CVE-2019-10354 jenkins: Unauthorized view fragment access (SECURITY-534) [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: jenkins
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: msrb(a)redhat.com
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
3 years, 11 months
[Bug 1730824] New: CVE-2019-10352 jenkins: Arbitrary file write vulnerability using file parameter definitions (SECURITY-1424)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1730824
Bug ID: 1730824
Summary: CVE-2019-10352 jenkins: Arbitrary file write vulnerability using file parameter definitions (SECURITY-1424)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190717,reported=20190717,source=internet,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N,cwe=CWE-22,openshift-enterprise-3.6/jenkins=new,openshift-enterprise-3.7/jenkins=new,openshift-enterprise-3.9/jenkins=new,openshift-enterprise-3.10/jenkins=new,openshift-enterprise-3.11/jenkins=new,openshift-enterprise-4.1/jenkins=new,fedora-all/jenkins=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com,
ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, eparis(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins versions weekly before 2.186 and LTS
before 2.176.2. Users with Job/Configure permission could specify a relative
path escaping the base directory in the file name portion of a file parameter
definition. This path would be used to store the uploaded file on the Jenkins
master, resulting in an arbitrary file write vulnerability. This vulnerability
is the result of an incomplete fix for SECURITY-1074. File parameters that
escape the base directory are no longer accepted and the build will fail.
3 years, 11 months
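The fix described above is that file names escaping the base directory are rejected and the build fails. The following is an added example of that containment check (not the Jenkins implementation, which is Java): a lexical pass that rejects absolute paths and any `..` component that survives normalization, followed by a `realpath`-based check that the resolved destination still lies under the base. The base directory `/tmp/jenkins-example` and the sample names are constructed.

```python
import os
import posixpath


class UnsafeFileName(ValueError):
    """The submitted file name would resolve outside the upload base directory."""


def normalize_file_name(file_name: str) -> str:
    """Lexically validate a file-parameter name and return its normalized relative form.

    Raises UnsafeFileName for empty names, absolute paths, and paths that still
    contain a leading '..' component after normalization (i.e. that climb above
    the base directory).
    """
    # Treat backslashes as separators so Windows-style input cannot hide a traversal.
    candidate = file_name.replace("\\", "/")
    if candidate.strip() == "":
        raise UnsafeFileName("empty file name")
    if posixpath.isabs(candidate):
        raise UnsafeFileName(f"absolute path not allowed: {file_name!r}")
    normalized = posixpath.normpath(candidate)
    # normpath collapses '.' and interior '..'; any '..' left over is a leading
    # component that escapes. A name such as '..hidden' is an ordinary file name.
    if normalized == "." or normalized.split("/")[0] == "..":
        raise UnsafeFileName(f"escapes base directory: {file_name!r}")
    return normalized


def resolve_upload_path(base_dir: str, file_name: str) -> str:
    """Return the absolute destination for file_name under base_dir, or raise."""
    relative = normalize_file_name(file_name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *relative.split("/")))
    # realpath follows symlinks, so this second check also catches a symlinked
    # subdirectory that points outside the base (only when it already exists on disk).
    if os.path.commonpath([base, target]) != base:
        raise UnsafeFileName(f"resolves outside base directory: {file_name!r}")
    return target


def is_safe_file_name(base_dir: str, file_name: str) -> bool:
    """Convenience wrapper: True if the name is accepted, False if it is rejected."""
    try:
        resolve_upload_path(base_dir, file_name)
        return True
    except UnsafeFileName:
        return False
```

A caller that stores an upload should use the path returned by `resolve_upload_path` rather than re-joining the raw name, so the validated and the written path are guaranteed to be the same string.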
[Bug 1730827] New: CVE-2019-10352 jenkins: Arbitrary file write vulnerability using file parameter definitions (SECURITY-1424) [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1730827
Bug ID: 1730827
Summary: CVE-2019-10352 jenkins: Arbitrary file write vulnerability using file parameter definitions (SECURITY-1424) [fedora-all]
Product: Fedora
Version: 30
Status: NEW
Component: jenkins
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: msrb(a)redhat.com
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
3 years, 11 months
[Bug 1701735] New: Jenkins fails to start due to a systemd-incompatible script being used
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1701735
Bug ID: 1701735
Summary: Jenkins fails to start due to a systemd-incompatible script being used
Product: Fedora
Version: 30
Hardware: x86_64
OS: Linux
Status: NEW
Component: jenkins
Severity: high
Assignee: msrb(a)redhat.com
Reporter: rh.bugzilla(a)vadim.ws
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
Jenkins fails to start when installed on a freshly installed VM with nothing on
it.
Apr 21 11:57:58 jenkins systemd[1]: Starting Jenkins continuous build server...
-- Subject: A start job for unit jenkins.service has begun execution
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- A start job for unit jenkins.service has begun execution.
--
-- The job identifier is 7725.
Apr 21 11:57:58 jenkins jenkins[22594]: /usr/libexec/jenkins/jenkins: line 45:
/etc/init.d/functions: No such file or directory
Apr 21 11:57:58 jenkins systemd[1]: jenkins.service: Control process exited,
code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- An ExecStart= process belonging to unit jenkins.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 1.
This appears to indicate that Jenkins is packaged with a SysV-reliant script
that is not going to work on Fedora, since there is no package that provides
/etc/init.d/functions.
Version-Release number of selected component (if applicable):
1.651.3
How reproducible:
Completely.
Steps to Reproduce:
1. Install Fedora 30 (used netinstall iso)
2. dnf install jenkins
3. systemctl start jenkins
Actual results:
Job for jenkins.service failed because the control process exited with error
code.
See "systemctl status jenkins.service" and "journalctl -xe" for details.
Expected results:
Jenkins should start
Additional info:
3 years, 11 months
[Bug 1687242] New: modello-1.10.0 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1687242
Bug ID: 1687242
Summary: modello-1.10.0 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: modello
Keywords: FutureFeature, Triaged
Assignee: extras-orphan(a)fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org, fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, yyang(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 1.10.0
Current version/release in rawhide: 1.9.1-8.fc30
URL: http://codehaus-plexus.github.io/modello
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/2002/
3 years, 11 months