java-sig-commits June 2020

java-sig-commits@lists.fedoraproject.org

1 participants
386 discussions

[Bug 1851019] New: CVE-2020-2875mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
by bugzilla＠redhat.com 14 Dec '21

14 Dec '21

https://bugzilla.redhat.com/show_bug.cgi?id=1851019 Bug ID: 1851019 Summary: CVE-2020-2875mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: mkaplan(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bgeorges(a)redhat.com, bibryam(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, databases-maint(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gmorling(a)redhat.com, gsmet(a)redhat.com, gvarsami(a)redhat.com, hhorak(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jburrell(a)redhat.com, jcoleman(a)redhat.com, jjanco(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lthon(a)redhat.com, mmuzila(a)redhat.com, mnovotny(a)redhat.com, mschorm(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, odubaj(a)redhat.com, pantinor(a)redhat.com, paradhya(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, puntogil(a)libero.it, rguimara(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sbiarozk(a)redhat.com, sdaley(a)redhat.com, sdouglas(a)redhat.com, smaestri(a)redhat.com, sponnaga(a)redhat.com, steve.traylen(a)cern.ch, tcunning(a)redhat.com, tkirby(a)redhat.com, tom.jenkinson(a)redhat.com, vhalbert(a)redhat.com, xjakub(a)fi.muni.cz Target Milestone: --- Classification: Other Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. References: https://www.oracle.com/security-alerts/cpuapr2020.html https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html https://www.debian.org/security/2020/dsa-4703 -- You are receiving this mail because: You are on the CC list for the bug.

1 14

[Bug 1851014] New: CVE-2020-2934 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
by bugzilla＠redhat.com 14 Dec '21

14 Dec '21

https://bugzilla.redhat.com/show_bug.cgi?id=1851014 Bug ID: 1851014 Summary: CVE-2020-2934 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: mkaplan(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bgeorges(a)redhat.com, bibryam(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, databases-maint(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gmorling(a)redhat.com, gsmet(a)redhat.com, gvarsami(a)redhat.com, hhorak(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jbalunas(a)redhat.com, jburrell(a)redhat.com, jcoleman(a)redhat.com, jjanco(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lthon(a)redhat.com, mmuzila(a)redhat.com, mnovotny(a)redhat.com, mschorm(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, odubaj(a)redhat.com, pantinor(a)redhat.com, paradhya(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, psotirop(a)redhat.com, puntogil(a)libero.it, rguimara(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sbiarozk(a)redhat.com, sdaley(a)redhat.com, sdouglas(a)redhat.com, smaestri(a)redhat.com, sponnaga(a)redhat.com, steve.traylen(a)cern.ch, tcunning(a)redhat.com, tkirby(a)redhat.com, tom.jenkinson(a)redhat.com, vhalbert(a)redhat.com, xjakub(a)fi.muni.cz Target Milestone: --- Classification: Other Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data -- You are receiving this mail because: You are on the CC list for the bug.

1 16

[Bug 1785711] New: CVE-2019-17563 tomcat: session fixation
by bugzilla＠redhat.com 30 Nov '21

30 Nov '21

https://bugzilla.redhat.com/show_bug.cgi?id=1785711 Bug ID: 1785711 Summary: CVE-2019-17563 tomcat: session fixation Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, alee(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, chazlett(a)redhat.com, coolsvap(a)gmail.com, csutherl(a)redhat.com, drieden(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, ggaughan(a)redhat.com, gzaronik(a)redhat.com, ibek(a)redhat.com, ivan.afonichev(a)gmail.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jclere(a)redhat.com, jochrist(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, lgao(a)redhat.com, mbabacek(a)redhat.com, mnovotny(a)redhat.com, myarboro(a)redhat.com, paradhya(a)redhat.com, pjindal(a)redhat.com, rhcs-maint(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, sdaley(a)redhat.com, weli(a)redhat.com Target Milestone: --- Classification: Other When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. Reference: https://tomcat.apache.org/security-7.html https://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-9.html Upstream commits: https://github.com/apache/tomcat/commit/ab72a10 https://github.com/apache/tomcat/commit/e19a202 https://github.com/apache/tomcat/commit/1ecba14 -- You are receiving this mail because: You are on the CC list for the bug.

1 41

[Bug 1835508] New: powermock tests incompatible with assertj-core 3.11.0+
by bugzilla＠redhat.com 30 Nov '21

30 Nov '21

https://bugzilla.redhat.com/show_bug.cgi?id=1835508 Bug ID: 1835508 Summary: powermock tests incompatible with assertj-core 3.11.0+ Product: Fedora Version: rawhide Status: NEW Component: powermock Assignee: rkennke(a)redhat.com Reporter: decathorpe(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: dingyichen(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, neugens(a)redhat.com, rkennke(a)redhat.com Target Milestone: --- Classification: Fedora I've tried to update assertj-core to the latest version, but there have been minor API changes that powermock does not seem to be compatible with: https://copr.fedorainfracloud.org/coprs/decathorpe/assertj-core-fixes-pr/bu… The first issues seems to be caused by this upstream commit: https://github.com/joel-costigliola/assertj-core/commit/de6e751563640c7d157… In this file: powermock-core/src/test/java/org/powermock/core/classloader/MockClassLoaderFactoryTest.java Replacing .are(contains(foo)) with .isEqualsTo(foo) fixes these two issues. However, they are not the only problems, and I've not been able to fix the rest, and error messages for closures seem to be especially unhelpful in Java. -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1832624] New: unable to install package
by bugzilla＠redhat.com 30 Nov '21

30 Nov '21

https://bugzilla.redhat.com/show_bug.cgi?id=1832624 Bug ID: 1832624 Summary: unable to install package Product: Fedora Version: rawhide Hardware: x86_64 OS: Linux Status: NEW Component: flatpack Severity: medium Assignee: extras-orphan(a)fedoraproject.org Reporter: rmayconsult1337(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it Target Milestone: --- Classification: Fedora Description of problem: I downloaded the Fedora 33 Rawhide for testing and was able to start the install and halfway it says the flatpack was unable to install and terminates the entire OS install Version-Release number of selected component (if applicable): Fedora 33 Rawhide How reproducible: Steps to Reproduce: 1. Download the Fedora 33 Rawhide .iso and install 2. Format the hard drive wanting to install the OS 3. Run the Fedora 33 .iso disc to install and have the same results I was seeing Actual results: Format my hard drive and reverted to Fedora 32 x64 Expected results: Remove the flatpack file from the .iso image available for download and see if that fixes the error I'm seeing when I attempt the install. Additional info: I've been running the Fedora OS on my machine since Fedora 10 and have never encountered an install error of the OS that has made me revert to the prior release with, I was wanting to run Fedora 33 for Testing and see how it was. -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1833976] New: FTI: hibernate: hibernate-c3p0, hibernate-core, hibernate-ehcache, hibernate-entitymanager, hibernate-hikaricp, hibernate-infinispan, hibernate-proxool, hibernate-testing
by bugzilla＠redhat.com 30 Nov '21

30 Nov '21

https://bugzilla.redhat.com/show_bug.cgi?id=1833976 Bug ID: 1833976 Summary: FTI: hibernate: hibernate-c3p0, hibernate-core, hibernate-ehcache, hibernate-entitymanager, hibernate-hikaricp, hibernate-infinispan, hibernate-proxool, hibernate-testing Product: Fedora Version: rawhide Status: NEW Component: hibernate Assignee: extras-orphan(a)fedoraproject.org Reporter: i.gnatenko.brain(a)gmail.com QA Contact: extras-qa(a)fedoraproject.org CC: extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, odubaj(a)redhat.com, puntogil(a)libero.it Blocks: 1750909 (F32FailsToInstall) Target Milestone: --- Classification: Fedora Hello, Please note that this comment was generated automatically. If you feel that this output has mistakes, please contact me via email (ignatenkobrain(a)fedoraproject.org). Your package (hibernate) Fails To Install in Fedora 32: can't install hibernate-c3p0: - nothing provides mvn(com.mchange:c3p0) needed by hibernate-c3p0-5.0.10-6.fc30.noarch can't install hibernate-core: - nothing provides mvn(org.hibernate.common:hibernate-commons-annotations) needed by hibernate-core-5.0.10-6.fc30.noarch - nothing provides mvn(com.fasterxml:classmate) needed by hibernate-core-5.0.10-6.fc30.noarch - nothing provides mvn(org.jboss.spec.javax.security.jacc:jboss-jacc-api_1.4_spec) needed by hibernate-core-5.0.10-6.fc30.noarch - nothing provides mvn(org.jboss:jandex) needed by hibernate-core-5.0.10-6.fc30.noarch can't install hibernate-ehcache: - nothing provides mvn(net.sf.ehcache:ehcache-core) needed by hibernate-ehcache-5.0.10-6.fc30.noarch can't install hibernate-entitymanager: - nothing provides mvn(org.hibernate.common:hibernate-commons-annotations) needed by hibernate-entitymanager-5.0.10-6.fc30.noarch can't install hibernate-hikaricp: - nothing provides mvn(com.zaxxer:HikariCP) needed by hibernate-hikaricp-5.0.10-6.fc30.noarch can't install hibernate-infinispan: - nothing provides mvn(org.infinispan:infinispan-core) needed by hibernate-infinispan-5.0.10-6.fc30.noarch can't install hibernate-proxool: - nothing provides mvn(proxool:proxool) needed by hibernate-proxool-5.0.10-6.fc30.noarch can't install hibernate-testing: - nothing provides mvn(com.experlog:xapool) needed by hibernate-testing-5.0.10-6.fc30.noarch - nothing provides mvn(org.jboss.narayana.jta:jta) needed by hibernate-testing-5.0.10-6.fc30.noarch If you don't react accordingly to the policy for FTBFS/FTI bugs (https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…), your package may be orphaned in 8+ weeks. P.S. The data was generated solely from koji buildroot, so it might be newer than the latest compose or the content on mirrors. P.P.S. If this bug has been reported in the middle of upgrading multiple dependent packages, please consider using side tags: https://docs.fedoraproject.org/en-US/rawhide-gating/multi-builds/ Thanks! Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1750909 [Bug 1750909] Fedora 32 Fails To install Tracker -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1851651] New: nasm-2.15 is available
by bugzilla＠redhat.com 11 Nov '21

11 Nov '21

https://bugzilla.redhat.com/show_bug.cgi?id=1851651 Bug ID: 1851651 Summary: nasm-2.15 is available Product: Fedora Version: rawhide Status: NEW Component: nasm Keywords: FutureFeature, Triaged Assignee: igor.raits(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: dominik(a)greysector.net, igor.raits(a)gmail.com, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com, pbonzini(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 2.15 Current version/release in rawhide: 2.14.02-3.fc32 URL: http://www.nasm.us/pub/nasm/releasebuilds/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/2048/ -- You are receiving this mail because: You are on the CC list for the bug.

1 13

[Bug 1785554] New: testng-7.1.1 is available
by bugzilla＠redhat.com 09 Nov '21

09 Nov '21

https://bugzilla.redhat.com/show_bug.cgi?id=1785554 Bug ID: 1785554 Summary: testng-7.1.1 is available Product: Fedora Version: rawhide Status: NEW Component: testng Keywords: FutureFeature, Triaged Assignee: decathorpe(a)gmail.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, jaromir.capik(a)email.cz, java-sig-commits(a)lists.fedoraproject.org, lkundrak(a)v3.sk, mizdebsk(a)redhat.com, stewardship-sig(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Latest upstream release: 7.1.1 Current version/release in rawhide: 6.14.3-9.fc31 URL: https://github.com/cbeust/testng Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/4956/ -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 1848617] New: CVE-2019-17566 batik: SSRF via "xlink:href"
by bugzilla＠redhat.com 03 Nov '21

03 Nov '21

https://bugzilla.redhat.com/show_bug.cgi?id=1848617 Bug ID: 1848617 Summary: CVE-2019-17566 batik: SSRF via "xlink:href" Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: akurtako(a)redhat.com, c.david86(a)gmail.com, decathorpe(a)gmail.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, mat.booth(a)redhat.com, mizdebsk(a)redhat.com, sergio(a)serjux.com Target Milestone: --- Classification: Other The Apache Batik library is vulnerable to SSRF via "xlink:href" attributes that allow an attacker to cause the underlying server to make arbitrary GET requests. References: https://www.openwall.com/lists/oss-security/2020/06/15/2 -- You are receiving this mail because: You are on the CC list for the bug.

1 18

[Bug 1797065] New: CVE-2020-2104 jenkins: Memory usage graphs accessible to anyone with Overall/Read
by bugzilla＠redhat.com 27 Oct '21

27 Oct '21

https://bugzilla.redhat.com/show_bug.cgi?id=1797065 Bug ID: 1797065 Summary: CVE-2020-2104 jenkins: Memory usage graphs accessible to anyone with Overall/Read Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: abenaiss(a)redhat.com, adam.kaplan(a)redhat.com, aos-bugs(a)redhat.com, bmontgom(a)redhat.com, eparis(a)redhat.com, extras-orphan(a)fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jokerman(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com, nstielau(a)redhat.com, pbhattac(a)redhat.com, sponnaga(a)redhat.com, vbobade(a)redhat.com, wzheng(a)redhat.com Target Milestone: --- Classification: Other Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart. References: https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1650 http://www.openwall.com/lists/oss-security/2020/01/29/1 -- You are receiving this mail because: You are on the CC list for the bug.

1 12

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits June 2020