[Bug 1931829] New: maven-wagon-3.4.3 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1931829
Bug ID: 1931829
Summary: maven-wagon-3.4.3 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: maven-wagon
Keywords: FutureFeature, Triaged
Assignee: java-maint-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, decathorpe(a)gmail.com,
fnasser(a)redhat.com, jaromir.capik(a)email.cz,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, yyang(a)redhat.com
Target Milestone: ---
Classification: Fedora
Latest upstream release: 3.4.3
Current version/release in rawhide: 3.4.2-1.fc34
URL: http://maven.apache.org/wagon
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1947/
--
You are receiving this mail because:
You are on the CC list for the bug.
2 years, 1 month
[Bug 2032580] New: CVE-2021-45046 log4j-core: thread context message pattern and context lookup pattern vulnerable to DoS
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2032580
Bug ID: 2032580
Summary: CVE-2021-45046 log4j-core: thread context message
pattern and context lookup pattern vulnerable to DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bdettelb(a)redhat.com, bgeorges(a)redhat.com,
bibryam(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
boliveir(a)redhat.com, brian.stansberry(a)redhat.com,
btotty(a)redhat.com, caswilli(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
clement.escoffier(a)redhat.com, dandread(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
dbhole(a)redhat.com, devrim(a)gunduz.org,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, ehelms(a)redhat.com,
eleandro(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, ewolinet(a)redhat.com,
fjuma(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gsmet(a)redhat.com,
hamadhan(a)redhat.com, hbraun(a)redhat.com,
hhorak(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jjoyce(a)redhat.com, jnethert(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jrokos(a)redhat.com,
jross(a)redhat.com, jschluet(a)redhat.com,
jsherril(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com,
lpeer(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
mburns(a)redhat.com, mhulan(a)redhat.com,
mizdebsk(a)redhat.com, mkolesni(a)redhat.com,
mmccune(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, myarboro(a)redhat.com,
nmoumoul(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, orabin(a)redhat.com,
pantinor(a)redhat.com, paul.wouters(a)aiven.io,
pcreech(a)redhat.com, pdelbell(a)redhat.com,
pdrozd(a)redhat.com, peholase(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, probinso(a)redhat.com,
rchan(a)redhat.com, rguimara(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rstancel(a)redhat.com, rsvoboda(a)redhat.com,
sbiarozk(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sd-operator-metering(a)redhat.com,
sdouglas(a)redhat.com, slinaber(a)redhat.com,
smaestri(a)redhat.com, sponnaga(a)redhat.com,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tflannag(a)redhat.com,
tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com,
vkumar(a)redhat.com, yborgess(a)redhat.com
Target Milestone: ---
Classification: Other
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was
incomplete in certain non-default configurations. This could allows attackers
with control over Thread Context Map (MDC) input data when the logging
configuration uses a non-default Pattern Layout with either a Context Lookup
(for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or
%MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a
denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to
localhost by default. Note that previous mitigations involving configuration
such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT
mitigate this specific vulnerability.
Log4j 2.16.0 fixes this issue by removing support for message lookup patterns
and disabling JNDI functionality by default.
This issue can be mitigated in prior releases (<2.16.0) by removing the
JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class).
Reference:
https://www.openwall.com/lists/oss-security/2021/12/14/4
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2032580
2 years, 1 month
[Bug 1818161] New: javaparser-3.15.17 is available
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1818161
Bug ID: 1818161
Summary: javaparser-3.15.17 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: javaparser
Keywords: FutureFeature, Triaged
Assignee: decathorpe(a)gmail.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 3.15.17
Current version/release in rawhide: 3.3.5-3.fc32
URL: https://javaparser.org/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/89330/
--
You are receiving this mail because:
You are on the CC list for the bug.
2 years, 1 month
[Bug 2006950] New: CVE-2020-21913 icu: Use after free in pkg_createWithAssemblyCode function in tools/pkgdata/pkgdata.cpp
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2006950
Bug ID: 2006950
Summary: CVE-2020-21913 icu: Use after free in
pkg_createWithAssemblyCode function in
tools/pkgdata/pkgdata.cpp
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: ahughes(a)redhat.com, aileenc(a)redhat.com,
bdettelb(a)redhat.com, bmontgom(a)redhat.com,
caillon+fedoraproject(a)gmail.com, chazlett(a)redhat.com,
dbhole(a)redhat.com, denis.arnaud_fedora(a)m4x.org,
drieden(a)redhat.com, eng-i18n-bugs(a)redhat.com,
eparis(a)redhat.com, erack(a)redhat.com,
erik-fedora(a)vanpienbroek.nl, fnasser(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hhorak(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jdowland(a)redhat.com,
jkang(a)redhat.com, jnakfour(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jorton(a)redhat.com, jvanek(a)redhat.com, jwon(a)redhat.com,
kaycoth(a)redhat.com, krzysztof.daniel(a)gmail.com,
lef(a)fedoraproject.org, loganjerry(a)gmail.com,
manisandro(a)gmail.com, mcatanza(a)redhat.com,
mfabian(a)redhat.com, mizdebsk(a)redhat.com,
mrunge(a)redhat.com, neugens(a)redhat.com,
nodejs-maint(a)redhat.com,
nodejs-sig(a)lists.fedoraproject.org,
nsantos(a)redhat.com, nstielau(a)redhat.com,
patrickm(a)redhat.com, pjindal(a)redhat.com,
psegedy(a)redhat.com, rh-spice-bugs(a)redhat.com,
rhughes(a)redhat.com, rstrode(a)redhat.com,
sandmann(a)redhat.com, sgallagh(a)redhat.com,
sponnaga(a)redhat.com, tchollingsworth(a)gmail.com,
thrcka(a)redhat.com, tpopela(a)redhat.com, tuxator(a)o2.pl,
vkumar(a)redhat.com, walter.pete(a)yandex.com,
zsvetlik(a)redhat.com
Target Milestone: ---
Classification: Other
International Components for Unicode (ICU-20850) v66.1 was discovered to
contain a use after free bug in the pkg_createWithAssemblyCode function in the
file tools/pkgdata/pkgdata.cpp.
References:
https://github.com/unicode-org/icu/pull/886
https://unicode-org.atlassian.net/browse/ICU-20850
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2006950
2 years, 1 month
[Bug 1948752] New: CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1948752
Bug ID: 1948752
Summary: CVE-2021-29425 apache-commons-io: Limited path
traversal in Apache Commons IO 2.2 to 2.6
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: decathorpe(a)gmail.com, hhorak(a)redhat.com,
java-maint(a)redhat.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, kaycoth(a)redhat.com,
mizdebsk(a)redhat.com, qe-baseos-apps(a)redhat.com,
rhcs-maint(a)redhat.com, sgehwolf(a)redhat.com,
SpikeFedora(a)gmail.com, stuart(a)gathman.org
Target Milestone: ---
Classification: Other
In Apache Commons IO before 2.7, When invoking the method
FileNameUtils.normalize with an improper input string, like
"//../foo", or "\\..\foo", the result would be the same value, thus
possibly providing access to files in the parent directory, but not
further above (thus "limited" path traversal), if the calling code
would use the result to construct a path value.
References:
https://www.openwall.com/lists/oss-security/2021/04/12/1
https://issues.apache.org/jira/browse/IO-556
--
You are receiving this mail because:
You are on the CC list for the bug.
2 years, 2 months