https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Bug ID: 1508123
Summary: CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: abhgupta(a)redhat.com, bmcclain(a)redhat.com,
dbhole(a)redhat.com, dblechte(a)redhat.com,
dwalluck(a)redhat.com, eedri(a)redhat.com,
hhorak(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jorton(a)redhat.com, krzysztof.daniel(a)gmail.com,
kseifried(a)redhat.com, mgoldboi(a)redhat.com,
michal.skrivanek(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, puntogil(a)libero.it,
sbonazzo(a)redhat.com, sherold(a)redhat.com,
sochotni(a)redhat.com, tiwillia(a)redhat.com,
ykaul(a)redhat.com, ylavi(a)redhat.com
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva,
allows remote attackers to execute arbitrary code via a crafted serialized Java
object in an <ex:serializable> element.
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5
https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Bug ID: 1372120
Summary: CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: jshepherd(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, aszczucz(a)redhat.com,
bazulay(a)redhat.com, bbaranow(a)redhat.com,
bdawidow(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmcclain(a)redhat.com,
cbillett(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, csutherl(a)redhat.com,
dandread(a)redhat.com, darran.lofthouse(a)redhat.com,
dblechte(a)redhat.com, dosoudil(a)redhat.com,
eedri(a)redhat.com, epp-bugs(a)redhat.com,
etirelli(a)redhat.com, felias(a)redhat.com,
fnasser(a)redhat.com, gklein(a)redhat.com,
gvarsami(a)redhat.com, hchiorea(a)redhat.com,
hfnukal(a)redhat.com, huwang(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jboss-set(a)redhat.com,
jbpapp-maint(a)redhat.com, jcoleman(a)redhat.com,
jdg-bugs(a)redhat.com, jmatthew(a)redhat.com,
jolee(a)redhat.com, jpallich(a)redhat.com,
jshepherd(a)redhat.com, katello-bugs(a)redhat.com,
kconner(a)redhat.com, kseifried(a)redhat.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
lgao(a)redhat.com, lpetrovi(a)redhat.com,
lsurette(a)redhat.com, mbaluch(a)redhat.com,
mgoldboi(a)redhat.com, mgoldman(a)redhat.com,
miburman(a)redhat.com, michal.skrivanek(a)redhat.com,
mmccune(a)redhat.com, mweiler(a)redhat.com,
mwinkler(a)redhat.com, myarboro(a)redhat.com,
nwallace(a)redhat.com, ohadlevy(a)redhat.com,
oourfali(a)redhat.com, pavelp(a)redhat.com,
pgier(a)redhat.com, pkliczew(a)redhat.com,
psakar(a)redhat.com, pslavice(a)redhat.com,
puntogil(a)libero.it, rcernich(a)redhat.com,
Rhev-m-bugs(a)redhat.com, rnetuka(a)redhat.com,
rrajasek(a)redhat.com, rsvoboda(a)redhat.com,
rwagner(a)redhat.com, rzhang(a)redhat.com,
satellite6-bugs(a)redhat.com, sherold(a)redhat.com,
soa-p-jira(a)post-office.corp.redhat.com,
spinder(a)redhat.com, tcunning(a)redhat.com,
theute(a)redhat.com, tjay(a)redhat.com, tkirby(a)redhat.com,
tlestach(a)redhat.com, tomckay(a)redhat.com,
tsanders(a)redhat.com, ttarrant(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com,
vtunka(a)redhat.com, weli(a)redhat.com, ydary(a)redhat.com,
ykaul(a)redhat.com
It was found that GZIPInterceptor is enabled when not necessarily required in
RESTEasy. An attacker could use this flaw to launch a Denial of Service attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1448498
Bug ID: 1448498
Summary: apache-sshd-1.4.0 is available
Product: Fedora
Version: rawhide
Component: apache-sshd
Keywords: Rebase
Assignee: msrb(a)redhat.com
Reporter: sbonazzo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
msrb(a)redhat.com, puntogil(a)libero.it
Latest upstream release: 1.4.0
Current version/release in rawhide: 0.14.0-5.fc26
URL: www.eu.apache.org/dist/mina/sshd
Based on the information from anitya:
https://release-monitoring.org/project/15120/
Opened manually since integration with anitya and upstream release monitoring
is turned off in
https://admin.fedoraproject.org/pkgdb/package/rpms/apache-sshd/
https://bugzilla.redhat.com/show_bug.cgi?id=1413657
Bug ID: 1413657
Summary: Doesn't start
Product: Fedora
Version: 25
Component: elasticsearch
Assignee: zbyszek(a)in.waw.pl
Reporter: sergiypavlichenko(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: bobjensen(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, pahan(a)hubbitus.info,
zbyszek(a)in.waw.pl
Description of problem:
Version-Release number of selected component (if applicable):
elasticsearch-1.7.1-3.fc24.noarch
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)
How reproducible:
Steps to Reproduce:
1. dnf install elasticsearch
2. systemctl start elasticsearch
Actual results:
elasticsearch.service - ElasticSearch search engine
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2017-01-16 17:54:09 EET; 38s ago
Docs: https://www.elasticsearch.org/guide/en/elasticsearch/guide/current/index.ht…
Process: 9679 ExecStart=/usr/libexec/elasticsearch (code=exited, status=1/FAILURE)
Main PID: 9679 (code=exited, status=1/FAILURE)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:32)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: Caused by: java.lang.ClassNotFoundException: com.fasterxml.jackson.databind.JsonMappingException
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: ... 11 more
Jan 16 17:54:09 localhost.localdomain systemd[1]: elasticsearch.service: Main process exited, code=exited, status=1/FAILURE
Jan 16 17:54:09 localhost.localdomain systemd[1]: elasticsearch.service: Unit entered failed state.
Jan 16 17:54:09 localhost.localdomain systemd[1]: elasticsearch.service: Failed with result 'exit-code'.
https://bugzilla.redhat.com/show_bug.cgi?id=1500288
Bug ID: 1500288
Summary: jpackage utils requires java-1.8.0-openjdk
Product: Fedora
Version: 27
Component: jpackage-utils
Assignee: extras-orphan(a)fedoraproject.org
Reporter: jvanek(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, msrb(a)redhat.com,
sochotni(a)redhat.com
Description of problem:
jpackage utils requires java-1.8.0-openjdk
Version-Release number of selected component (if applicable):
f27+
How reproducible:
Consider the system java settings for f27:
https://fedoraproject.org/wiki/Releases/27/ChangeSet#Decouple_system_java_s…
This brought java-1.8.0-openjdk in as a dependency of jpackage-tools.
As a side effect:
- java-1.8.0-openjdk and jpackage-tools are now circular dependencies.
- java-1.8.0-openjdk-aarch32 now pulls in java-1.8.0-openjdk
- that successfully kills usage of java-1.8.0-openjdk-aarch32 in the buildroot,
as you can not change alternatives
Now consider jdk9 in f27:
https://fedoraproject.org/wiki/Releases/27/ChangeSet#Java_9
The side effect is the same as for jdk8-aarch32. Installation of java-9-openjdk
(which requires jpackage tools) will pull in java8. It kills jdk9 in the buildroot
and makes the life of a possible jdk9 user very uncomfortable.
Actual results:
Installation of jdk8-aarch32 or jdk9 brings in jdk8 as a transitive
dependency.
Expected results:
Installation of jdk8-aarch32 or jdk9 will not bring in jdk8 as a transitive
dependency.
https://bugzilla.redhat.com/show_bug.cgi?id=1523102
Bug ID: 1523102
Summary: google-guice 4.1-8 breaks Xtext
Product: Fedora
Version: 27
Component: google-guice
Assignee: mizdebsk(a)redhat.com
Reporter: ugilio(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
sochotni(a)redhat.com
Created attachment 1364112
--> https://bugzilla.redhat.com/attachment.cgi?id=1364112&action=edit
The stack trace in the Eclipse console
Description of problem:
After the update from 4.1-7 to 4.1-8, recent Xtext versions (tried with 2.12.0
and 2.13.0) don't work anymore (java.lang.NoClassDefFoundError:
net/sf/cglib/core/CodeGenerationException).
Tested on both fedora 26 and 27.
(Sorry for not having reported it earlier, I thought the problem was on my
side, I was in a hurry and I simply downgraded guice to 4.1-7...)
Version-Release number of selected component (if applicable):
4.1-8
How reproducible:
Always
Steps to Reproduce:
1. Start eclipse
2. Install Xtext complete SDK from update site:
http://download.eclipse.org/modeling/tmf/xtext/updates/composite/releases/
3. After restarting Eclipse, create a New Xtext Project and accept all defaults
4. In the newly-generated MyDsl.xtext right click and select "Generate Xtext
Artifacts"
Actual results:
No artifact is generated. In the console:
[main] ERROR mf.mwe2.launch.runtime.Mwe2Launcher - com.google.common.util.concurrent.ExecutionError: java.lang.NoClassDefFoundError: net/sf/cglib/core/CodeGenerationException
...
Expected results:
No error occurs, the artifacts are generated.
Additional info:
- I'm using default java-1.8.0-openjdk-1.8.0.151-1.b12.fc27.x86_64
- google-guice 4.1-7 works fine
https://bugzilla.redhat.com/show_bug.cgi?id=1542899
Bug ID: 1542899
Summary: Task failure with ant and JAXB's xjc
Product: Fedora
Version: 27
Component: ant
Assignee: msimacek(a)redhat.com
Reporter: peterhull90(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, msrb(a)redhat.com
Created attachment 1392587
--> https://bugzilla.redhat.com/attachment.cgi?id=1392587&action=edit
Ant build script
Description of problem:
Running the JAXB xjc task in ant appears to make ant fail at a later stage with
classpath problems. The xjc task itself seems to finish correctly.
The background to this is that building Netbeans on Fedora 27 fails, and I
have done some work to narrow down the Netbeans build script (which is very
large/complicated) to this aspect.
See https://issues.apache.org/jira/browse/NETBEANS-239 and
http://mail-archives.apache.org/mod_mbox/incubator-netbeans-dev/201801.mbox…
However, setting ANT_HOME explicitly makes this bug disappear.
I believe I have set up the xjc task correctly to run with Fedora's
glassfish-jaxb packages.
Version-Release number of selected component (if applicable):
ant.noarch 1.10.1-7.fc27 @fedora
ant-lib.noarch 1.10.1-7.fc27 @fedora
glassfish-jaxb.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-api.noarch 2.2.12-7.fc27 @fedora
glassfish-jaxb-bom.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-bom-ext.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-codemodel.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-codemodel-annotation-compiler.noarch
glassfish-jaxb-codemodel-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-core.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-external-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-jxc.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-rngom.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-runtime.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-runtime-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-txw-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-txw2.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-txwc2.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-xjc.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb1-impl.noarch 2.2.11-6.fc27 @fedora
java-1.8.0-openjdk.x86_64 1:1.8.0.161-0.b14.fc27 @updates
java-1.8.0-openjdk-devel.x86_64 1:1.8.0.161-0.b14.fc27 @updates
java-1.8.0-openjdk-headless.x86_64 1:1.8.0.161-0.b14.fc27 @updates
How reproducible:
Always
Steps to Reproduce:
1. Use attached build.xml and test.xsd
2. Run ant
3. See error message
Note this is a minimal build.xml and test.xsd to cause the problem to appear.
Actual results:
build succeeds
Expected results:
Build fails,
$ ant
Buildfile: .../build.xml
fail:
[xjc] Consider using <depends>/<produces> so that XJC won't do unnecessary compilation
[xjc] Compiling file:.../test.xsd
[xjc] Writing output to .
Caught an exception while logging the end of the build. Exception was:
java.lang.NoClassDefFoundError: org/apache/tools/ant/util/DateUtils
at org.apache.tools.ant.DefaultLogger.formatTime(DefaultLogger.java:328)
at org.apache.tools.ant.DefaultLogger.buildFinished(DefaultLogger.java:177)
at org.apache.tools.ant.Project.fireBuildFinished(Project.java:2110)
at org.apache.tools.ant.Main.runBuild(Main.java:878)
at org.apache.tools.ant.Main.startAnt(Main.java:236)
at org.apache.tools.ant.launch.Launcher.run(Launcher.java:287)
at org.apache.tools.ant.launch.Launcher.main(Launcher.java:113)
Caused by: java.lang.ClassNotFoundException: org.apache.tools.ant.util.DateUtils
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:338)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
Additional info:
This succeeds:
$ ANT_HOME=/usr/share/ant/ ant
Buildfile: .../build.xml
fail:
[xjc] Consider using <depends>/<produces> so that XJC won't do unnecessary compilation
[xjc] Compiling file:.../test.xsd
[xjc] Writing output to .
BUILD SUCCESSFUL
Total time: 1 second
https://bugzilla.redhat.com/show_bug.cgi?id=1439284
Bug ID: 1439284
Summary: Jenkins is built with dom4j 1.6.1-27 but 2.0.0-1 is installed
Product: Fedora
Version: rawhide
Component: jenkins
Severity: urgent
Assignee: msrb(a)redhat.com
Reporter: dhill(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Description of problem:
Jenkins is built with dom4j 1.6.1-27 but 2.0.0-1 is installed
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Update to latest dom4j
2.
3.
Actual results:
Breaks jenkins
Expected results:
Doesn't break jenkins.
Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1451202
Bug ID: 1451202
Summary: Please add logrotate file to Jenkins
Product: Fedora
Version: rawhide
Component: jenkins
Severity: low
Assignee: msrb(a)redhat.com
Reporter: metonymy(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Please add the logrotate from ansible to the jenkins package.
For details see: https://pagure.io/fedora-infrastructure/issue/6010
https://bugzilla.redhat.com/show_bug.cgi?id=1468722
Bug ID: 1468722
Summary: Latest jenkins update breaks jenkins startup
Product: Fedora
Version: rawhide
Component: jenkins
Severity: low
Assignee: msrb(a)redhat.com
Reporter: dhill(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Description of problem:
Latest jenkins update breaks jenkins startup and deleting the broken symlink
/usr/share/jenkins/webroot/WEB-INF/lib/jnr-posix.jar solves the issue:
java.io.FileNotFoundException: /usr/share/jenkins/webroot/WEB-INF/lib/jnr-posix.jar (No such file or directory)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at org.eclipse.jetty.util.resource.FileResource.getInputStream(FileResource.java:286)
at org.eclipse.jetty.webapp.JarScanner.matched(JarScanner.java:151)
at org.eclipse.jetty.util.PatternMatcher.matchPatterns(PatternMatcher.java:100)
at org.eclipse.jetty.util.PatternMatcher.match(PatternMatcher.java:82)
at org.eclipse.jetty.webapp.JarScanner.scan(JarScanner.java:84)
at org.eclipse.jetty.webapp.MetaInfConfiguration.preConfigure(MetaInfConfiguration.java:84)
at org.eclipse.jetty.webapp.WebAppContext.preConfigure(WebAppContext.java:457)
at winstone.HostConfiguration$1.preConfigure(HostConfiguration.java:166)
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:493)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:95)
at org.eclipse.jetty.server.Server.doStart(Server.java:282)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
at winstone.Launcher.<init>(Launcher.java:152)
at winstone.Launcher.main(Launcher.java:352)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at Main._main(Main.java:290)
at Main.main(Main.java:104)
Version-Release number of selected component (if applicable):
How reproducible:
Don't know
Steps to Reproduce:
1. Update
2.
3.
Actual results:
Jenkins didn't restart
Expected results:
Jenkins should restart
Additional info: