https://bugzilla.redhat.com/show_bug.cgi?id=1701056
Bug ID: 1701056
Summary: CVE-2019-0232 tomcat: Remote Code Execution on Windows
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190410,reported=20190416,source=cve,
cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,
fedora-all/tomcat=notaffected,rhscl-3/rh-java-common-tomcat=notaffected,
bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat=notaffected,
brms-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,
jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,
fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,fsw-6/jbossweb=notaffected,
soap-5/jbossweb=notaffected,springboot-1/tomcat=notaffected,jbews-2/tomcat6=new,
jws-3/tomcat7=new,rhel-7/tomcat=notaffected,jbews-2/tomcat7=new,jws-3/tomcat8=new,
rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,jws-5/tomcat=new,
rhel-8/pki-deps:10.6/pki-servlet-container=notaffected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, anstephe(a)redhat.com,
avibelli(a)redhat.com, bgeorges(a)redhat.com,
bmaxwell(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmoulliard(a)redhat.com,
coolsvap(a)gmail.com, csutherl(a)redhat.com,
darran.lofthouse(a)redhat.com, dimitris(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
etirelli(a)redhat.com, fgavrilo(a)redhat.com,
gvarsami(a)redhat.com, gzaronik(a)redhat.com,
hhorak(a)redhat.com, ibek(a)redhat.com,
ikanello(a)redhat.com, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jclere(a)redhat.com, jcoleman(a)redhat.com,
jdoyle(a)redhat.com, jochrist(a)redhat.com,
jolee(a)redhat.com, jondruse(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jschatte(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, kconner(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, ldimaggi(a)redhat.com,
lgao(a)redhat.com, loleary(a)redhat.com,
lpetrovi(a)redhat.com, lthon(a)redhat.com,
mbabacek(a)redhat.com, mizdebsk(a)redhat.com,
mszynkie(a)redhat.com, myarboro(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pgallagh(a)redhat.com, pgier(a)redhat.com,
pjurak(a)redhat.com, ppalaga(a)redhat.com,
psakar(a)redhat.com, pslavice(a)redhat.com,
rhcs-maint(a)redhat.com, rnetuka(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rstancel(a)redhat.com, rsvoboda(a)redhat.com,
rsynek(a)redhat.com, rwagner(a)redhat.com,
rzhang(a)redhat.com, sdaley(a)redhat.com,
spinder(a)redhat.com, tcunning(a)redhat.com,
theute(a)redhat.com, tkirby(a)redhat.com,
trogers(a)redhat.com, twalsh(a)redhat.com,
vhalbert(a)redhat.com, vtunka(a)redhat.com,
weli(a)redhat.com
Blocks: 1700240
Target Milestone: ---
Classification: Other
A vulnerability was found in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39
and 7.0.0 to 7.0.93. When running on Windows with enableCmdLineArguments
enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in
the way the JRE passes command line arguments to Windows. The CGI Servlet is
disabled by default. The CGI option enableCmdLineArguments is disabled by
default in Tomcat 9.0.x (and will be disabled by default in all versions in
response to this vulnerability).
References:
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
Upstream Patch:
https://github.com/apache/tomcat/commit/7f0221b
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1698508
Bug ID: 1698508
Summary: CVE-2019-11065 gradle: Insecure HTTP URL used to
download dependencies leading to possibly maliciously
compromised artifacts.
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190409,reported=20190410,source=internet,
cvss3=8.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N,cwe=CWE-345,
fedora-28/gradle=affected,fedora-29/gradle=affected,epel-6/gradle=affected,
jbews-3/gradle=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: csutherl(a)redhat.com, dan(a)danieljamesscott.org,
gzaronik(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jjelen(a)redhat.com, lgao(a)redhat.com,
lkundrak(a)v3.sk, mbabacek(a)redhat.com,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
myarboro(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
twalsh(a)redhat.com, weli(a)redhat.com
Target Milestone: ---
Classification: Other
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download
dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are
used. Dependency artifacts could have been maliciously compromised by a MITM
attack against the ajax.googleapis.com web site.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065
Upstream Repository:
https://github.com/gradle/gradle/pull/8927
https://bugzilla.redhat.com/show_bug.cgi?id=1696034
Bug ID: 1696034
Summary: CVE-2019-7611 elasticsearch: Improper permission issue
when attaching a new name to an index
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190219,reported=20190219,source=cve,
cvss3=6.8/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N,cwe=CWE-285,
openshift-enterprise-3.11/elasticsearch=new,openshift-enterprise-3.10/elasticsearch=new,
openshift-enterprise-3.9/elasticsearch=new,openshift-enterprise-3.7/elasticsearch=new,
openshift-enterprise-3.6/elasticsearch=new,openshift-enterprise-3.1/elasticsearch=new,
openshift-enterprise-3.0/elasticsearch=new,openstack-8-optools/elasticsearch=new,
openshift-enterprise-3.5/elasticsearch=new,openshift-enterprise-3.4/elasticsearch=new,
openshift-enterprise-3.3/elasticsearch=new,openshift-enterprise-3.2/elasticsearch=new,
openstack-9-optools/elasticsearch=new,fedora-all/elasticsearch=affected,
sam-1/elasticsearch=new,fuse-7/elasticsearch=new,rhdm-7/elasticsearch=new,
fuse-6/elasticsearch=new,rhpam-7/elasticsearch=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: ahardin(a)redhat.com, alazarot(a)redhat.com,
anstephe(a)redhat.com, bkearney(a)redhat.com,
bleanhar(a)redhat.com, bobjensen(a)gmail.com,
cbillett(a)redhat.com, ccoleman(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
dedgar(a)redhat.com, emmanuel(a)seyman.fr,
eparis(a)redhat.com, etirelli(a)redhat.com,
ibek(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jjoyce(a)redhat.com,
jokerman(a)redhat.com, jschluet(a)redhat.com,
jvanek(a)redhat.com, kbasil(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
lhh(a)redhat.com, lpeer(a)redhat.com, lpetrovi(a)redhat.com,
mburns(a)redhat.com, mchappel(a)redhat.com,
mmagr(a)redhat.com, pahan(a)hubbitus.info,
paradhya(a)redhat.com, rrajasek(a)redhat.com,
rsynek(a)redhat.com, rzhang(a)redhat.com,
sclewis(a)redhat.com, sdaley(a)redhat.com,
slinaber(a)redhat.com, tomckay(a)redhat.com,
zbyszek(a)in.waw.pl
Target Milestone: ---
Classification: Other
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1
when Field Level Security and Document Level Security are disabled and the
_aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file
has xpack.security.dls_fls.enabled set to false, certain permission checks are
skipped when users perform one of the actions mentioned above to make existing
data available under a new index/alias name. This could result in an attacker
gaining additional permissions against a restricted index.
References:
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update…
https://bugzilla.redhat.com/show_bug.cgi?id=1694474
Bug ID: 1694474
Summary: velocity-2.1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: velocity
Keywords: FutureFeature, Triaged
Assignee: mhroncok(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: dbhole(a)redhat.com, devrim(a)gunduz.org,
java-sig-commits(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 2.1
Current version/release in rawhide: 1.7-25.fc30
URL: http://www.apache.org/dist/velocity/engine/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/5083/
https://bugzilla.redhat.com/show_bug.cgi?id=1696062
Bug ID: 1696062
Summary: CVE-2018-12545 jetty: large settings frames causing
denial of service
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190320,reported=20190328,source=cve,
cvss3=4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L,cwe=CWE-400,
fedora-all/jetty=affected,rhel-6/jetty-eclipse=notaffected,rhel-7/jetty=new,
fuse-6/jetty=affected,fuse-7/jetty=affected,rhn_satellite_5/jetty=affected,
rhscl-3/rh-java-common-jetty=affected
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: bkearney(a)redhat.com, chazlett(a)redhat.com,
decathorpe(a)gmail.com,
eclipse-sig(a)lists.fedoraproject.org,
ggainey(a)redhat.com, hhorak(a)redhat.com,
java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, jorton(a)redhat.com,
krzysztof.daniel(a)gmail.com, mizdebsk(a)redhat.com,
sochotni(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
tlestach(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of
Service conditions if a remote client sends either large SETTINGS frames
containing many settings, or many small SETTINGS frames. The vulnerability is
due to the additional CPU and memory allocations required to handle changed
settings.
Reference:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096
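An added example, not Jetty's code, of the defensive bound a server can place on SETTINGS handling for the two cases the advisory names: a minimal HTTP/2 SETTINGS frame parser that rejects a frame carrying too many settings before decoding any of them, plus a per-connection budget so that a stream of many small SETTINGS frames is capped as well. The two limit values are constructed assumptions, not the values chosen in the Jetty fix.

```python
import struct

SETTINGS_TYPE = 0x4        # HTTP/2 frame type for SETTINGS (RFC 7540 section 6.5)
ACK_FLAG = 0x1
ENTRY_LEN = 6              # each setting: 16-bit identifier + 32-bit value
HEADER_LEN = 9
# Constructed policy limits (assumptions, not Jetty's values): they bound the
# CPU and memory a single peer can force the server to spend on settings.
MAX_SETTINGS_PER_FRAME = 32
MAX_SETTINGS_FRAMES = 64


class FrameError(ValueError):
    """Malformed frame: the connection should be closed with a protocol error."""


class SettingsAbuse(Exception):
    """Well-formed but over budget: the connection should be closed."""


def build_settings_frame(settings, ack=False):
    """Serialize (identifier, value) pairs into a SETTINGS frame on stream 0."""
    payload = b"".join(struct.pack(">HI", sid, val) for sid, val in settings)
    header = len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, ACK_FLAG if ack else 0])
    return header + struct.pack(">I", 0) + payload


def parse_settings_frame(frame):
    """Parse one SETTINGS frame, rejecting oversize frames before decoding entries."""
    if len(frame) < HEADER_LEN:
        raise FrameError("short frame header")
    length = int.from_bytes(frame[:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack(">I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != SETTINGS_TYPE or stream_id != 0:
        raise FrameError("not a SETTINGS frame on stream 0")
    if flags & ACK_FLAG and length != 0:
        raise FrameError("SETTINGS ACK must carry no payload")
    if length % ENTRY_LEN or len(frame) != HEADER_LEN + length:
        raise FrameError("payload length is not a multiple of 6")
    # The bound is checked on the declared length, so no per-entry work is
    # spent on a frame the policy is going to reject anyway.
    if length // ENTRY_LEN > MAX_SETTINGS_PER_FRAME:
        raise SettingsAbuse("too many settings in one frame")
    payload = frame[HEADER_LEN:]
    return [struct.unpack(">HI", payload[i:i + ENTRY_LEN]) for i in range(0, length, ENTRY_LEN)]


class SettingsBudget:
    """Per-connection counter so that many small SETTINGS frames are capped too."""
    def __init__(self):
        self.frames_seen = 0

    def accept(self, frame):
        self.frames_seen += 1
        if self.frames_seen > MAX_SETTINGS_FRAMES:
            raise SettingsAbuse("too many SETTINGS frames on this connection")
        return parse_settings_frame(frame)
```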
https://bugzilla.redhat.com/show_bug.cgi?id=1662255
Bug ID: 1662255
Summary: Suspend to disk (hibernate) broken after upgrade to
Fedora 29
Product: Fedora
Version: 29
Status: NEW
Component: hibernate
Assignee: puntogil(a)libero.it
Reporter: drbasic6(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
Description of problem:
After upgrading to Fedora 29, hibernate is broken. It used to work until Fedora
28.
The hibernate option is missing from the KDE menu now. Suspend to RAM is still
there, but when the battery dies after a couple of days, all unsaved work is
lost.
Version-Release number of selected component (if applicable):
Fedora 29
How reproducible:
Always
Steps to Reproduce:
1. Use Fedora 28, hibernate...
2. Upgrade to F29 via gnome-software.
3. Hibernate feature unavailable.
Actual results:
Hibernate feature unavailable after upgrade.
It's not possible anymore to keep a bunch of programs running. Now, everything
has to be saved and closed and the system has to be shut down whenever the
laptop is removed from the station and taken to another location.
Expected results:
A basic system feature that has worked for years shouldn't suddenly be gone.
This is unacceptable.
Additional info:
As the KDE menu sometimes stops working after a few days (Bug 1634681), it's
often necessary to hibernate via the command line. The following command worked
until Fedora 28:
$ qdbus org.kde.Solid.PowerManagement /org/freedesktop/PowerManagement
CanHibernate && qdbus org.kde.Solid.PowerManagement
/org/freedesktop/PowerManagement Hibernate
false
https://bugzilla.redhat.com/show_bug.cgi?id=1668319
Bug ID: 1668319
Summary: CVE-2019-6290 nasm: Infinite recursion in eval.c
causing stack exhaustion problem resulting in a denial
of service
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190102,reported=20190115,source=cve,
cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,cwe=CWE-400,
fedora-all/nasm=affected,rhel-5/nasm=new,rhel-6/nasm=new,rhel-7/nasm=new,
rhel-8/nasm=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, nickc(a)redhat.com
Target Milestone: ---
Classification: Other
An infinite recursion issue was discovered in eval.c in Netwide Assembler (NASM)
through 2.14.02. There is a stack exhaustion problem resulting from infinite
recursion in the functions expr, rexp, bexpr and cexpr in certain scenarios
involving lots of '{' characters. Remote attackers could leverage this
vulnerability to cause a denial-of-service via a crafted asm file.
Upstream Issue:
https://bugzilla.nasm.us/show_bug.cgi?id=3392548
https://bugzilla.redhat.com/show_bug.cgi?id=1668320
Bug ID: 1668320
Summary: CVE-2019-6290 nasm: Infinite recursion in eval.c
causing stack exhaustion problem resulting in a denial
of service [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: nasm
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: darunesh(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
https://bugzilla.redhat.com/show_bug.cgi?id=1668321
Bug ID: 1668321
Summary: CVE-2019-6291 nasm: Recursive calls in the function
expr resulting in a denial of service
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190102,reported=20190115,source=cve,
cvss3=5.5/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,cwe=CWE-400,
fedora-all/nasm=affected,rhel-5/nasm=new,rhel-6/nasm=new,rhel-7/nasm=new,
rhel-8/nasm=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, nickc(a)redhat.com
Target Milestone: ---
Classification: Other
An issue was discovered in the function expr6 in eval.c in Netwide Assembler
(NASM) through 2.14.02. There is a stack exhaustion problem caused by the expr6
function making recursive calls to itself in certain scenarios involving lots of
'!' or '+' or '-' characters. Remote attackers could leverage this vulnerability
to cause a denial-of-service via a crafted asm file.
Upstream Issue:
https://bugzilla.nasm.us/show_bug.cgi?id=3392549
https://bugzilla.redhat.com/show_bug.cgi?id=1668322
Bug ID: 1668322
Summary: CVE-2019-6291 nasm: Recursive calls in the function
expr resulting in a denial of service [fedora-all]
Product: Fedora
Version: 29
Status: NEW
Component: nasm
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: darunesh(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: dominik(a)greysector.net,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.