January 2023 - java-sig-commits - Fedora Mailing-Lists

[Bug 2158759] New: CVE-2022-45143 tomcat: JsonErrorReportValve injection [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2158759 Bug ID: 2158759 Summary: CVE-2022-45143 tomcat: JsonErrorReportValve injection [fedora-all] Product: Fedora Version: 37 Status: NEW Component: tomcat Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: csutherl(a)redhat.com Reporter: trathi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, csutherl(a)redhat.com, gzaronikas(a)gmail.com, huwang(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2158695 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2158759

6 months

1
5
0 / 0

[Bug 1870860] New: auto-1.7.4 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1870860 Bug ID: 1870860 Summary: auto-1.7.4 is available Product: Fedora Version: rawhide Status: NEW Component: auto Keywords: FutureFeature, Triaged Assignee: mat.booth(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, mat.booth(a)redhat.com, puntogil(a)libero.it Target Milestone: --- Classification: Fedora Latest upstream release: 1.7.4 Current version/release in rawhide: 1.5.4-4.fc33 URL: https://github.com/google/auto Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/6371/ -- You are receiving this mail because: You are on the CC list for the bug.

6 months, 1 week

1
30
0 / 0

[Bug 2077137] New: maven-reporting-api-4.0.0-M1 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2077137 Bug ID: 2077137 Summary: maven-reporting-api-4.0.0-M1 is available Product: Fedora Version: rawhide Status: NEW Component: maven-reporting-api Keywords: FutureFeature, Triaged Assignee: loganjerry(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, loganjerry(a)gmail.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 4.0.0-M1 Current version/release in rawhide: 3.1.0-1.fc36 URL: https://maven.apache.org/shared/maven-reporting-api/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/1931/ -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2077137

6 months, 2 weeks

1
8
0 / 0

[Bug 2130350] New: tomcat-10.1.0 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2130350 Bug ID: 2130350 Summary: tomcat-10.1.0 is available Product: Fedora Version: rawhide Status: NEW Component: tomcat Keywords: FutureFeature, Triaged Assignee: csutherl(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, gzaronikas(a)gmail.com, huwang(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, krzysztof.daniel(a)gmail.com Target Milestone: --- Classification: Fedora Releases retrieved: 10.0.26 Upstream release that is considered latest: 10.1.0 Current version/release in rawhide: 9.0.65-1.fc37 URL: https://tomcat.apache.org/whichversion.html Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release... Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/148939/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/tomcat -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2130350

6 months, 3 weeks

1
44
0 / 0

[Bug 2144648] New: beust-jcommander license files are unreadable

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2144648 Bug ID: 2144648 Summary: beust-jcommander license files are unreadable Product: Fedora Version: rawhide Hardware: All OS: Linux Status: NEW Component: beust-jcommander Severity: low Assignee: mizdebsk(a)redhat.com Reporter: loganjerry(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Description of problem: On a Rawhide box: $ ls -l /usr/share/licenses/beust-jcommander/ ls: cannot access '/usr/share/licenses/beust-jcommander/license.txt': Permission denied ls: cannot access '/usr/share/licenses/beust-jcommander/notice.md': Permission denied total 0 -????????? ? ? ? ? ? license.txt -????????? ? ? ? ? ? notice.md $ cat /usr/share/licenses/beust-jcommander/license.txt cat: /usr/share/licenses/beust-jcommander/license.txt: Permission denied As root, the problem is visible: # ls -al /usr/share/licenses/beust-jcommander total 32 drw-r--r--. 2 root root 4096 Nov 21 15:22 . drwxr-xr-x. 254 root root 12288 Nov 21 15:23 .. -rw-r--r--. 1 root root 11345 Jun 29 05:27 license.txt -rw-r--r--. 1 root root 108 Jun 29 05:27 notice.md The directory lacks execute permission. Line 57 of the spec file is to blame: %attr(0644,root,root) %license license.txt notice.md The 0644 permissions are applied to the directory as well as the files. Version-Release number of selected component (if applicable): beust-jcommander-1.82-1.fc38.noarch How reproducible: N/A Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2144648

7 months

1
5
0 / 0

[Bug 2149756] New: aqute-bnd-6.4.0 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2149756 Bug ID: 2149756 Summary: aqute-bnd-6.4.0 is available Product: Fedora Version: rawhide Status: NEW Component: aqute-bnd Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Releases retrieved: 6.4.0 Upstream release that is considered latest: 6.4.0 Current version/release in rawhide: 6.3.1-2.fc38 URL: http://bnd.bndtools.org/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release... Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/98/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/aqute-bnd -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2149756

7 months, 4 weeks

1
3
0 / 0

[Bug 1978932] New: plexus-velocity-1.3 is available

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1978932 Bug ID: 1978932 Summary: plexus-velocity-1.3 is available Product: Fedora Version: rawhide Status: NEW Component: plexus-velocity Keywords: FutureFeature, Triaged Assignee: java-maint-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: jaromir.capik(a)email.cz, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, markku.korkeala(a)kapsi.fi, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 1.3 Current version/release in rawhide: 1.2-12.fc34 URL: https://codehaus-plexus.github.io/plexus-velocity/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/3664/ -- You are receiving this mail because: You are on the CC list for the bug.

8 months

1
4
0 / 0

[Bug 2157648] New: CVE-2022-4132 tomcat: Memory leak [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2157648 Bug ID: 2157648 Summary: CVE-2022-4132 tomcat: Memory leak [fedora-all] Product: Fedora Version: 37 Status: NEW Component: tomcat Keywords: Security, SecurityTracking Severity: low Priority: low Assignee: csutherl(a)redhat.com Reporter: pdelbell(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: alee(a)redhat.com, csutherl(a)redhat.com, gzaronikas(a)gmail.com, huwang(a)redhat.com, ivan.afonichev(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2147372 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2157648

8 months, 2 weeks

1
4
0 / 0

[Bug 2087186] New: CVE-2022-24823 netty: world readable temporary file containing sensitive data

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2087186 Bug ID: 2087186 Summary: CVE-2022-24823 netty: world readable temporary file containing sensitive data Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: pdelbell(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, alazarot(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, boliveir(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, caswilli(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, ehelms(a)redhat.com, emingora(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, fjuma(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gsmet(a)redhat.com, hamadhan(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcantril(a)redhat.com, jerboaa(a)gmail.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jsherril(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, lgao(a)redhat.com, loleary(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mhulan(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, mosmerov(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, myarboro(a)redhat.com, nmoumoul(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, orabin(a)redhat.com, pcreech(a)redhat.com, pdelbell(a)redhat.com, pdrozd(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, probinso(a)redhat.com, pskopek(a)redhat.com, rchan(a)redhat.com, rgodfrey(a)redhat.com, rguimara(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, sbiarozk(a)redhat.com, sd-operator-metering(a)redhat.com, sdouglas(a)redhat.com, smaestri(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, swoodman(a)redhat.com, tflannag(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com, vkumar(a)redhat.com Blocks: 2087184 Target Milestone: --- Classification: Other Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user. https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981... https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2087186

8 months, 2 weeks

1
30
0 / 0

[Bug 2134291] New: CVE-2022-40152 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2134291 Bug ID: 2134291 Summary: CVE-2022-40152 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: pdelbell(a)redhat.com CC: didiksupriadi41(a)gmail.com, fedoraproject.org(a)bluhm-de.com, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com Blocks: 2128414 Target Milestone: --- Classification: Other Those using Xstream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434 https://github.com/x-stream/xstream/issues/304 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2134291

8 months, 3 weeks

1
29
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits January 2023