https://bugzilla.redhat.com/show_bug.cgi?id=958727
Bug ID: 958727
Summary: plexus-utils: XMLWriterUtil should guard against problematic comments
Product: Fedora
Version: rawhide
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Blocks: 958220
Category: ---
org.codehaus.plexus.util.xml#writeComment(XMLWriter, String, int, int, int)
does not check if the comment includes a "-->" sequence. This means that text
contained in the comment string could be interpreted as XML, possibly leading
to XML injection issues, depending on how this method is being called.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=N5myzkUcYQ&a=cc_unsubscribe
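The following is an added illustration of the problem described in the report above, not code from plexus-utils. It shows an unguarded comment writer leaking a `<script>` element past the parser, and a guarded version that either rejects or neutralises the input. The class and method names are made up for the example; the check itself follows XML 1.0 section 2.5, which forbids "--" inside a comment and a trailing "-", so anything containing "-->" fails it too.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public final class GuardedCommentWriter {

    // XML 1.0 section 2.5: a comment must not contain "--" and must not end with "-".
    // A "-->" sequence contains "--", so it is rejected by the same rule.
    public static boolean isValidComment(String comment) {
        return comment != null && !comment.contains("--") && !comment.endsWith("-");
    }

    // Neutralise instead of reject: break every "--" run and pad a trailing "-".
    public static String sanitizeComment(String comment) {
        String s = comment;
        while (s.contains("--")) {
            s = s.replace("--", "- -");
        }
        if (s.endsWith("-")) {
            s = s + " ";
        }
        return s;
    }

    // Unguarded writer: the behaviour the bug report describes (hypothetical, not plexus code).
    public static void writeCommentUnguarded(Writer w, String comment) throws IOException {
        w.write("<!--");
        w.write(comment);
        w.write("-->");
    }

    // Guarded writer: refuses input that could terminate the comment early.
    public static void writeComment(Writer w, String comment) throws IOException {
        if (!isValidComment(comment)) {
            throw new IllegalArgumentException("comment contains '--' or ends with '-'");
        }
        writeCommentUnguarded(w, comment);
    }

    // Parse the result and count <script> elements, i.e. markup that escaped the comment.
    static int countScriptElements(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("script").getLength();
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker-controlled input: closes the comment, injects an element, reopens it.
        String hostile = "generated by build --><script>alert(1)</script><!-- tool";

        StringWriter unguarded = new StringWriter();
        unguarded.write("<root>");
        writeCommentUnguarded(unguarded, hostile);
        unguarded.write("</root>");
        System.out.println(unguarded + "  -> script elements: "
                + countScriptElements(unguarded.toString()));   // 1

        StringWriter guarded = new StringWriter();
        guarded.write("<root>");
        writeComment(guarded, sanitizeComment(hostile));
        guarded.write("</root>");
        System.out.println(guarded + "  -> script elements: "
                + countScriptElements(guarded.toString()));     // 0

        try {
            writeComment(new StringWriter(), hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected raw input: " + e.getMessage());
        }
    }
}
```

Whether a writer should reject or sanitise depends on the caller: a build tool writing a log comment can safely rewrite "--" to "- -", while an API that promises to reproduce the caller's text verbatim should throw, since silently altering the comment hides the fact that the input was hostile.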
https://bugzilla.redhat.com/show_bug.cgi?id=958221
Bug ID: 958221
Summary: plexus-utils: directory traversal in org.codehaus.plexus.util.Expand
Product: Fedora
Version: rawhide
Component: plexus-utils
Severity: unspecified
Priority: unspecified
Assignee: fnasser(a)redhat.com
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: fnasser(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Blocks: 958220
Category: ---
org.codehaus.plexus.util.Expand does not guard against directory traversal, but
such protection is generally expected from unarchiving tools.
I think the class should just be deprecated and removed because there do not
appear to be any users left (not even a test case).
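As an added example of the protection the report above says unarchiving tools are expected to have (this is not plexus-utils' Expand, and the class and method names are invented for the illustration), the following builds a small zip archive in memory containing a "../../" entry, extracts it once without and once with the guard, and shows that only the unguarded run writes outside the destination. It relies only on java.util.zip and java.nio.file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class GuardedExpand {

    // Constructed test archive: one benign entry and one that climbs out of the target.
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("docs/readme.txt"));
            zos.write("benign".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../escaped.txt"));
            zos.write("written outside the destination".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    // The guard: resolve the entry name against the destination, collapse "..", and require
    // the result to stay under the destination. Path.startsWith compares whole components,
    // so "/tmp/out" does not accept "/tmp/outside". An absolute entry name resolves to
    // itself and is rejected by the same comparison.
    static Path safeTarget(Path root, String entryName) throws IOException {
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        return target;
    }

    static List<String> expand(byte[] archive, Path dest, boolean guard) throws IOException {
        Path root = dest.toAbsolutePath().normalize();
        Files.createDirectories(root);
        List<String> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target;
                if (guard) {
                    try {
                        target = safeTarget(root, entry.getName());
                    } catch (IOException e) {
                        System.err.println("skipped: " + e.getMessage());
                        continue;
                    }
                } else {
                    // What an unguarded unarchiver does: trust the name as given.
                    target = root.resolve(entry.getName()).normalize();
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                    written.add(target.toString());
                }
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        // Sandbox: the destination sits two levels below a temp dir, so the "../../" entry
        // lands inside the temp dir rather than anywhere on the real filesystem.
        Path sandbox = Files.createTempDirectory("expand-demo");
        Path dest = sandbox.resolve("a").resolve("b");
        byte[] archive = buildArchive();

        System.out.println("unguarded: " + expand(archive, dest, false));
        System.out.println("escaped file exists: " + Files.exists(sandbox.resolve("escaped.txt")));

        System.out.println("guarded:   " + expand(archive, dest, true));
    }
}
```

The check has to run on the normalised, absolute path of every entry, directories included; checking only file entries, or comparing strings with String.startsWith, leaves the obvious bypasses open. Archive formats that can carry symbolic links (tar, for instance) need the additional rule that a link target is resolved and checked the same way before any later entry is written through it.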
https://bugzilla.redhat.com/show_bug.cgi?id=1098412
Bug ID: 1098412
Summary: pax-logging: Bundles code from other logging libraries
Product: Fedora
Version: rawhide
Component: pax-logging
Assignee: puntogil(a)libero.it
Reporter: fweimer(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it
Blocks: 1098237
pax-logging-1.6.9-8.fc21.noarch bundles class files from other Fedora packages
in its JAR files, e.g. org/slf4j/ILoggerFactory (from
slf4j-0:1.7.7-1.fc21.noarch), org/apache/log4j/helpers/ThreadLocalMap (from
log4j-0:1.2.17-16.fc21.noarch), and some OSGI-related classes like
org/osgi/service/log/LogEntry whose main package is a bit unclear.
This is against the Fedora packaging guidelines, specifically
<http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries>.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1098237
[Bug 1098237] Java "static linking"/class bundling in Fedora
https://bugzilla.redhat.com/show_bug.cgi?id=1004916
Bug ID: 1004916
Summary: Package doesn't provide a sysvinit script or systemd service unit
Product: Fedora
Version: 19
Component: activemq
Severity: high
Assignee: mspaulding06(a)gmail.com
Reporter: skottler(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: agrimm(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mspaulding06(a)gmail.com, tdawson(a)redhat.com
Description of problem:
activemq doesn't provide the necessary scripts/config files to start.
Version-Release number of selected component (if applicable):
0:5.6.0-5.fc19
How reproducible:
Always.
Steps to Reproduce:
1. yum install -y activemq activemq-core
2. try starting the service
3. note there is not a service unit
This seems like a fairly major thing to be missing in the packages. Is there
another package or metapackage that needs to be installed for it to work?
https://bugzilla.redhat.com/show_bug.cgi?id=1127276
Bug ID: 1127276
Summary: CVE-2014-5075 smack: MitM vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: vkaigoro(a)redhat.com
CC: brms-jira(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
pavelp(a)redhat.com, puntogil(a)libero.it,
tkirby(a)redhat.com, weli(a)redhat.com
It was reported [1] that Smack (XMPP client library) is vulnerable to MitM
attacks with crafted SSL certificates.
Quote from [1]:
...
Details
-------
Smack is using Java's `SSLSocket`, which checks the peer certificate
using an `X509TrustManager`, but does not perform hostname verification.
Therefore, it is possible to redirect the traffic between a Smack-using
application and a legitimate XMPP server through the attacker's server,
merely by providing a valid certificate for a domain under the
attacker's control.
In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager`
implementation was used, which was supplied with the connection's server
name, and performed hostname verification. However, it failed to verify
the basicConstraints and nameConstraints of the certificate chain
(CVE-2014-0363, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363)
and has been removed in Smack 4.0.0.
Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did
not benefit from `ServerTrustManager` and are vulnerable as well, unless
their own `TrustManager` implementation explicitly performs hostname
verification.
...
[1]: http://seclists.org/bugtraq/2014/Aug/29
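The following is an added example of the two patterns the quoted advisory contrasts, chain validation alone versus chain validation plus hostname verification, written against plain JSSE; it is not Smack's code and the class and method names are made up here. It assumes Java 7 or later (SSLParameters.setEndpointIdentificationAlgorithm) and, to stay self-contained, speaks TLS-on-connect rather than XMPP STARTTLS, so it needs a network and a TLS endpoint to run end to end (port 5223 for legacy XMPP-over-SSL, or any HTTPS host on 443). The point that is specific to XMPP is that the name to verify is the service domain the user configured, which after SRV resolution is often not the host the TCP connection goes to.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class VerifiedTlsSocket {

    // Vulnerable pattern: the default X509TrustManager validates the chain, but nothing
    // checks that the certificate was issued for the service we meant to reach, so any
    // valid certificate for any name is accepted.
    static SSLSocket connectChainOnly(String connectHost, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(connectHost, port);
        s.startHandshake();
        return s;
    }

    // Hardened pattern: open the TCP connection to the resolved host, then wrap it with the
    // service domain as the expected identity and turn on endpoint identification so the
    // JSSE trust manager enforces that the certificate matches serviceDomain.
    static SSLSocket connectVerified(String serviceDomain, String connectHost, int port)
            throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        Socket plain = new Socket(connectHost, port);
        SSLSocket s = (SSLSocket) f.createSocket(plain, serviceDomain, port, true);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 style name matching
        s.setSSLParameters(p);
        s.startHandshake(); // throws SSLHandshakeException if the name does not match
        return s;
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 2) {
            System.err.println("usage: VerifiedTlsSocket <service-domain> <connect-host> [port]");
            return;
        }
        String domain = args[0];
        String host = args[1];
        int port = args.length > 2 ? Integer.parseInt(args[2]) : 443;
        try (SSLSocket s = connectVerified(domain, host, port)) {
            SSLSession session = s.getSession();
            System.out.println("verified " + domain + " via " + host + ": "
                    + session.getPeerPrincipal());
        }
    }
}
```

A quick negative test is to pass a service domain that the target host does not hold a certificate for: connectChainOnly still completes the handshake, connectVerified fails during startHandshake. As the advisory notes, an application that installs its own TrustManager takes over this responsibility as well, so a custom implementation has to perform the identity check itself or delegate to one that does.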
https://bugzilla.redhat.com/show_bug.cgi?id=1079233
Bug ID: 1079233
Summary: mockito: update to 1.9.5
Product: Fedora
Version: rawhide
Component: mockito
Assignee: rkennke(a)redhat.com
Reporter: msrb(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, omajid(a)redhat.com,
rkennke(a)redhat.com
Created attachment 877167
--> https://bugzilla.redhat.com/attachment.cgi?id=877167&action=edit
update to 1.9.5
Description of problem:
Upstream version 1.9.5 is available. Rawhide currently contains version 1.9.0.
Attached patch was created by Michael Simacek (see #1040350).
https://bugzilla.redhat.com/show_bug.cgi?id=1018485
Bug ID: 1018485
Summary: EclipseLink 2.5.1 is available
Product: Fedora
Version: rawhide
Component: eclipselink
Assignee: puntogil(a)libero.it
Reporter: gerard(a)ryan.lt
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it
Description of problem:
Latest release of eclipselink in rawhide & f20 is 2.4.2, and in f19 is 2.3.2.
Eclipselink 2.5.1 was released in late September [0].
Since eclipselink 2.5.x is part of Kepler simultaneous release[1], and 2.5.1
came out with Kepler SR1, I wonder if we should have 2.5.1 everywhere we have
eclipse 4.3.1 and other eclipse projects that came with SR1 release?
I think we should have it for rawhide/f20, and maybe f19 too.
[0] http://www.eclipse.org/eclipselink/releases/2.5.php
[1] http://projects.eclipse.org/releases/kepler