[Bug 1816330] New: CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1816330
Bug ID: 1816330
Summary: CVE-2020-8840 jackson-databind: Lacks certain
xbean-reflect/JNDI blocking
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cbyrne(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmacedo(a)redhat.com,
darran.lofthouse(a)redhat.com, decathorpe(a)gmail.com,
dffrench(a)redhat.com, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
drusso(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hhorak(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jmadigan(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jorton(a)redhat.com,
jpallich(a)redhat.com, jperkins(a)redhat.com,
jshepherd(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, kwills(a)redhat.com,
lef(a)fedoraproject.org, lgao(a)redhat.com,
lthon(a)redhat.com, lzap(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
ngough(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pdrozd(a)redhat.com, pgallagh(a)redhat.com,
pjindal(a)redhat.com, pmackay(a)redhat.com,
psotirop(a)redhat.com, puntogil(a)libero.it,
pwright(a)redhat.com, rchan(a)redhat.com,
rguimara(a)redhat.com, rhcs-maint(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rsvoboda(a)redhat.com,
rsynek(a)redhat.com, sdaley(a)redhat.com,
smaestri(a)redhat.com, sokeeffe(a)redhat.com,
sponnaga(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com,
trepel(a)redhat.com
Target Milestone: ---
Classification: Other
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain
xbean-reflect/JNDI blocking, as demonstrated by
org.apache.xbean.propertyeditor.JndiConverter.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2620
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 7 months
[Bug 1816332] New: CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1816332
Bug ID: 1816332
Summary: CVE-2020-9546 jackson-databind: Serialization gadgets
in shaded-hikari-config
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cbyrne(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmacedo(a)redhat.com,
darran.lofthouse(a)redhat.com, decathorpe(a)gmail.com,
dffrench(a)redhat.com, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
drusso(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hhorak(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jmadigan(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jorton(a)redhat.com,
jpallich(a)redhat.com, jperkins(a)redhat.com,
jshepherd(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, kwills(a)redhat.com,
lef(a)fedoraproject.org, lgao(a)redhat.com,
lthon(a)redhat.com, lzap(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
ngough(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pdrozd(a)redhat.com, pgallagh(a)redhat.com,
pjindal(a)redhat.com, pmackay(a)redhat.com,
psotirop(a)redhat.com, puntogil(a)libero.it,
pwright(a)redhat.com, rchan(a)redhat.com,
rguimara(a)redhat.com, rhcs-maint(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rsvoboda(a)redhat.com,
rsynek(a)redhat.com, sdaley(a)redhat.com,
smaestri(a)redhat.com, sokeeffe(a)redhat.com,
sponnaga(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com,
trepel(a)redhat.com
Target Milestone: ---
Classification: Other
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded
hikari-config).
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2631
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 7 months
[Bug 1796225] New: CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1796225
Bug ID: 1796225
Summary: CVE-2020-7238 netty: HTTP Request Smuggling due to
Transfer-Encoding whitespace mishandling
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
asoldano(a)redhat.com, atangrin(a)redhat.com,
ataylor(a)redhat.com, avibelli(a)redhat.com,
bbaranow(a)redhat.com, bbuckingham(a)redhat.com,
bcourt(a)redhat.com, bgeorges(a)redhat.com,
bkearney(a)redhat.com, bmaxwell(a)redhat.com,
bmontgom(a)redhat.com, brian.stansberry(a)redhat.com,
btotty(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, darran.lofthouse(a)redhat.com,
dbecker(a)redhat.com, decathorpe(a)gmail.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, eparis(a)redhat.com,
esammons(a)redhat.com, etirelli(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
gvarsami(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jburrell(a)redhat.com, jcoleman(a)redhat.com,
jerboaa(a)gmail.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jolee(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jross(a)redhat.com,
jschatte(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
kbasil(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, ldimaggi(a)redhat.com,
lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
mburns(a)redhat.com, mcressma(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
nstielau(a)redhat.com, nwallace(a)redhat.com,
paradhya(a)redhat.com, pdrozd(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, psotirop(a)redhat.com,
rchan(a)redhat.com, rguimara(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rsvoboda(a)redhat.com,
rsynek(a)redhat.com, rwagner(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
smaestri(a)redhat.com, sochotni(a)redhat.com,
sokeeffe(a)redhat.com, spinder(a)redhat.com,
sponnaga(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tcunning(a)redhat.com,
theute(a)redhat.com, tkirby(a)redhat.com,
tom.jenkinson(a)redhat.com, vhalbert(a)redhat.com
Target Milestone: ---
Classification: Other
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles
Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line)
and a later Content-Length header. This issue exists because of an incomplete
fix for CVE-2019-16869.
References:
https://github.com/jdordonezn/CVE-2020-72381/issues/1
https://netty.io/news/
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 7 months
[Bug 1819652] New: CVE-2019-16538 jenkins-script-security-plugin: sandbox protection bypass leads to execute arbitrary code in sandboxed scripts
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1819652
Bug ID: 1819652
Summary: CVE-2019-16538 jenkins-script-security-plugin: sandbox
protection bypass leads to execute arbitrary code in
sandboxed scripts
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: abenaiss(a)redhat.com, aos-bugs(a)redhat.com,
bmontgom(a)redhat.com, eparis(a)redhat.com,
extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, pbhattac(a)redhat.com,
sponnaga(a)redhat.com, vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and
earlier related to the handling of default parameter expressions in closures
allowed attackers to execute arbitrary code in sandboxed scripts.
Reference:
http://www.openwall.com/lists/oss-security/2019/11/21/1
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 8 months
[Bug 1819078] New: CVE-2020-2135 jenkins-2-plugins: sandbox protection bypass leads to arbitrary code execution
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1819078
Bug ID: 1819078
Summary: CVE-2020-2135 jenkins-2-plugins: sandbox protection
bypass leads to arbitrary code execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: abenaiss(a)redhat.com, aos-bugs(a)redhat.com,
bmontgom(a)redhat.com, eparis(a)redhat.com,
extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, pbhattac(a)redhat.com,
sponnaga(a)redhat.com, vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins Script Security Plugin 1.70 and earlier,
where sandbox protection earlier could be circumvented through crafted method
calls on objects that implement GroovyInterceptable.
Reference:
http://www.openwall.com/lists/oss-security/2020/03/09/1
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 8 months
[Bug 1819093] New: CVE-2020-2110 jenkins-2-plugins: sandbox protection bypass during script compilation phase by applying AST transforming annotations
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1819093
Bug ID: 1819093
Summary: CVE-2020-2110 jenkins-2-plugins: sandbox protection
bypass during script compilation phase by applying AST
transforming annotations
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: abenaiss(a)redhat.com, aos-bugs(a)redhat.com,
bmontgom(a)redhat.com, eparis(a)redhat.com,
extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, pbhattac(a)redhat.com,
sponnaga(a)redhat.com, vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins Script Security Plugin 1.69 and earlier,
where sandbox protection could be circumvented during the script compilation
phase by applying AST transforming annotations to imports or by using them
inside of other annotations.
Reference:
http://www.openwall.com/lists/oss-security/2020/02/12/3
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 8 months
[Bug 1819091] New: CVE-2020-2134 jenkins-2-plugins: sandbox protection bypass via crafted constructor calls and crafted constructor bodies
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1819091
Bug ID: 1819091
Summary: CVE-2020-2134 jenkins-2-plugins: sandbox protection
bypass via crafted constructor calls and crafted
constructor bodies
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: abenaiss(a)redhat.com, aos-bugs(a)redhat.com,
bmontgom(a)redhat.com, eparis(a)redhat.com,
extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, pbhattac(a)redhat.com,
sponnaga(a)redhat.com, vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins Script Security Plugin 1.70 and earlier,
where sandbox protection could be circumvented through crafted constructor
calls and crafted constructor bodies.
Reference:
http://www.openwall.com/lists/oss-security/2020/03/09/1
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 8 months
[Bug 1819190] New: CVE-2020-2160 jenkins: CSRF protection bypass via crafted URLs
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1819190
Bug ID: 1819190
Summary: CVE-2020-2160 jenkins: CSRF protection bypass via
crafted URLs
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: abenaiss(a)redhat.com, aos-bugs(a)redhat.com,
bmontgom(a)redhat.com, eparis(a)redhat.com,
extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jokerman(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
nstielau(a)redhat.com, pbhattac(a)redhat.com,
sponnaga(a)redhat.com, vbobade(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier
uses different representations of request URL paths, which allows attackers to
craft URLs that allow bypassing CSRF protection of any target URL.
Reference:
http://www.openwall.com/lists/oss-security/2020/03/25/2
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 8 months
[Bug 1771158] New: easymock-4.1 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1771158
Bug ID: 1771158
Summary: easymock-4.1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: easymock
Keywords: FutureFeature, Triaged
Assignee: stewardship-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, dbhole(a)redhat.com,
decathorpe(a)gmail.com, fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, mizdebsk(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 4.1
Current version/release in rawhide: 3.6-4.fc31
URL: http://www.easymock.org
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/649/
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 8 months