https://bugzilla.redhat.com/show_bug.cgi?id=1663909
Bug ID: 1663909
Summary: CVE-2018-1000886 CVE-2018-20535 CVE-2018-20538 nasm: various flaws [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: nasm
Keywords: Security, SecurityTracking
Severity: low
Priority: low
Assignee: mizdebsk(a)redhat.com
Reporter: anemec(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1670704
Bug ID: 1670704
Summary: CVE-2019-7147 nasm: Buffer over-read in function crc64ib in crc64.c resulting in denial of service.
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190101,reported=20190129,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,cwe=CWE-400,fedora-all/nasm=affected,rhel-5/nasm=new,rhel-6/nasm=new,rhel-7/nasm=new,rhel-8/nasm=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, nickc(a)redhat.com
Target Milestone: ---
Classification: Other
A buffer over-read exists in the function crc64ib in crc64.c in nasmlib in
Netwide Assembler (NASM) 2.14rc16. A crafted asm input can cause segmentation
faults, leading to denial-of-service.
References:
https://bugzilla.nasm.us/show_bug.cgi?id=3392544
https://bugzilla.redhat.com/show_bug.cgi?id=1670705
Bug ID: 1670705
Summary: CVE-2019-7147 nasm: Buffer over-read in function crc64ib in crc64.c resulting in denial of service. [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: nasm
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: darunesh(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1670291
Bug ID: 1670291
Summary: groovy-sandbox: jenkins-plugin-workflow-cps: Sandbox Bypass in Groovy Plugin (SECURITY-1293) [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: groovy-sandbox
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: msrb(a)redhat.com
Reporter: sfowler(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1670284
Bug ID: 1670284
Summary: jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1292) [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: jenkins-script-security-plugin
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: msrb(a)redhat.com
Reporter: sfowler(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1667570
Bug ID: 1667570
Summary: jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox Bypass in Script Security and Pipeline Plugins (SECURITY-1266) [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: jenkins-script-security-plugin
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: msrb(a)redhat.com
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1667571
Bug ID: 1667571
Summary: groovy-sandbox: jenkins-plugin-script-security: Sandbox Bypass in Script Security and Pipeline Plugins (SECURITY-1266) [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: groovy-sandbox
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: msrb(a)redhat.com
Reporter: lpardo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1668345
Bug ID: 1668345
Summary: CVE-2019-1003003 Jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190116,reported=20190116,source=oss-security,cvss3=6.6/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-384->CWE-613,fedora-28/jenkins=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: msiddiqu(a)redhat.com
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Other
Users with the Overall/RunScripts permission (typically administrators) were
able to use the Jenkins script console to craft a 'Remember me' cookie that
would never expire. This allowed attackers access to a Jenkins instance while
the corresponding user in the configured security realm exists, for example to
persist access after another successful attack.
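The persistence mechanism described in the CVE-2019-1003003 report above, as an added example that is not Jenkins' own code: a signed remember-me cookie is validated once the way the report describes (whatever expiry the issuer signed is honoured, so anyone who can run code with the signing key, such as a script-console user, can mint a cookie that never expires and keeps working as long as the user still exists in the realm) and once with a server-side cap on token lifetime that bounds how long such a cookie can stay valid. The signing key, the realm contents, the cookie layout and the 30-day cap are all constructed for this example and are not Jenkins' actual values or format.

```python
import base64
import hashlib
import hmac
import json

# All constructed for this example: not Jenkins' key, realm, cookie format or policy.
SIGNING_KEY = b"constructed-demo-signing-key"
REALM_USERS = {"alice", "bob"}           # stand-in for the configured security realm
MAX_COOKIE_LIFETIME = 30 * 24 * 3600     # server-side cap in seconds, illustrative value


def _mac(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, issued_at: int, expires_at: int) -> str:
    """Mint a remember-me cookie: urlsafe-base64(JSON claims) + '.' + hex HMAC.

    Whoever can execute code with access to SIGNING_KEY (the script-console
    scenario in the report) can call this with any expires_at they like.
    """
    payload = json.dumps({"u": user, "iat": issued_at, "exp": expires_at},
                         sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)


def _authentic_claims(cookie: str):
    """Return the claims dict if the MAC verifies and the shape is sane, else None."""
    try:
        b64, mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:   # wrong shape, or bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_mac(payload), mac):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not (isinstance(claims, dict)
            and isinstance(claims.get("u"), str)
            and isinstance(claims.get("iat"), int)
            and isinstance(claims.get("exp"), int)):
        return None
    return claims


def validate_weak(cookie: str, now: int):
    """Trusts whatever expiry the issuer signed. A crafted exp far in the
    future is accepted for as long as the user still exists in the realm,
    which is the persistence the report describes."""
    claims = _authentic_claims(cookie)
    if claims is None or claims["u"] not in REALM_USERS:
        return None
    if claims["exp"] <= now:
        return None
    return claims["u"]


def validate_hardened(cookie: str, now: int):
    """Same checks, plus the server enforces its own maximum lifetime:
    a cookie that claims more than MAX_COOKIE_LIFETIME of validity, or that
    was 'issued' in the future, is rejected even though its MAC is valid."""
    claims = _authentic_claims(cookie)
    if claims is None or claims["u"] not in REALM_USERS:
        return None
    if claims["iat"] > now or claims["exp"] <= now:
        return None
    if claims["exp"] - claims["iat"] > MAX_COOKIE_LIFETIME:
        return None
    return claims["u"]


if __name__ == "__main__":
    now = 1_700_000_000
    forever = issue_cookie("alice", now - 3600, 2 ** 62)   # crafted, effectively never expires
    print("weak    :", validate_weak(forever, now))         # alice
    print("hardened:", validate_hardened(forever, now))     # None
```

The point of the hardened variant is that the token lifetime is a server policy, not a claim the token gets to make about itself: the holder of the signing key can still mint tokens, but each one dies within the cap, so a key compromise or a rogue script-console session does not turn into indefinite access. Checking that the user still exists in the realm (which both variants do) is not a revocation mechanism on its own, since the report's scenario is precisely an attacker who keeps access while the account survives.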
https://bugzilla.redhat.com/show_bug.cgi?id=1668446
Bug ID: 1668446
Summary: CVE-2019-1003003 jenkins: cookie crafted using Jenkins script console allows unauthorised access to Jenkins instance [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: jenkins
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: msrb(a)redhat.com
Reporter: msiddiqu(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1663926
Bug ID: 1663926
Summary: CVE-2018-17197 tika: Infinite loop in SQLite3Parser resulting in a denial of service [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: tika
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: puntogil(a)libero.it
Reporter: anemec(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora