java-sig-commits March 2020

java-sig-commits@lists.fedoraproject.org

1 participants
410 discussions

[Bug 1800617] New: CVE-2020-5397 springframework: CSRF attack via CORS Preflight Requests with Spring MVC or Spring WebFlux
by bugzilla＠redhat.com 24 Jun '21

24 Jun '21

https://bugzilla.redhat.com/show_bug.cgi?id=1800617 Bug ID: 1800617 Summary: CVE-2020-5397 springframework: CSRF attack via CORS Preflight Requests with Spring MVC or Spring WebFlux Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, chazlett(a)redhat.com, dblechte(a)redhat.com, dfediuck(a)redhat.com, dingyichen(a)gmail.com, drieden(a)redhat.com, eedri(a)redhat.com, esammons(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, ggaughan(a)redhat.com, gvarsami(a)redhat.com, hvyas(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jochrist(a)redhat.com, jolee(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lef(a)fedoraproject.org, mcressma(a)redhat.com, mgoldboi(a)redhat.com, michal.skrivanek(a)redhat.com, mnovotny(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pjindal(a)redhat.com, puebele(a)redhat.com, puntogil(a)libero.it, rrajasek(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sbonazzo(a)redhat.com, sdaley(a)redhat.com, sherold(a)redhat.com, sisharma(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, vbellur(a)redhat.com, vhalbert(a)redhat.com, yturgema(a)redhat.com Target Milestone: --- Classification: Other Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack. Reference: https://pivotal.io/security/cve-2020-5397 -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1816216] New: netty: compression/decompression codecs don't enforce limits on buffer allocation sizes
by bugzilla＠redhat.com 23 Jun '21

23 Jun '21

https://bugzilla.redhat.com/show_bug.cgi?id=1816216 Bug ID: 1816216 Summary: netty: compression/decompression codecs don't enforce limits on buffer allocation sizes Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, darran.lofthouse(a)redhat.com, decathorpe(a)gmail.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jburrell(a)redhat.com, jcantril(a)redhat.com, jerboaa(a)gmail.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jross(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lgao(a)redhat.com, loleary(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, rchan(a)redhat.com, rgodfrey(a)redhat.com, rguimara(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, sokeeffe(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, swoodman(a)redhat.com, tbrisker(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com Target Milestone: --- Classification: Other A vulnerability was found in Netty in the way it handles the amount of data they compress and decompress. Compression/Decompression Codecs should enforce memory allocation size limits to avoid OOME or exhaust the memory pool. Reference: https://github.com/netty/netty/pull/9924 -- You are receiving this mail because: You are on the CC list for the bug.

1 53

[Bug 1709379] New: CVE-2018-20200 okhttp: certificate pinning bypass
by bugzilla＠redhat.com 16 Jun '21

16 Jun '21

https://bugzilla.redhat.com/show_bug.cgi?id=1709379 Bug ID: 1709379 Summary: CVE-2018-20200 okhttp: certificate pinning bypass Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=moderate,public=20190419,reported=20190419,sour ce=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/ I:L/A:N,cwe=CWE-300,fedora-all/okhttp=affected,openshi ft-enterprise-3/okhttp=new,fuse-7/okhttp=new,rhpam-7/o khttp=new,rhdm-7/okhttp=new,springboot-1/okhttp=new Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: msiddiqu(a)redhat.com CC: ahardin(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, avibelli(a)redhat.com, bgeorges(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, chazlett(a)redhat.com, cmoulliard(a)redhat.com, dedgar(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, gerard(a)ryan.lt, ibek(a)redhat.com, ikanello(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jbalunas(a)redhat.com, jgoulding(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jshepherd(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, lpetrovi(a)redhat.com, lthon(a)redhat.com, mchappel(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, mszynkie(a)redhat.com, paradhya(a)redhat.com, pgallagh(a)redhat.com, puntogil(a)libero.it, rrajasek(a)redhat.com, rruss(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, trogers(a)redhat.com Target Milestone: --- Classification: Other CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. Upstream issue: https://github.com/square/okhttp/issues/4967 References: https://cxsecurity.com/issue/WLB-2018120252 https://github.com/square/okhttp/commits/master https://github.com/square/okhttp/releases https://square.github.io/okhttp/3.x/okhttp/ -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1818159] New: janino-3.1.2 is available
by bugzilla＠redhat.com 08 Jun '21

08 Jun '21

https://bugzilla.redhat.com/show_bug.cgi?id=1818159 Bug ID: 1818159 Summary: janino-3.1.2 is available Product: Fedora Version: rawhide Status: NEW Component: janino Keywords: FutureFeature, Triaged Assignee: decathorpe(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, mefoster(a)gmail.com, puntogil(a)libero.it, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 3.1.2 Current version/release in rawhide: 2.7.8-13.fc32 URL: https://janino-compiler.github.io/janino/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/89329/ -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1798524] New: CVE-2019-20444 netty: HTTP request smuggling
by bugzilla＠redhat.com 01 Jun '21

01 Jun '21

https://bugzilla.redhat.com/show_bug.cgi?id=1798524 Bug ID: 1798524 Summary: CVE-2019-20444 netty: HTTP request smuggling Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bbuckingham(a)redhat.com, bcourt(a)redhat.com, bgeorges(a)redhat.com, bkearney(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, btotty(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, darran.lofthouse(a)redhat.com, decathorpe(a)gmail.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, hhudgeon(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jburrell(a)redhat.com, jcantril(a)redhat.com, jerboaa(a)gmail.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jross(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, lgao(a)redhat.com, loleary(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com, mmccune(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pdrozd(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, rchan(a)redhat.com, rguimara(a)redhat.com, rjerrido(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, smaestri(a)redhat.com, sochotni(a)redhat.com, sokeeffe(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org, sthorger(a)redhat.com, tbrisker(a)redhat.com, theute(a)redhat.com, tom.jenkinson(a)redhat.com Target Milestone: --- Classification: Other A vulnerability was found in HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." Reference: https://github.com/netty/netty/issues/9866 https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Fi… -- You are receiving this mail because: You are on the CC list for the bug.

1 55

[Bug 1790845] New: CVE-2019-20352 nasm: heap-based buffer over-read in set_text_free when called from expand_one_smacro in asm/preproc.c
by bugzilla＠redhat.com 25 May '21

25 May '21

https://bugzilla.redhat.com/show_bug.cgi?id=1790845 Bug ID: 1790845 Summary: CVE-2019-20352 nasm: heap-based buffer over-read in set_text_free when called from expand_one_smacro in asm/preproc.c Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: mrehak(a)redhat.com CC: dominik(a)greysector.net, fdc(a)fcami.net, i.gnatenko.brain(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, nickc(a)redhat.com, pbonzini(a)redhat.com Target Milestone: --- Classification: Other In Netwide Assembler (NASM) 2.15rc0, a heap-based buffer over-read occurs (via a crafted .asm file) in set_text_free when called from expand_one_smacro in asm/preproc.c. Upstream Issue: https://bugzilla.nasm.us/show_bug.cgi?id=3392636 -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1790847] New: CVE-2019-20352 nasm: heap-based buffer over-read in set_text_free when called from expand_one_smacro in asm/preproc.c [fedora-all]
by bugzilla＠redhat.com 25 May '21

25 May '21

https://bugzilla.redhat.com/show_bug.cgi?id=1790847 Bug ID: 1790847 Summary: CVE-2019-20352 nasm: heap-based buffer over-read in set_text_free when called from expand_one_smacro in asm/preproc.c [fedora-all] Product: Fedora Version: 31 Status: NEW Component: nasm Keywords: Security, SecurityTracking Severity: high Priority: high Assignee: i.gnatenko.brain(a)gmail.com Reporter: mrehak(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: dominik(a)greysector.net, fdc(a)fcami.net, i.gnatenko.brain(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, pbonzini(a)redhat.com Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1778420] New: maven-artifact-transfer-0.12.0 is available
by bugzilla＠redhat.com 25 May '21

25 May '21

https://bugzilla.redhat.com/show_bug.cgi?id=1778420 Bug ID: 1778420 Summary: maven-artifact-transfer-0.12.0 is available Product: Fedora Version: rawhide Status: NEW Component: maven-artifact-transfer Keywords: FutureFeature, Triaged Assignee: stewardship-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, mhroncok(a)redhat.com, mizdebsk(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 0.12.0 Current version/release in rawhide: 0.11.0-1.fc32 URL: https://maven.apache.org/shared/maven-artifact-transfer/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/20377/ -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 1800116] New: stream-lib: FTBFS in Fedora rawhide/f32
by bugzilla＠redhat.com 25 May '21

25 May '21

https://bugzilla.redhat.com/show_bug.cgi?id=1800116 Bug ID: 1800116 Summary: stream-lib: FTBFS in Fedora rawhide/f32 Product: Fedora Version: rawhide Status: NEW Component: stream-lib Assignee: willb(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, willb(a)redhat.com Blocks: 1750908 (F32FTBFS) Target Milestone: --- Classification: Fedora stream-lib failed to build from source in Fedora rawhide/f32 https://koji.fedoraproject.org/koji/taskinfo?taskID=41322243 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Please fix stream-lib at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, stream-lib will be orphaned. Before branching of Fedora 33, stream-lib will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://fedoraproject.org/wiki/Fails_to_build_from_source Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1750908 [Bug 1750908] Fedora 32 FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 14

[Bug 1799833] New: openjpa: FTBFS in Fedora rawhide/f32
by bugzilla＠redhat.com 25 May '21

25 May '21

https://bugzilla.redhat.com/show_bug.cgi?id=1799833 Bug ID: 1799833 Summary: openjpa: FTBFS in Fedora rawhide/f32 Product: Fedora Version: rawhide Status: NEW Component: openjpa Assignee: jjelen(a)redhat.com Reporter: releng(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, jjelen(a)redhat.com, lef(a)fedoraproject.org, puntogil(a)libero.it Blocks: 1750908 (F32FTBFS) Target Milestone: --- Classification: Fedora openjpa failed to build from source in Fedora rawhide/f32 https://koji.fedoraproject.org/koji/taskinfo?taskID=41320100 For details on the mass rebuild see: https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Please fix openjpa at your earliest convenience and set the bug's status to ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks, openjpa will be orphaned. Before branching of Fedora 33, openjpa will be retired, if it still fails to build. For more details on the FTBFS policy, please visit: https://fedoraproject.org/wiki/Fails_to_build_from_source Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1750908 [Bug 1750908] Fedora 32 FTBFS Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 12

← Newer
1
2
3
4
5
6
7
...
41
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits March 2020