https://bugzilla.redhat.com/show_bug.cgi?id=1602975
Bug ID: 1602975
Summary: jetty-9.4.12.RC0 is available
Product: Fedora
Version: rawhide
Component: jetty
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, krzysztof.daniel(a)gmail.com,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
sochotni(a)redhat.com
Latest upstream release: 9.4.12.RC0
Current version/release in rawhide: 9.4.11-3.v20180605.fc29
URL: http://www.eclipse.org/jetty
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1447/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1600931
Bug ID: 1600931
Summary: ant-1.10.5 is available
Product: Fedora
Version: rawhide
Component: ant
Keywords: FutureFeature, Triaged
Assignee: msimacek(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com
Latest upstream release: 1.10.5
Current version/release in rawhide: 1.10.4-1.fc29
URL: https://ant.apache.org/
Based on the information from anitya:
https://release-monitoring.org/project/50/
https://bugzilla.redhat.com/show_bug.cgi?id=1609613
Bug ID: 1609613
Summary: CVE-2018-1999002 jenkins: Flaw in the Stapler web framework allows remote unauthenticated users to read arbitrary files
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, bparees(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Blocks: 1609611
An arbitrary file read vulnerability in the Stapler web framework used by
Jenkins allowed unauthenticated users to send crafted HTTP requests returning
the contents of any file on the Jenkins master file system that the Jenkins
master process has access to.
External Reference:
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-914
https://bugzilla.redhat.com/show_bug.cgi?id=1609609
Bug ID: 1609609
Summary: CVE-2018-1999001 jenkins: Remote unauthenticated users can move config.xml allowing administrator access to anonymous users
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, bparees(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Unauthenticated users could provide maliciously crafted login credentials that
cause Jenkins to move the config.xml file from the Jenkins home directory. This
configuration file contains basic configuration of Jenkins, including the
selected security realm and authorization strategy. If Jenkins is started
without this file present, it will revert to the legacy defaults of granting
administrator access to anonymous users.
This issue was caused by the fix for SECURITY-499 in the 2017-11-08 security advisory.
External Reference:
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-897
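As an added defensive check for the condition described above (this script is not part of the advisory or of Jenkins itself): it audits $JENKINS_HOME/config.xml, reporting the missing-file case the advisory warns about as well as a present file whose security realm or authorization strategy disables authentication. The Jenkins class names are the real ones; the sample documents and the path are constructed for the demonstration.

```python
# Added example, not from the advisory or Jenkins: audit the config.xml that
# CVE-2018-1999001 causes to be moved. A missing file means Jenkins starts with
# legacy defaults (anonymous administrator access); a file declaring no security
# realm or an "Unsecured" strategy has the same effect. Samples are constructed.
import os
import xml.etree.ElementTree as ET

# Jenkins class names that mean "no authentication" / "no authorization".
UNSAFE_REALMS = {"hudson.security.SecurityRealm$None"}
UNSAFE_STRATEGIES = {"hudson.security.AuthorizationStrategy$Unsecured"}

def audit_config_xml(xml_text):
    """Return a list of findings for one config.xml document (empty = ok)."""
    findings = []
    root = ET.fromstring(xml_text)
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        findings.append("useSecurity is not true")
    realm = root.find("securityRealm")
    strategy = root.find("authorizationStrategy")
    realm_cls = realm.get("class", "") if realm is not None else ""
    strat_cls = strategy.get("class", "") if strategy is not None else ""
    if not realm_cls or realm_cls in UNSAFE_REALMS:
        findings.append("security realm is " + (realm_cls or "absent"))
    if not strat_cls or strat_cls in UNSAFE_STRATEGIES:
        findings.append("authorization strategy is " + (strat_cls or "absent"))
    return findings

def audit_jenkins_home(home):
    """Audit a Jenkins home; a missing config.xml is the advisory's failure mode."""
    cfg = os.path.join(home, "config.xml")
    if not os.path.isfile(cfg):
        return ["config.xml missing: legacy defaults grant anonymous admin"]
    with open(cfg, encoding="utf-8") as fh:
        return audit_config_xml(fh.read())

# Constructed samples: a hardened configuration and one with security switched off.
SAFE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
</hudson>"""
UNSAFE_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

if __name__ == "__main__":
    print(audit_config_xml(SAFE_CONFIG), audit_config_xml(UNSAFE_CONFIG))
```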
https://bugzilla.redhat.com/show_bug.cgi?id=1609622
Bug ID: 1609622
Summary: CVE-2018-1999006 jenkins: Users with Overall/Read permission can view install date of plugins
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, bparees(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Blocks: 1609611
In Jenkins, files indicating when a plugin JPI file was last extracted into a
subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP
by users with Overall/Read permission. This allowed unauthorized users to
determine the likely install date of a given plugin.
External Reference:
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-925
https://bugzilla.redhat.com/show_bug.cgi?id=1609620
Bug ID: 1609620
Summary: CVE-2018-1999005 jenkins: Cross-site scripting in build timeline widget exploitable by users able to control item display names
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, bparees(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Blocks: 1609611
In Jenkins, the build timeline widget shown on URLs like /view/…/builds did not
properly escape display names of items. This resulted in a cross-site scripting
vulnerability exploitable by users able to control item display names.
External Reference:
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-944
https://bugzilla.redhat.com/show_bug.cgi?id=1609617
Bug ID: 1609617
Summary: CVE-2018-1999004 jenkins: Missing permission check allows users with Overall/Read permission to initiate agent launches
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, bparees(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Blocks: 1609611
In Jenkins, the URL that initiates agent launches on the Jenkins master did not
perform a permission check, allowing users with Overall/Read permission to
initiate agent launches.
External Reference:
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-892
https://bugzilla.redhat.com/show_bug.cgi?id=1609615
Bug ID: 1609615
Summary: CVE-2018-1999003 jenkins: Missing permission check allows users with Overall/Read permission to cancel queued builds
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, bparees(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Blocks: 1609611
In Jenkins, the URLs handling cancellation of queued builds did not perform a
permission check, allowing users with Overall/Read permission to cancel queued
builds.
External Reference:
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-891
https://bugzilla.redhat.com/show_bug.cgi?id=1609624
Bug ID: 1609624
Summary: CVE-2018-1999007 jenkins: HTTP 404 error pages do not escape URLs when Stapler framework used in debug mode, allowing for XSS
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
CC: ahardin(a)redhat.com, aos-bugs(a)redhat.com,
bleanhar(a)redhat.com, bparees(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Blocks: 1609611
Stapler is the web framework used by Jenkins to route HTTP requests. When its
debug mode is enabled, HTTP 404 error pages display diagnostic information.
Those error pages did not escape parts of URLs they displayed, in rare cases
resulting in a cross-site scripting vulnerability.
External Reference:
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390