Product: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=958047
Bug ID: 958047
Summary: woodstox-core: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING not supported
Product: Fedora
Version: rawhide
Component: woodstox-core
Severity: unspecified
Priority: unspecified
Assignee: jcapik(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jcapik(a)redhat.com, mizdebsk(a)redhat.com
Blocks: 958046
Category: ---
This doesn't work:
// Imports needed to compile the snippet (Woodstox's SAX wrapper is com.ctc.wstx.sax.WstxSAXParserFactory):
import java.io.FileInputStream; import javax.xml.XMLConstants; import javax.xml.parsers.*; import org.xml.sax.InputSource; import org.xml.sax.helpers.DefaultHandler; import com.ctc.wstx.sax.WstxSAXParserFactory;
SAXParserFactory factory = new WstxSAXParserFactory();
// Request the JAXP secure-processing feature; this is the call that throws
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
SAXParser parser = factory.newSAXParser();
InputSource is = new InputSource(new FileInputStream(args[0]));
parser.parse(is, new DefaultHandler());
It results in:
Exception in thread "main" org.xml.sax.SAXNotRecognizedException: Feature
'http://javax.xml.XMLConstants/feature/secure-processing' not recognized
As a result, it appears impossible to defend against "billion laughs"-style
denial of service attacks, along the lines of:
https://git.fedorahosted.org/cgit/secure-coding.git/tree/defensive-coding/s…
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=bPCdHpPVN2&a=cc_unsubscribe
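The report above shows a factory silently unable to honour FEATURE_SECURE_PROCESSING. The following is an added example (not code from the report, from Fedora or from the Woodstox project) of how a defender can fail closed on exactly that condition, and of the StAX route that Woodstox does support: switching DTD processing off entirely with the standard javax.xml.stream properties, so no entity can ever be declared, let alone expanded. Assumptions: the JDK's default SAXParserFactory is the Xerces-derived one, which recognises the disallow-doctype-decl feature; the class name HardenedXmlFactories and the constructed test documents in main are mine.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

public final class HardenedXmlFactories {

    // Xerces feature name. Assumption: the JDK's default SAXParserFactory is the
    // Xerces-derived one, which recognises it; other parsers may not.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Fail closed: hand back the factory only if it accepted every hardening feature. */
    public static SAXParserFactory hardenedSaxFactory(SAXParserFactory factory)
            throws ParserConfigurationException {
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature(DISALLOW_DOCTYPE, true);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // This is the situation in the report: a parser that does not recognise the
            // feature leaves entity expansion unlimited, so refuse to use it at all.
            throw new ParserConfigurationException(
                "parser rejected hardening feature: " + e.getMessage());
        }
        return factory;
    }

    /** StAX route: standard javax.xml.stream properties that Woodstox does honour. */
    public static XMLInputFactory hardenedStaxFactory(XMLInputFactory factory) {
        // No DTD processing at all: nothing can declare an entity, so nothing can expand.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    /** True if the reader refused the document (XMLStreamException), false if it read it all. */
    public static boolean rejects(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                r.next();
            }
            r.close();
            return false;
        } catch (XMLStreamException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. The first declares one internal entity and references it;
        // with DTD support off the declaration is skipped, the reference is undeclared
        // and the hardened reader throws. This is a probe, not an expansion payload.
        String withEntity = "<!DOCTYPE d [<!ENTITY e \"x\">]><d>&e;</d>";
        String plain = "<d>x</d>";

        XMLInputFactory stax = hardenedStaxFactory(XMLInputFactory.newInstance());
        System.out.println("entity document rejected: " + rejects(stax, withEntity));
        System.out.println("plain document rejected:  " + rejects(stax, plain));

        try {
            hardenedSaxFactory(SAXParserFactory.newInstance());
            System.out.println("SAX factory accepted the hardening features");
        } catch (ParserConfigurationException e) {
            System.out.println("SAX factory unusable: " + e.getMessage());
        }
    }
}
```

With Woodstox on the classpath, XMLInputFactory.newInstance() returns its factory through the service loader, so the StAX half exercises the same parser the report is about. The important design point is in hardenedSaxFactory: a SAXNotRecognizedException must be treated as "this parser cannot be made safe", not caught and ignored, because the exception is the only signal that the expansion limits were never applied.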
https://bugzilla.redhat.com/show_bug.cgi?id=958727
Bug ID: 958727
Summary: plexus-utils: XMLWriterUtil should guard against problematic comments
Product: Fedora
Version: rawhide
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Blocks: 958220
Category: ---
org.codehaus.plexus.util.xml#writeComment(XMLWriter, String, int, int, int)
does not check if the comment includes a "-->" sequence. This means that text
contained in the comment string could be interpreted as XML, possibly leading
to XML injection issues, depending on how this method is being called.
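As an added illustration of the guard the report asks for (this is not plexus-utils code and does not reproduce XMLWriterUtil's signature), the class below contrasts an unguarded comment writer with two defensible ones: one that rejects text that cannot form a single well-formed comment, and one that neutralises it. The XML 1.0 rule used is that comment content may not contain "--" and may not end with "-"; the class name SafeXmlComment and the sample strings in main are constructed for the example.

```java
public final class SafeXmlComment {

    /** Mirrors the reported behaviour: the text is wrapped without any check. */
    public static String unguardedComment(String text) {
        return "<!--" + text + "-->";
    }

    /** XML 1.0, section 2.5: comment text may not contain "--" and may not end with "-". */
    public static boolean isValidCommentText(String text) {
        return !text.contains("--") && !text.endsWith("-");
    }

    /** Reject: refuse to emit anything that would not be one well-formed comment. */
    public static String guardedComment(String text) {
        if (!isValidCommentText(text)) {
            throw new IllegalArgumentException("text is not valid XML comment content");
        }
        return "<!--" + text + "-->";
    }

    /** Neutralise: keep the text but split every "--" and a trailing "-" with a space. */
    public static String neutralisedComment(String text) {
        StringBuilder sb = new StringBuilder(text.length() + 4);
        char prev = 0;
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '-' && prev == '-') {
                sb.append(' ');   // "--" becomes "- -", so "-->" can no longer appear
            }
            sb.append(c);
            prev = c;
        }
        if (prev == '-') {
            sb.append(' ');       // a trailing "-" would merge with the closing "-->"
        }
        return "<!--" + sb + "-->";
    }

    public static void main(String[] args) {
        // Constructed inputs; the second closes the comment early if written unguarded.
        String benign = "generated by tool";
        String hostile = "note --><injected/><!-- tail";
        System.out.println(unguardedComment(hostile));   // two comments, live markup between them
        System.out.println(neutralisedComment(hostile)); // one comment, markup stays inert
        System.out.println(guardedComment(benign));
        try {
            guardedComment(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting is the better default for a library writer, since it surfaces the problem to the caller instead of silently altering output; neutralising is the pragmatic choice when the comment text is informational and must never be able to break the document.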
https://bugzilla.redhat.com/show_bug.cgi?id=958221
Bug ID: 958221
Summary: plexus-utils: directory traversal in org.codehaus.plexus.util.Expand
Product: Fedora
Version: rawhide
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Blocks: 958220
Category: ---
org.codehaus.plexus.util.Expand does not guard against directory traversal, but
such protection is generally expected from unarchiving tools.
I think the class should just be deprecated and removed because there do not
appear to be any users left (not even a test case).
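The protection the report says unarchiving tools are expected to provide is a check that every entry's resolved path stays inside the destination directory. Below is an added example of that check (my code, not plexus-utils' Expand class), written against java.nio.file so that ".." components are folded before the comparison and the prefix test is done on path components rather than on strings. The class name SafeExtractTarget, the destination path and the entry names in main are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeExtractTarget {

    /** Resolve an archive entry name under destDir, rejecting anything that escapes it. */
    public static Path resolveEntry(Path destDir, String entryName) {
        Path base = destDir.toAbsolutePath().normalize();
        Path entry = Paths.get(entryName);
        if (entry.isAbsolute()) {
            // resolve() would discard base entirely for an absolute name
            throw new IllegalArgumentException("absolute entry name rejected: " + entryName);
        }
        Path target = base.resolve(entry).normalize();
        // normalize() has folded "../" in, so a target no longer under base has escaped.
        // Path.startsWith compares whole components, so "/tmp/out2" does not pass for "/tmp/out".
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("entry escapes destination: " + entryName);
        }
        return target;
    }

    /** Convenience wrapper for callers that only need a yes/no answer. */
    public static boolean isSafeEntry(Path destDir, String entryName) {
        try {
            resolveEntry(destDir, entryName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/extract-here");   // constructed destination
        String[] names = {
            "docs/readme.txt",      // ok
            "a/../b.txt",           // ok: stays inside after normalisation
            "../../etc/passwd",     // rejected: escapes via traversal
            "/etc/passwd",          // rejected: absolute
            "x/../../y",            // rejected: ends up one level above dest
        };
        for (String n : names) {
            System.out.println(n + " -> " + (isSafeEntry(dest, n) ? "ok" : "REJECTED"));
        }
    }
}
```

The check is lexical. If the destination may already contain symlinks (or an earlier entry in the same archive created one), the extractor must also compare real paths, for example by resolving the parent of each target with toRealPath() before writing, otherwise a link inside the destination can redirect a lexically safe entry elsewhere.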
https://bugzilla.redhat.com/show_bug.cgi?id=1193307
Bug ID: 1193307
Summary: tomcat: do not provide javax.el:el-api
Product: Fedora
Version: 22
Component: tomcat
Assignee: ivan.afonichev(a)gmail.com
Reporter: msrb(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com
Description of problem:
tomcat currently provides, among others, mvn(javax.el:el-api). The problem is
that the glassfish-el-api provides it as well. This causes other packages to
fail to build, if both tomcat and glassfish-el-api happen to be in the buildroot.
I think that glassfish-el-api should be the one providing javax.el:el-api, as it
is a reference implementation of EL.
Java packaging guidelines should be updated as well.
Version-Release number of selected component (if applicable):
tomcat-8.0.18-1.fc23
https://bugzilla.redhat.com/show_bug.cgi?id=1185148
Bug ID: 1185148
Summary: CVE-2014-9634 Jenkins on Tomcat: failure to set secure flag on cookies
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jdetiber(a)redhat.com, jialiu(a)redhat.com,
jkeck(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com
Yann Rouillard reports:
Jenkins on Tomcat fails to set the secure flag on cookies.
https://bugzilla.redhat.com/show_bug.cgi?id=1185151
Bug ID: 1185151
Summary: CVE-2014-9635 Jenkins on Tomcat: failure to set httponly flag on cookies
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jdetiber(a)redhat.com, jialiu(a)redhat.com,
jkeck(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mmccomas(a)redhat.com,
msrb(a)redhat.com
Yann Rouillard reports:
Jenkins on Tomcat fails to set the httponly flag on cookies.
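The two reports above (CVE-2014-9634 and CVE-2014-9635) describe the same class of omission on the session cookie, the Secure flag and the HttpOnly flag respectively. As an added example, not code from Jenkins, Tomcat or the reports, the listener below sets both flags on the container-issued session cookie through the Servlet 3.0 SessionCookieConfig API, and a small helper checks a Set-Cookie header value for the flags so the deployed result can be verified. Assumptions: a Servlet 3.0+ container using the javax.servlet namespace (Tomcat 8 era, matching the page); the class name SessionCookieHardening and the header samples in main are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Applies to the container-issued session cookie (JSESSIONID by default).
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);   // not exposed to script via document.cookie
        cfg.setSecure(true);     // only sent over TLS connections
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /** Given the value of one Set-Cookie response header, list the hardening flags it lacks. */
    public static List<String> missingFlags(String setCookieValue) {
        boolean secure = false;
        boolean httpOnly = false;
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) {   // parts[0] is name=value
            String attr = parts[i].trim();
            if (attr.equalsIgnoreCase("Secure")) {
                secure = true;
            } else if (attr.equalsIgnoreCase("HttpOnly")) {
                httpOnly = true;
            }
        }
        List<String> missing = new ArrayList<>();
        if (!secure) {
            missing.add("Secure");
        }
        if (!httpOnly) {
            missing.add("HttpOnly");
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed header values, not captured from a real Jenkins instance.
        String[] samples = {
            "JSESSIONID=abc123; Path=/jenkins",                    // missing [Secure, HttpOnly]
            "JSESSIONID=abc123; Path=/jenkins; HttpOnly",          // missing [Secure]
            "JSESSIONID=abc123; Path=/jenkins; Secure; HttpOnly",  // missing []
        };
        for (String s : samples) {
            System.out.println(s + " -> missing " + missingFlags(s));
        }
    }
}
```

The same two settings can be declared in web.xml under session-config/cookie-config (http-only and secure elements) instead of in code. One caveat on the Secure flag: the browser will not send a Secure cookie over plain HTTP, so the application must actually be served over TLS, and when TLS is terminated at a proxy in front of Tomcat the container has to be told the original scheme (for example via the RemoteIpValve) or it will treat requests as insecure.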