https://bugzilla.redhat.com/show_bug.cgi?id=1884441
Bug ID: 1884441
Summary: jackson-databind-2.11.3 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: jackson-databind
Keywords: FutureFeature, Triaged
Assignee: java-maint-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
Latest upstream release: 2.11.3
Current version/release in rawhide: 2.11.2-2.fc33
URL: https://github.com/FasterXML/jackson-databind/
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/10963/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1884425
Bug ID: 1884425
Summary: jackson-core-2.11.3 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: jackson-core
Keywords: FutureFeature, Triaged
Assignee: java-maint-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it, roman(a)fenkhuber.at
Target Milestone: ---
Classification: Fedora
Latest upstream release: 2.11.3
Current version/release in rawhide: 2.11.2-1.fc33
URL: https://github.com/FasterXML/jackson-core
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/10962/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1884424
Bug ID: 1884424
Summary: jackson-annotations-2.11.3 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: jackson-annotations
Keywords: FutureFeature, Triaged
Assignee: java-maint-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: decathorpe(a)gmail.com,
java-maint-sig(a)lists.fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
Latest upstream release: 2.11.3
Current version/release in rawhide: 2.11.2-1.fc33
URL: https://github.com/FasterXML/jackson-annotations
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/89327/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1857010
Bug ID: 1857010
Summary: maven-plugin-bundle-5.1.1 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: maven-plugin-bundle
Keywords: FutureFeature, Triaged
Assignee: stewardship-sig(a)lists.fedoraproject.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com, decathorpe(a)gmail.com,
jaromir.capik(a)email.cz,
java-sig-commits(a)lists.fedoraproject.org,
mhroncok(a)redhat.com, mizdebsk(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 5.1.1
Current version/release in rawhide: 4.2.1-1.fc33
URL:
https://felix.apache.org/documentation/subprojects/apache-felix-maven-bundl…
Please consult the package updates policy before you issue an update to a
stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1922/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1748421
Bug ID: 1748421
Summary: httpcomponents-core-4.4.12 is available
Product: Fedora
Version: rawhide
Status: NEW
Component: httpcomponents-core
Keywords: FutureFeature, Triaged
Assignee: stuart(a)gathman.org
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jerboaa(a)gmail.com, krzysztof.daniel(a)gmail.com,
mizdebsk(a)redhat.com, sochotni(a)redhat.com,
stuart(a)gathman.org
Target Milestone: ---
Classification: Fedora
Latest upstream release: 4.4.12
Current version/release in rawhide: 4.4.10-6.fc31
URL: http://www.apache.org/dist/httpcomponents/httpcore/source/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1333/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1934032
Bug ID: 1934032
Summary: CVE-2021-25122 tomcat: Request mix-up with h2c
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: jwon(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, avibelli(a)redhat.com,
bbaranow(a)redhat.com, bgeorges(a)redhat.com,
bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
cmoulliard(a)redhat.com, coolsvap(a)gmail.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dbecker(a)redhat.com, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
eleandro(a)redhat.com, etirelli(a)redhat.com,
fjuma(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gzaronik(a)redhat.com,
huwang(a)redhat.com, ibek(a)redhat.com,
ikanello(a)redhat.com, ivan.afonichev(a)gmail.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jolee(a)redhat.com,
jpallich(a)redhat.com, jperkins(a)redhat.com,
jschatte(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, kwills(a)redhat.com,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lthon(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, nwallace(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
smaestri(a)redhat.com, szappis(a)redhat.com,
tom.jenkinson(a)redhat.com, yborgess(a)redhat.com
Blocks: 1934001
Target Milestone: ---
Classification: Other
When responding to new h2c connection requests, Apache Tomcat could duplicate
request headers and a limited amount of request body from one request to
another meaning user A and user B could both see the results of user A's
request.
Upstream commits:
Tomcat 10.0:
https://github.com/apache/tomcat/commit/dd757c0a893e2e35f8bc1385d6967221ae8…
Tomcat 9.0:
https://github.com/apache/tomcat/commit/d47c20a776e8919eaca8da9390a32bc8bf8…
Tomcat 8.5:
https://github.com/apache/tomcat/commit/bb0e7c1e0d737a0de7d794572517bce0e91…
Reference:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3Cb76…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1934061
Bug ID: 1934061
Summary: CVE-2021-25329 tomcat: Incomplete fix for
CVE-2020-9484 (RCE via session persistence)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: jwon(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, avibelli(a)redhat.com,
bbaranow(a)redhat.com, bgeorges(a)redhat.com,
bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
cmoulliard(a)redhat.com, coolsvap(a)gmail.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dbecker(a)redhat.com, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
eleandro(a)redhat.com, etirelli(a)redhat.com,
fjuma(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gzaronik(a)redhat.com,
huwang(a)redhat.com, ibek(a)redhat.com,
ikanello(a)redhat.com, ivan.afonichev(a)gmail.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jolee(a)redhat.com,
jpallich(a)redhat.com, jperkins(a)redhat.com,
jschatte(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, kwills(a)redhat.com,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lthon(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, nwallace(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
smaestri(a)redhat.com, szappis(a)redhat.com,
tom.jenkinson(a)redhat.com, yborgess(a)redhat.com
Blocks: 1934010
Target Milestone: ---
Classification: Other
The fix for CVE-2020-9484 was incomplete. When using a highly unlikely
configuration edge case, the Tomcat instance was still vulnerable to
CVE-2020-9484. Note that both the previously published prerequisites for
CVE-2020-9484 and the previously published non-upgrade mitigations for
CVE-2020-9484 also apply to this issue.
Upstream commits:
Tomcat 10.0:
https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418…
Tomcat 9.0:
https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23…
Tomcat 8.5:
https://github.com/apache/tomcat/commit/93f0cc403a9210d469afc2bd9cf03ab3251…
Tomcat 7.0:
https://github.com/apache/tomcat/commit/74b105657ffbd1d1de80455f03446c3bbf3…
Reference:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3C811…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1917209
Bug ID: 1917209
Summary: CVE-2021-24122 tomcat: Information disclosure
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: jwon(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, avibelli(a)redhat.com,
bbaranow(a)redhat.com, bgeorges(a)redhat.com,
bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
cmoulliard(a)redhat.com, coolsvap(a)gmail.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dbecker(a)redhat.com, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
eleandro(a)redhat.com, etirelli(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
gzaronik(a)redhat.com, huwang(a)redhat.com,
ibek(a)redhat.com, ikanello(a)redhat.com,
ivan.afonichev(a)gmail.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jolee(a)redhat.com,
jpallich(a)redhat.com, jperkins(a)redhat.com,
jschatte(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, kwills(a)redhat.com,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lthon(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, nwallace(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rhel8-maint(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rstancel(a)redhat.com, rsvoboda(a)redhat.com,
rsynek(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sdaley(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
szappis(a)redhat.com, tom.jenkinson(a)redhat.com
Blocks: 1917185
Target Milestone: ---
Classification: Other
When serving resources from a network location using the NTFS file system it
was possible to bypass security constraints and/or view the source code for
JSPs in some configurations. The root cause was the unexpected behaviour of the
JRE API File.getCanonicalPath() which in turn was caused by the inconsistent
behaviour of the Windows API (FindFirstFileW) in some circumstances.
Upstream commits:
Tomcat 9.0:
https://github.com/apache/tomcat/commit/935fc5582dc25ae10bab6f9d5629ff8d996…
Tomcat 8.5:
https://github.com/apache/tomcat/commit/920dddbdb981f92e8d5872a4bb126a10af5…
Tomcat 7.0:
https://github.com/apache/tomcat/commit/800b03140e640f8892f27021e681645e8e3…
Reference:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202101.mbox/%3Cf37…http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.107
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1838332
Bug ID: 1838332
Summary: CVE-2020-9484 tomcat: Apache Tomcat Remote Code
Execution via session persistence
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: jwon(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, avibelli(a)redhat.com,
bbaranow(a)redhat.com, bgeorges(a)redhat.com,
bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
cmoulliard(a)redhat.com, coolsvap(a)gmail.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dbecker(a)redhat.com, dkreling(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
etirelli(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, gzaronik(a)redhat.com,
hhorak(a)redhat.com, ibek(a)redhat.com,
ikanello(a)redhat.com, ivan.afonichev(a)gmail.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jclere(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jolee(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jstastny(a)redhat.com,
jwon(a)redhat.com, kbasil(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, kwills(a)redhat.com,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lthon(a)redhat.com, mbabacek(a)redhat.com,
mburns(a)redhat.com, mizdebsk(a)redhat.com,
mkolesni(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, myarboro(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pgallagh(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, psotirop(a)redhat.com,
rguimara(a)redhat.com, rhcs-maint(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rstancel(a)redhat.com, rsvoboda(a)redhat.com,
rsynek(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sdaley(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
tom.jenkinson(a)redhat.com, vhalbert(a)redhat.com,
weli(a)redhat.com
Target Milestone: ---
Classification: Other
A flaw was found in the Apache Tomcat, where session persistence in using
PersistenceManager with a FileStore.
If:
a) an attacker is able to control the contents and name of a file on the
server; and
b) the server is configured to use the PersistenceManager with a
FileStore; and
c) the PersistenceManager is configured with
sessionAttributeValueClassNameFilter="null" (the default unless a
SecurityManager is used) or a sufficiently lax filter to allow the
attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location
used by FileStore to the file the attacker has control over;
then, using a specifically crafted request, the attacker will be able to
trigger remote code execution via deserialization of the file under
their control. Note that all of conditions a) to d) must be true for the
attack to succeed.
It affects the version of Apache Tomcat 10 before 10.0.0-M4, Apache Tomcat 9
before 9.0.34, Tomcat 8 before 8.5.54, and Tomcat 7 before 7.0.103.
Upstream commits:
Tomcat 10.0:
https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca890…
Tomcat 9.0:
https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167…
Tomcat 8.5:
https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20a…
Tomcat 7.0:
https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1927028
Bug ID: 1927028
Summary: CVE-2021-21290 netty: Information disclosure via the
local system temporary directory
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
aos-bugs(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
clement.escoffier(a)redhat.com, dandread(a)redhat.com,
darran.lofthouse(a)redhat.com, decathorpe(a)gmail.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, eleandro(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
extras-orphan(a)fedoraproject.org, ganandan(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
gsmet(a)redhat.com, hamadhan(a)redhat.com,
hhudgeon(a)redhat.com, ibek(a)redhat.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jburrell(a)redhat.com, jcantril(a)redhat.com,
jerboaa(a)gmail.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jross(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lgao(a)redhat.com,
loleary(a)redhat.com, lthon(a)redhat.com, lzap(a)redhat.com,
mmccune(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, nmoumoul(a)redhat.com,
nstielau(a)redhat.com, nwallace(a)redhat.com,
pdrozd(a)redhat.com, pgallagh(a)redhat.com,
pjindal(a)redhat.com, pmackay(a)redhat.com,
probinso(a)redhat.com, rchan(a)redhat.com,
rgodfrey(a)redhat.com, rguimara(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sbiarozk(a)redhat.com, sdaley(a)redhat.com,
sdouglas(a)redhat.com, smaestri(a)redhat.com,
sochotni(a)redhat.com, sokeeffe(a)redhat.com,
spinder(a)redhat.com, sponnaga(a)redhat.com,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, theute(a)redhat.com,
tom.jenkinson(a)redhat.com
Target Milestone: ---
Classification: Other
In Netty before version 4.1.59.Final there is a vulnerability on Unix-like
systems involving an insecure temp file. When netty's multipart decoders are
used local information disclosure can occur via the local system temporary
directory if temporary storing uploads on the disk is enabled. On unix-like
systems, the temporary directory is shared between all user. As such, writing
to this directory using APIs that do not explicitly set the file/directory
permissions can lead to information disclosure. Of note, this does not impact
modern MacOS Operating Systems. The method "File.createTempFile" on unix-like
systems creates a random file, but, by default will create this file with the
permissions "-rw-r--r--". Thus, if sensitive information is written to this
file, other local users can read this information. This is the case in netty's
"AbstractDiskHttpData" is vulnerable. This has been fixed in version
4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when
you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the
directory to something that is only readable by the current user.
References:
https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e000…https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
--
You are receiving this mail because:
You are on the CC list for the bug.