[Bug 1280159] EPEL7 branch for zookeeper
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1280159
greg.hellings(a)gmail.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
CC          |        |greg.hellings(a)gmail.com
Resolution  |---     |WONTFIX
Last Closed |        |2021-02-19 17:38:18
--- Comment #22 from greg.hellings(a)gmail.com ---
The zookeeper package has been retired.
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1881197] New: objectweb-asm-9.0 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1881197
Bug ID: 1881197
Summary: objectweb-asm-9.0 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: objectweb-asm
Keywords: FutureFeature, Triaged
Assignee: java-maint-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com, dwalluck(a)redhat.com,
    fnasser(a)redhat.com,
    java-maint-sig(a)lists.fedoraproject.org,
    java-sig-commits(a)lists.fedoraproject.org,
    jerboaa(a)gmail.com, mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 9.0
Current version/release in rawhide: 8.0.1-1.fc34
URL: http://asm.ow2.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/7177/
[Bug 1887664] CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1887664
--- Comment #61 from Paramvir jindal <pjindal(a)redhat.com> ---
Statement:
* Red Hat Enterprise Linux 8 ships a vulnerable version of jackson-databind in
the pki-deps:10.6 module. pki-deps:10.6 is for pki-core dependencies, but
pki-core does not use the vulnerable DOMDeserializer class and thus has been
set to low impact. Future updates may include a fixed version of
jackson-databind.
* Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable
jackson-databind code. However, OpenDaylight does not expose jackson-databind
in a way that would make it vulnerable, lowering the impact of the
vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix
for OpenDaylight at this time.
* Red Hat Virtualization ships a vulnerable version of jackson-databind;
however, the vulnerable DOMDeserializer class is not used in the code, therefore
reducing impact to low.
* Red Hat OpenShift Container Platform (OCP) ships a vulnerable version of
jackson-databind, but in the affected containers the DOMDeserializer class is
not used. Additionally, access to the containers is restricted to authenticated
users only (OpenShift OAuth authentication), reducing the severity of this
vulnerability to Low.
In OCP 4 there are no plans to maintain the ose-logging-elasticsearch5 container,
hence marked as wontfix.
* Red Hat Satellite ships an affected version of jackson-databind through
Candlepin; however, product code does not use the DOMDeserializer class and
jackson-databind in a vulnerable way. Thus impact has been set to low. A future
release may update jackson-databind to a fixed version.
* Red Hat Single Sign-On (RH-SSO) ships an affected version of jackson-databind;
however, none of the product code is using the affected class
(DOMDeserializer). Thus impact has been set to low. RH-SSO will consume the
fixed artifact from EAP in the next CP.
[Bug 1887779] New: CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1887779
Bug ID: 1887779
Summary: CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) [fedora-all]
Product: Fedora
Version: 32
Status: NEW
Component: jackson-databind
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: java-maint-sig(a)lists.fedoraproject.org
Reporter: mrehak(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com,
    java-maint-sig(a)lists.fedoraproject.org,
    java-sig-commits(a)lists.fedoraproject.org,
    lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.