November 2022 - java-sig-commits - Fedora Mailing-Lists

[Bug 2034067] New: CVE-2021-45105 log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2034067 Bug ID: 2034067 Summary: CVE-2021-45105 log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: jwon(a)redhat.com CC: aboyko(a)redhat.com, ahenning(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bdettelb(a)redhat.com, bgeorges(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, crarobin(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dbhole(a)redhat.com, devrim(a)gunduz.org, dkreling(a)redhat.com, dosoudil(a)redhat.com, eleandro(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ewolinet(a)redhat.com, fjuma(a)redhat.com, gsmet(a)redhat.com, hamadhan(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcantril(a)redhat.com, jmadigan(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jrokos(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lgao(a)redhat.com, lthon(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, ngough(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pamccart(a)redhat.com, paul.wouters(a)aiven.io, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, probinso(a)redhat.com, pskopek(a)redhat.com, rguimara(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, sbiarozk(a)redhat.com, sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com, sguilhen(a)redhat.com, smaestri(a)redhat.com, sponnaga(a)redhat.com, tflannag(a)redhat.com, tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com, vkumar(a)redhat.com, yborgess(a)redhat.com Blocks: 2030930 Target Milestone: --- Classification: Other Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack. This issue is being tracked as LOG4J2-3230 Mitigation: Implement one of the following mitigation techniques: * Java 8 (or later) users should upgrade to release 2.17.0. Alternatively, this can be mitigated in configuration: * In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). * Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. Reference: https://logging.apache.org/log4j/2.x/security.html https://www.openwall.com/lists/oss-security/2021/12/19/1 https://issues.apache.org/jira/browse/LOG4J2-3230 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2034067

1 year, 5 months

1
67
0 / 0

[Bug 2034082] New: CVE-2021-45105 log4j: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2034082 Bug ID: 2034082 Summary: CVE-2021-45105 log4j: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern [fedora-all] Product: Fedora Version: 35 Status: NEW Component: log4j Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: paul.wouters(a)aiven.io Reporter: huzaifas(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, devrim(a)gunduz.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, paul.wouters(a)aiven.io Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2034082

1 year, 5 months

1
4
0 / 0

[Bug 2031958] New: CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2031958 Bug ID: 2031958 Summary: CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, boliveir(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, caswilli(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, ehelms(a)redhat.com, eleandro(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ewolinet(a)redhat.com, extras-orphan(a)fedoraproject.org, fjuma(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gsmet(a)redhat.com, hamadhan(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcantril(a)redhat.com, jerboaa(a)gmail.com, jjoyce(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschluet(a)redhat.com, jsherril(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com, loleary(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mburns(a)redhat.com, mhulan(a)redhat.com, mkolesni(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, myarboro(a)redhat.com, nmoumoul(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, orabin(a)redhat.com, pcreech(a)redhat.com, pdelbell(a)redhat.com, pdrozd(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, probinso(a)redhat.com, rchan(a)redhat.com, rgodfrey(a)redhat.com, rguimara(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, sbiarozk(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, tflannag(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com, vkumar(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.7.1.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.7.1.Final to receive a patch. Reference: https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq Upstream patch: https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e26438... -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2031958

1 year, 5 months

1
51
0 / 0

[Bug 2031959] New: CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2031959 Bug ID: 2031959 Summary: CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling [fedora-all] Product: Fedora Version: 35 Status: NEW Component: netty Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: extras-orphan(a)fedoraproject.org Reporter: gsuckevi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2031959

1 year, 5 months

1
4
0 / 0

[Bug 1987856] New: portals-pom: FTBFS in Fedora rawhide/f35

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1987856 Bug ID: 1987856 Summary: portals-pom: FTBFS in Fedora rawhide/f35 Product: Fedora Version: rawhide Status: NEW Component: portals-pom Assignee: jjelen(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jjelen(a)redhat.com, puntogil(a)libero.it Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS) Target Milestone: --- Classification: Fedora portals-pom failed to build from source in Fedora rawhide/f35 https://koji.fedoraproject.org/koji/taskinfo?taskID=72463376 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Please fix portals-pom at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, portals-pom will be orphaned. Before branching of Fedora 36, portals-pom will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fai... Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1927309 [Bug 1927309] Fedora 35 FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 year, 5 months

1
9
0 / 0

[Bug 1987630] New: lancer: FTBFS in Fedora rawhide/f35

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1987630 Bug ID: 1987630 Summary: lancer: FTBFS in Fedora rawhide/f35 Product: Fedora Version: rawhide Status: NEW Component: lancer Assignee: willb(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, willb(a)redhat.com Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS) Target Milestone: --- Classification: Fedora lancer failed to build from source in Fedora rawhide/f35 https://koji.fedoraproject.org/koji/taskinfo?taskID=72389355 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Please fix lancer at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, lancer will be orphaned. Before branching of Fedora 36, lancer will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fai... Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1927309 [Bug 1927309] Fedora 35 FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 year, 5 months

1
19
0 / 0

[Bug 1987364] New: ant-contrib: FTBFS in Fedora rawhide/f35

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1987364 Bug ID: 1987364 Summary: ant-contrib: FTBFS in Fedora rawhide/f35 Product: Fedora Version: rawhide Status: NEW Component: ant-contrib Assignee: java-maint-sig(a)lists.fedoraproject.org Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, extras-orphan(a)fedoraproject.org, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Blocks: 1927309 (F35FTBFS,RAWHIDEFTBFS) Target Milestone: --- Classification: Fedora ant-contrib failed to build from source in Fedora rawhide/f35 https://koji.fedoraproject.org/koji/taskinfo?taskID=72323523 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Please fix ant-contrib at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, ant-contrib will be orphaned. Before branching of Fedora 36, ant-contrib will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fai... Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1927309 [Bug 1927309] Fedora 35 FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 year, 5 months

1
30
0 / 0

[Bug 2142727] New: CVE-2022-42920 bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [fedora-35]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2142727 Bug ID: 2142727 Summary: CVE-2022-42920 bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [fedora-35] Product: Fedora Version: 35 Status: NEW Component: bcel Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: mizdebsk(a)redhat.com Reporter: trathi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: agrimm(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, richardfearn(a)gmail.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2142707 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2142727

1 year, 5 months

1
9
0 / 0

[Bug 2142728] New: CVE-2022-42920 bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [fedora-36]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2142728 Bug ID: 2142728 Summary: CVE-2022-42920 bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [fedora-36] Product: Fedora Version: 36 Status: NEW Component: bcel Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: mizdebsk(a)redhat.com Reporter: trathi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: agrimm(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, richardfearn(a)gmail.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2142707 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2142728

1 year, 5 months

1
8
0 / 0

[Bug 2143514] New: CVE-2022-42920 bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [fedora-37]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2143514 Bug ID: 2143514 Summary: CVE-2022-42920 bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [fedora-37] Product: Fedora Version: 37 Status: NEW Component: bcel Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: mizdebsk(a)redhat.com Reporter: trathi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: agrimm(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, richardfearn(a)gmail.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2142707 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2143514

1 year, 5 months

1
8
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits November 2022