java-sig-commits February 2020

java-sig-commits@lists.fedoraproject.org

1 participants
371 discussions

[Bug 1720601] New: javapackages-tools-5.3.1 is available
by bugzilla＠redhat.com 07 Feb '22

07 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1720601 Bug ID: 1720601 Summary: javapackages-tools-5.3.1 is available Product: Fedora Version: rawhide Status: NEW Component: javapackages-tools Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, mat.booth(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, sochotni(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 5.3.1 Current version/release in rawhide: 5.3.0-4.fc30 URL: https://github.com/fedora-java/javapackages Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/15556/ -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1807472] New: jflex-1.8.0 is available
by bugzilla＠redhat.com 07 Feb '22

07 Feb '22

https://bugzilla.redhat.com/show_bug.cgi?id=1807472 Bug ID: 1807472 Summary: jflex-1.8.0 is available Product: Fedora Version: rawhide Status: NEW Component: jflex Keywords: FutureFeature, Triaged Assignee: stewardship-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, decathorpe(a)gmail.com, jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 1.8.0 Current version/release in rawhide: 1.7.0-2.fc32 URL: http://jflex.de/download.html Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1449/ -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1694308] New: httpcomponents-client-4.5.8 is available
by bugzilla＠redhat.com 31 Jan '22

31 Jan '22

https://bugzilla.redhat.com/show_bug.cgi?id=1694308 Bug ID: 1694308 Summary: httpcomponents-client-4.5.8 is available Product: Fedora Version: rawhide Status: NEW Component: httpcomponents-client Keywords: FutureFeature, Triaged Assignee: stuart(a)gathman.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com, sochotni(a)redhat.com, stuart(a)gathman.org Target Milestone: --- Classification: Fedora Latest upstream release: 4.5.8 Current version/release in rawhide: 4.5.6-3.fc30 URL: http://www.apache.org/dist/httpcomponents/httpclient/source/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/1334/ -- You are receiving this mail because: You are on the CC list for the bug.

1 11

[Bug 1785711] New: CVE-2019-17563 tomcat: session fixation
by bugzilla＠redhat.com 30 Nov '21

30 Nov '21

https://bugzilla.redhat.com/show_bug.cgi?id=1785711 Bug ID: 1785711 Summary: CVE-2019-17563 tomcat: session fixation Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, chazlett(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, drieden(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, ggaughan(a)redhat.com, gzaronik(a)redhat.com, ibek(a)redhat.com, ivan.afonichev(a)gmail.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jclere(a)redhat.com, jochrist(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, lgao(a)redhat.com, mbabacek(a)redhat.com, mnovotny(a)redhat.com, myarboro(a)redhat.com, paradhya(a)redhat.com, pjindal(a)redhat.com, rhcs-maint(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, weli(a)redhat.com Target Milestone: --- Classification: Other When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. Reference: https://tomcat.apache.org/security-7.html https://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-9.html Upstream commits: https://github.com/apache/tomcat/commit/ab72a10 https://github.com/apache/tomcat/commit/e19a202 https://github.com/apache/tomcat/commit/1ecba14 -- You are receiving this mail because: You are on the CC list for the bug.

1 41

[Bug 1785554] New: testng-7.1.1 is available
by bugzilla＠redhat.com 09 Nov '21

09 Nov '21

https://bugzilla.redhat.com/show_bug.cgi?id=1785554 Bug ID: 1785554 Summary: testng-7.1.1 is available Product: Fedora Version: rawhide Status: NEW Component: testng Keywords: FutureFeature, Triaged Assignee: decathorpe(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 7.1.1 Current version/release in rawhide: 6.14.3-9.fc31 URL: https://github.com/cbeust/testng Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/4956/ -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 1797065] New: CVE-2020-2104 jenkins: Memory usage graphs accessible to anyone with Overall/Read
by bugzilla＠redhat.com 27 Oct '21

27 Oct '21

https://bugzilla.redhat.com/show_bug.cgi?id=1797065 Bug ID: 1797065 Summary: CVE-2020-2104 jenkins: Memory usage graphs accessible to anyone with Overall/Read Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, pbhattac(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart. References: https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1650 http://www.openwall.com/lists/oss-security/2020/01/29/1 -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 1797062] New: CVE-2020-2103 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page
by bugzilla＠redhat.com 27 Oct '21

27 Oct '21

https://bugzilla.redhat.com/show_bug.cgi?id=1797062 Bug ID: 1797062 Summary: CVE-2020-2103 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, pbhattac(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page. References: https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1695 https://www.openwall.com/lists/oss-security/2020/01/29/1 -- You are receiving this mail because: You are on the CC list for the bug.

1 12

[Bug 1767483] New: CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
by bugzilla＠redhat.com 14 Oct '21

14 Oct '21

https://bugzilla.redhat.com/show_bug.cgi?id=1767483 Bug ID: 1767483 Summary: CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: bkearney(a)redhat.com, dblechte(a)redhat.com, decathorpe(a)gmail.com, dfediuck(a)redhat.com, eedri(a)redhat.com, fnasser(a)redhat.com, hhorak(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jorton(a)redhat.com, mgoldboi(a)redhat.com, mhroncok(a)redhat.com, michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com, omajid(a)redhat.com, qe-baseos-apps(a)redhat.com, sbonazzo(a)redhat.com, sgehwolf(a)redhat.com, sherold(a)redhat.com, SpikeFedora(a)gmail.com, stewardship-sig(a)lists.fedoraproject.org, tlestach(a)redhat.com, yturgema(a)redhat.com Target Milestone: --- Classification: Other In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. Reference: http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC62879… -- You are receiving this mail because: You are on the CC list for the bug.

1 70

[Bug 1799475] New: CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application
by bugzilla＠redhat.com 04 Oct '21

04 Oct '21

https://bugzilla.redhat.com/show_bug.cgi?id=1799475 Bug ID: 1799475 Summary: CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, chazlett(a)redhat.com, dblechte(a)redhat.com, dfediuck(a)redhat.com, dingyichen(a)gmail.com, drieden(a)redhat.com, eedri(a)redhat.com, esammons(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, ggaughan(a)redhat.com, gvarsami(a)redhat.com, hvyas(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jochrist(a)redhat.com, jolee(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lef(a)fedoraproject.org, mcressma(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mnovotny(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pjindal(a)redhat.com, puebele(a)redhat.com, puntogil(a)libero.it, rrajasek(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sbonazzo(a)redhat.com, sdaley(a)redhat.com, sherold(a)redhat.com, sisharma(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, vbellur(a)redhat.com, vhalbert(a)redhat.com, yturgema(a)redhat.com Target Milestone: --- Classification: Other In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input. Reference: https://pivotal.io/security/cve-2020-5398 -- You are receiving this mail because: You are on the CC list for the bug.

1 17

[Bug 1785699] New: CVE-2019-12418 tomcat: local privilege escalation
by bugzilla＠redhat.com 04 Oct '21

04 Oct '21

https://bugzilla.redhat.com/show_bug.cgi?id=1785699 Bug ID: 1785699 Summary: CVE-2019-12418 tomcat: local privilege escalation Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, chazlett(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, drieden(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, ggaughan(a)redhat.com, gzaronik(a)redhat.com, ibek(a)redhat.com, ivan.afonichev(a)gmail.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jclere(a)redhat.com, jochrist(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, lgao(a)redhat.com, mbabacek(a)redhat.com, mnovotny(a)redhat.com, myarboro(a)redhat.com, paradhya(a)redhat.com, pjindal(a)redhat.com, rhcs-maint(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, weli(a)redhat.com Target Milestone: --- Classification: Other When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. Reference: https://tomcat.apache.org/security-7.html https://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-9.html Upstream commits: https://github.com/apache/tomcat/commit/bef3f40 https://github.com/apache/tomcat/commit/a91d7db https://github.com/apache/tomcat/commit/1fc9f58 -- You are receiving this mail because: You are on the CC list for the bug.

1 32

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits February 2020