java-sig-commits March 2019

java-sig-commits@lists.fedoraproject.org

1 participants
183 discussions

[Bug 1663016] New: OpenNLP 1.9.1 available
by bugzilla＠redhat.com 24 Nov '20

24 Nov '20

https://bugzilla.redhat.com/show_bug.cgi?id=1663016 Bug ID: 1663016 Summary: OpenNLP 1.9.1 available Product: Fedora Version: 29 Hardware: x86_64 OS: Linux Status: NEW Component: opennlp Severity: low Assignee: puntogil(a)libero.it Reporter: edgar.hoch(a)ims.uni-stuttgart.de QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Target Milestone: --- Classification: Fedora Created attachment 1518001 --> https://bugzilla.redhat.com/attachment.cgi?id=1518001&action=edit opennlp.spec for 1.9.1 Description of problem: OpenNLP package distributed by Fedora 29 is more that four years old. Current OpenNLP version is 1.9.1. I have used the spec file of opennlp-1.5.3-7.fc29 and modified it until mock creates packages for version 1.9.1. It may be that it can be more optimized. It would be nice if someone could check it and creates updated packages for the public. Version-Release number of selected component (if applicable): opennlp-1.5.3-7.fc29.noarch -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1664731] New: CVE-2018-20433 c3p0: XML external entity processing in extractXmlConfigFromInputStream [epel-7]
by bugzilla＠redhat.com 05 Jul '20

05 Jul '20

https://bugzilla.redhat.com/show_bug.cgi?id=1664731 Bug ID: 1664731 Summary: CVE-2018-20433 c3p0: XML external entity processing in extractXmlConfigFromInputStream [epel-7] Product: Fedora EPEL Version: epel7 Status: NEW Component: c3p0 Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: dingyichen(a)gmail.com Reporter: anemec(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dingyichen(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, mat.booth(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-7. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1678877] New: slf4j-1.7.26 is available
by bugzilla＠redhat.com 08 Jun '20

08 Jun '20

https://bugzilla.redhat.com/show_bug.cgi?id=1678877 Bug ID: 1678877 Summary: slf4j-1.7.26 is available Product: Fedora Version: rawhide Status: NEW Component: slf4j Keywords: FutureFeature, Triaged Assignee: extras-orphan(a)fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 1.7.26 Current version/release in rawhide: 1.7.25-6.fc30 URL: http://www.slf4j.org/download.html Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/4831/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1670199] New: plexus-containers-2.0.0 is available
by bugzilla＠redhat.com 08 Jun '20

08 Jun '20

https://bugzilla.redhat.com/show_bug.cgi?id=1670199 Bug ID: 1670199 Summary: plexus-containers-2.0.0 is available Product: Fedora Version: rawhide Status: NEW Component: plexus-containers Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: dbhole(a)redhat.com, fnasser(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, yyang(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 2.0.0 Current version/release in rawhide: 1.7.1-8.fc29 URL: https://github.com/codehaus-plexus/plexus-containers Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/3668/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1674068] New: maven-wagon-3.3.2 is available
by bugzilla＠redhat.com 08 Jun '20

08 Jun '20

https://bugzilla.redhat.com/show_bug.cgi?id=1674068 Bug ID: 1674068 Summary: maven-wagon-3.3.2 is available Product: Fedora Version: rawhide Status: NEW Component: maven-wagon Keywords: FutureFeature, Triaged Assignee: extras-orphan(a)fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, dbhole(a)redhat.com, extras-orphan(a)fedoraproject.org, fnasser(a)redhat.com, jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, yyang(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 3.3.2 Current version/release in rawhide: 3.2.0-2.fc30 URL: http://maven.apache.org/wagon Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1947/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1680430] New: maven-archiver-3.4.0 is available
by bugzilla＠redhat.com 08 Jun '20

08 Jun '20

https://bugzilla.redhat.com/show_bug.cgi?id=1680430 Bug ID: 1680430 Summary: maven-archiver-3.4.0 is available Product: Fedora Version: rawhide Status: NEW Component: maven-archiver Keywords: FutureFeature, Triaged Assignee: extras-orphan(a)fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 3.4.0 Current version/release in rawhide: 3.2.0-4.fc30 URL: http://repo2.maven.org/maven2/org/apache/maven/maven-archiver/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1895/ -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1692150] New: bcel-6.3.1 is available
by bugzilla＠redhat.com 08 Jun '20

08 Jun '20

https://bugzilla.redhat.com/show_bug.cgi?id=1692150 Bug ID: 1692150 Summary: bcel-6.3.1 is available Product: Fedora Version: rawhide Status: NEW Component: bcel Keywords: FutureFeature, Triaged Assignee: extras-orphan(a)fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: agrimm(a)gmail.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, richardfearn(a)gmail.com Target Milestone: --- Classification: Fedora Latest upstream release: 6.3.1 Current version/release in rawhide: 6.2-4.fc30 URL: http://www.apache.org/dist/commons/bcel/source/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/171/ -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1687242] New: modello-1.10.0 is available
by bugzilla＠redhat.com 24 May '20

24 May '20

https://bugzilla.redhat.com/show_bug.cgi?id=1687242 Bug ID: 1687242 Summary: modello-1.10.0 is available Product: Fedora Version: rawhide Status: NEW Component: modello Keywords: FutureFeature, Triaged Assignee: extras-orphan(a)fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: extras-orphan(a)fedoraproject.org, fnasser(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, yyang(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 1.10.0 Current version/release in rawhide: 1.9.1-8.fc30 URL: http://codehaus-plexus.github.io/modello Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/2002/ -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1689873] New: CVE-2019-1003029 jenkins-plugin-script-security: sandbox bypass in script security plugin
by bugzilla＠redhat.com 28 Apr '20

28 Apr '20

https://bugzilla.redhat.com/show_bug.cgi?id=1689873 Bug ID: 1689873 Summary: CVE-2019-1003029 jenkins-plugin-script-security: sandbox bypass in script security plugin Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=important,public=20190306,reported=20190309,sou rce=cve,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H /I:H/A:H,fedora-all/jenkins-script-security-plugin=aff ected,openshift-enterprise-3.11/jenkins-2-plugins=affe cted,openshift-enterprise-4.0/jenkins-2-plugins=affect ed,openshift-enterprise-3.4/jenkins-plugin-script-secu rity=affected,openshift-enterprise-3.5/jenkins-plugin- script-security=affected,openshift-enterprise-3.6/jenk ins-plugin-script-security=affected,openshift-enterpri se-3.7/jenkins-plugin-script-security=affected,openshi ft-enterprise-3.9/jenkins-plugin-script-security=affec ted,openshift-enterprise-3.10/jenkins-plugin-script-se curity=affected Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: ahardin(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, eparis(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jokerman(a)redhat.com, mchappel(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Other A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. Reference: https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20 -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 1684556] New: CVE-2019-1003024 CVE-2019-1003024 jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1320)
by bugzilla＠redhat.com 27 Apr '20

27 Apr '20

https://bugzilla.redhat.com/show_bug.cgi?id=1684556 Bug ID: 1684556 Summary: CVE-2019-1003024 CVE-2019-1003024 jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1320) Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=important,public=20190219,reported=20190219,sou rce=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S: U/C:H/I:H/A:H,cwe=CWE-96,openshift-enterprise-3.2/jenk ins-plugin-script-security=wontfix,openshift-enterpris e-3.3/jenkins-plugin-script-security=wontfix,openshift -enterprise-3.4/jenkins-plugin-script-security=wontfix ,openshift-enterprise-3.5/jenkins-plugin-script-securi ty=wontfix,openshift-enterprise-3.7/jenkins-plugin-scr ipt-security=wontfix,openshift-enterprise-3.6/jenkins- plugin-script-security=wontfix,openshift-enterprise-3. 9/jenkins-plugin-script-security=wontfix,openshift-ent erprise-3.10/jenkins-plugin-script-security=wontfix,op enshift-enterprise-3.11/jenkins-2-plugins=affected,fed ora-all/jenkins-script-security-plugin=affected,opensh ift-enterprise-4.0/jenkins-2-plugins=affected Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: ahardin(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, eparis(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jokerman(a)redhat.com, mchappel(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Other The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for SECURITY-1266) could be circumvented through use of various Groovy language features: * Use of AnnotationCollector * Import aliasing * Referencing annotation types using their full class name This allowed users with Overall/Read permission, or the ability to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. Using AnnotationCollector is now newly prohibited in sandboxed scripts such as Pipelines. Importing any of the annotations considered unsafe will now result in an error. During the compilation phase, both simple and full class names of prohibited annotations are rejected for element annotations. -- You are receiving this mail because: You are on the CC list for the bug.

1 15

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits March 2019