https://bugzilla.redhat.com/show_bug.cgi?id=1578578
Bug ID: 1578578
Summary: CVE-2018-1257 spring-framework: ReDoS Attack with spring-messaging
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
A flaw was found in Spring Framework, versions 5.0.x prior to 5.0.6, versions
4.3.x prior to 4.3.17, and older unsupported versions, which allow applications to
expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker
through the spring-messaging module. A malicious user (or attacker) can craft a
message to the broker that can lead to a regular expression denial of service
attack.
References:
https://pivotal.io/security/cve-2018-1257
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1578902
Bug ID: 1578902
Summary: CVE-2018-1259 spring-framework: XXE with Spring Data's XMLBeam integration
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: dchen(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7,
used in combination with XMLBeam 1.4.14 or earlier versions, contains a
property binder vulnerability caused by improper restriction of XML external
entity references as underlying library XMLBeam does not restrict external
reference expansion. An unauthenticated remote malicious user can supply
specially crafted request parameters against Spring Data's projection-based
request payload binding to access arbitrary files on the system.
References:
https://pivotal.io/security/cve-2018-1259
https://bugzilla.redhat.com/show_bug.cgi?id=1508123
Bug ID: 1508123
Summary: CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva,
allows remote attackers to execute arbitrary code via a crafted serialized Java
object in an <ex:serializable> element.
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5
https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Bug ID: 1372120
Summary: CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: jshepherd(a)redhat.com
It was found that GZIPInterceptor is enabled when not necessarily required in
RESTEasy. An attacker could use this flaw to launch a Denial of Service attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1448498
Bug ID: 1448498
Summary: apache-sshd-1.4.0 is available
Product: Fedora
Version: rawhide
Component: apache-sshd
Keywords: Rebase
Assignee: msrb(a)redhat.com
Reporter: sbonazzo(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
msrb(a)redhat.com, puntogil(a)libero.it
Latest upstream release: 1.4.0
Current version/release in rawhide: 0.14.0-5.fc26
URL: www.eu.apache.org/dist/mina/sshd
Based on the information from anitya:
https://release-monitoring.org/project/15120/
Opened manually since integration with anitya and upstream release monitoring
is turned off in
https://admin.fedoraproject.org/pkgdb/package/rpms/apache-sshd/
https://bugzilla.redhat.com/show_bug.cgi?id=1413657
Bug ID: 1413657
Summary: Doesn't start
Product: Fedora
Version: 25
Component: elasticsearch
Assignee: zbyszek(a)in.waw.pl
Reporter: sergiypavlichenko(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: bobjensen(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, pahan(a)hubbitus.info,
zbyszek(a)in.waw.pl
Description of problem:
Version-Release number of selected component (if applicable):
elasticsearch-1.7.1-3.fc24.noarch
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)
How reproducible:
Steps to Reproduce:
1. dnf install elasticsearch
2. systemctl start elasticsearch
Actual results:
elasticsearch.service - ElasticSearch search engine
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2017-01-16 17:54:09 EET; 38s ago
Docs: https://www.elasticsearch.org/guide/en/elasticsearch/guide/current/index.ht…
Process: 9679 ExecStart=/usr/libexec/elasticsearch (code=exited, status=1/FAILURE)
Main PID: 9679 (code=exited, status=1/FAILURE)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:32)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: Caused by: java.lang.ClassNotFoundException: com.fasterxml.jackson.databind.JsonMappingException
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
Jan 16 17:54:09 localhost.localdomain elasticsearch[9679]: ... 11 more
Jan 16 17:54:09 localhost.localdomain systemd[1]: elasticsearch.service: Main process exited, code=exited, status=1/FAILURE
Jan 16 17:54:09 localhost.localdomain systemd[1]: elasticsearch.service: Unit entered failed state.
Jan 16 17:54:09 localhost.localdomain systemd[1]: elasticsearch.service: Failed with result 'exit-code'.
https://bugzilla.redhat.com/show_bug.cgi?id=1500288
Bug ID: 1500288
Summary: jpackage utils requires java-1.8.0-openjdk
Product: Fedora
Version: 27
Component: jpackage-utils
Assignee: extras-orphan(a)fedoraproject.org
Reporter: jvanek(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, msrb(a)redhat.com,
sochotni(a)redhat.com
Description of problem:
jpackage utils requires java-1.8.0-openjdk
Version-Release number of selected component (if applicable):
f27+
How reproducible:
Consider the system java settings for f27:
https://fedoraproject.org/wiki/Releases/27/ChangeSet#Decouple_system_java_s…
which brought in java-1.8.0-openjdk as a dependency of jpackage-tools.
As a side effect:
- java-1.8.0-openjdk and jpackage-tools are now circular dependencies.
- java-1.8.0-openjdk-aarch32 now pulls in java-1.8.0-openjdk
- that successfully kills usage of java-1.8.0-openjdk-aarch32 in the buildroot,
as you cannot change alternatives
Now consider jdk9 in f27:
https://fedoraproject.org/wiki/Releases/27/ChangeSet#Java_9
The side effect is the same as for jdk8-aarch32. Installation of java-9-openjdk
(which requires jpackage tools) will pull in java8. It kills jdk9 in the buildroot
and makes the life of a possible jdk9 user very uncomfortable.
Actual results:
Installation of jdk8-aarch32 or jdk9 brings in jdk8 as a transitive
dependency.
Expected results:
Installation of jdk8-aarch32 or jdk9 will not bring in jdk8 as a transitive
dependency.
https://bugzilla.redhat.com/show_bug.cgi?id=1523102
Bug ID: 1523102
Summary: google-guice 4.1-8 breaks Xtext
Product: Fedora
Version: 27
Component: google-guice
Assignee: mizdebsk(a)redhat.com
Reporter: ugilio(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
sochotni(a)redhat.com
Created attachment 1364112
--> https://bugzilla.redhat.com/attachment.cgi?id=1364112&action=edit
The stack trace in the Eclipse console
Description of problem:
After the update from 4.1-7 to 4.1-8, recent Xtext versions (tried with 2.12.0
and 2.13.0) don't work anymore
(java.lang.NoClassDefFoundError: net/sf/cglib/core/CodeGenerationException).
Tested on both Fedora 26 and 27.
(Sorry for not having reported it earlier; I thought the problem was on my
side, I was in a hurry and I simply downgraded guice to 4.1-7...)
Version-Release number of selected component (if applicable):
4.1-8
How reproducible:
Always
Steps to Reproduce:
1. Start eclipse
2. Install Xtext complete SDK from update site:
http://download.eclipse.org/modeling/tmf/xtext/updates/composite/releases/
3. After restarting Eclipse, create a New Xtext Project and accept all defaults
4. In the newly-generated MyDsl.xtext right click and select "Generate Xtext
Artifacts"
Actual results:
No artifact is generated. In the console:
[main] ERROR mf.mwe2.launch.runtime.Mwe2Launcher -
com.google.common.util.concurrent.ExecutionError:
java.lang.NoClassDefFoundError: net/sf/cglib/core/CodeGenerationException
...
Expected results:
No error occurs, the artifacts are generated.
Additional info:
- I'm using default java-1.8.0-openjdk-1.8.0.151-1.b12.fc27.x86_64
- google-guice 4.1-7 works fine
https://bugzilla.redhat.com/show_bug.cgi?id=1542899
Bug ID: 1542899
Summary: Task failure with ant and JAXB's xjc
Product: Fedora
Version: 27
Component: ant
Assignee: msimacek(a)redhat.com
Reporter: peterhull90(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, msrb(a)redhat.com
Created attachment 1392587
--> https://bugzilla.redhat.com/attachment.cgi?id=1392587&action=edit
Ant build script
Description of problem:
Running the JAXB xjc task in ant appears to make ant fail at a later stage with
classpath problems. The xjc task itself seems to finish correctly.
The background to this is that trying to build Netbeans on Fedora 27 fails, and I
have done some work to narrow down the Netbeans build script (which is very
large/complicated) to this aspect.
See https://issues.apache.org/jira/browse/NETBEANS-239 and
http://mail-archives.apache.org/mod_mbox/incubator-netbeans-dev/201801.mbox…
However, setting ANT_HOME explicitly makes this bug disappear.
I believe I have set up the xjc task correctly to run with Fedora's
glassfish-jaxb packages.
Version-Release number of selected component (if applicable):
ant.noarch 1.10.1-7.fc27 @fedora
ant-lib.noarch 1.10.1-7.fc27 @fedora
glassfish-jaxb.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-api.noarch 2.2.12-7.fc27 @fedora
glassfish-jaxb-bom.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-bom-ext.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-codemodel.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-codemodel-annotation-compiler.noarch
glassfish-jaxb-codemodel-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-core.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-external-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-jxc.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-rngom.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-runtime.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-runtime-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-txw-parent.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-txw2.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-txwc2.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb-xjc.noarch 2.2.11-6.fc27 @fedora
glassfish-jaxb1-impl.noarch 2.2.11-6.fc27 @fedora
java-1.8.0-openjdk.x86_64 1:1.8.0.161-0.b14.fc27 @updates
java-1.8.0-openjdk-devel.x86_64 1:1.8.0.161-0.b14.fc27 @updates
java-1.8.0-openjdk-headless.x86_64 1:1.8.0.161-0.b14.fc27 @updates
How reproducible:
Always
Steps to Reproduce:
1. Use attached build.xml and test.xsd
2. Run ant
3. See error message
Note this is a minimal build.xml and test.xsd to cause the problem to appear.
Actual results:
build succeeds
Expected results:
Build fails,
$ ant
Buildfile: .../build.xml
fail:
[xjc] Consider using <depends>/<produces> so that XJC won't do unnecessary compilation
[xjc] Compiling file:.../test.xsd
[xjc] Writing output to .
Caught an exception while logging the end of the build. Exception was:
java.lang.NoClassDefFoundError: org/apache/tools/ant/util/DateUtils
at org.apache.tools.ant.DefaultLogger.formatTime(DefaultLogger.java:328)
at org.apache.tools.ant.DefaultLogger.buildFinished(DefaultLogger.java:177)
at org.apache.tools.ant.Project.fireBuildFinished(Project.java:2110)
at org.apache.tools.ant.Main.runBuild(Main.java:878)
at org.apache.tools.ant.Main.startAnt(Main.java:236)
at org.apache.tools.ant.launch.Launcher.run(Launcher.java:287)
at org.apache.tools.ant.launch.Launcher.main(Launcher.java:113)
Caused by: java.lang.ClassNotFoundException: org.apache.tools.ant.util.DateUtils
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:338)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
Additional info:
This succeeds:
$ ANT_HOME=/usr/share/ant/ ant
Buildfile: .../build.xml
fail:
[xjc] Consider using <depends>/<produces> so that XJC won't do unnecessary compilation
[xjc] Compiling file:.../test.xsd
[xjc] Writing output to .
BUILD SUCCESSFUL
Total time: 1 second