java-sig-commits February 2022

java-sig-commits@lists.stg.fedoraproject.org

1 participants
195 discussions

[Bug 2011190] New: CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
by bugzilla＠redhat.com 09 Sep '22

09 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=2011190 Bug ID: 2011190 Summary: CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: mrehak(a)redhat.com CC: aboyko(a)redhat.com, agrimm(a)gmail.com, aileenc(a)redhat.com, antti.andreimann(a)mail.ee, asoldano(a)redhat.com, atangrin(a)redhat.com, bbaranow(a)redhat.com, bcoca(a)redhat.com, bibryam(a)redhat.com, bmaxwell(a)redhat.com, bmontgom(a)redhat.com, brian.stansberry(a)redhat.com, caswilli(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, chousekn(a)redhat.com, cmeyers(a)redhat.com, darran.lofthouse(a)redhat.com, davidn(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eleandro(a)redhat.com, eparis(a)redhat.com, eric.wittmann(a)redhat.com, ewolinet(a)redhat.com, extras-orphan(a)fedoraproject.org, fjuma(a)redhat.com, gblomqui(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcammara(a)redhat.com, jcantril(a)redhat.com, jcoleman(a)redhat.com, jhardy(a)redhat.com, jnethert(a)redhat.com, jobarker(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jolee(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, kconner(a)redhat.com, kloczko.tomasz(a)gmail.com, krathod(a)redhat.com, kwills(a)redhat.com, ldimaggi(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, loleary(a)redhat.com, mabashia(a)redhat.com, mihkel.vain(a)gmail.com, msochure(a)redhat.com, msvehla(a)redhat.com, notting(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, osapryki(a)redhat.com, pantinor(a)redhat.com, pdelbell(a)redhat.com, pdrozd(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, puntogil(a)libero.it, relrod(a)redhat.com, rguimara(a)redhat.com, rpetrell(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rwagner(a)redhat.com, sdoran(a)redhat.com, smaestri(a)redhat.com, smcdonal(a)redhat.com, spinder(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, tcunning(a)redhat.com, theute(a)redhat.com, tkirby(a)redhat.com, tkuratom(a)redhat.com, tom.jenkinson(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other An issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. External Reference: https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2011190

1 42

[Bug 1995259] New: CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
by bugzilla＠redhat.com 09 Sep '22

09 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1995259 Bug ID: 1995259 Summary: CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, asoldano(a)redhat.com, atangrin(a)redhat.com, ataylor(a)redhat.com, avibelli(a)redhat.com, bbaranow(a)redhat.com, bgeorges(a)redhat.com, bibryam(a)redhat.com, bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, clement.escoffier(a)redhat.com, dandread(a)redhat.com, darran.lofthouse(a)redhat.com, dbecker(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, eleandro(a)redhat.com, etirelli(a)redhat.com, fjuma(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gsmet(a)redhat.com, gvarsami(a)redhat.com, hamadhan(a)redhat.com, hbraun(a)redhat.com, hhorak(a)redhat.com, ibek(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, jaromir.capik(a)email.cz, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jcoleman(a)redhat.com, jjoyce(a)redhat.com, jnethert(a)redhat.com, jochrist(a)redhat.com, jolee(a)redhat.com, jorton(a)redhat.com, jpallich(a)redhat.com, jperkins(a)redhat.com, jrokos(a)redhat.com, jross(a)redhat.com, jschatte(a)redhat.com, jschluet(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, kwills(a)redhat.com, ldimaggi(a)redhat.com, lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com, lthon(a)redhat.com, mburns(a)redhat.com, mizdebsk(a)redhat.com, mkolesni(a)redhat.com, mnovotny(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, mszynkie(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, pdrozd(a)redhat.com, peholase(a)redhat.com, pgallagh(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, probinso(a)redhat.com, rguimara(a)redhat.com, rrajasek(a)redhat.com, rruss(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rwagner(a)redhat.com, sbiarozk(a)redhat.com, sclewis(a)redhat.com, scohen(a)redhat.com, sdouglas(a)redhat.com, slinaber(a)redhat.com, smaestri(a)redhat.com, sthorger(a)redhat.com, tcunning(a)redhat.com, tkirby(a)redhat.com, tom.jenkinson(a)redhat.com, tzimanyi(a)redhat.com, yborgess(a)redhat.com Target Milestone: --- Classification: Other jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes. References: https://jsoup.org/news/release-1.14.1 https://jsoup.org/news/release-1.14.2 https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c -- You are receiving this mail because: You are on the CC list for the bug.

1 35

[Bug 1934116] New: CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
by bugzilla＠redhat.com 09 Sep '22

09 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1934116 Bug ID: 1934116 Summary: CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: abenaiss(a)redhat.com, aboyko(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, aos-bugs(a)redhat.com, ataylor(a)redhat.com, bibryam(a)redhat.com, bmontgom(a)redhat.com, chazlett(a)redhat.com, drieden(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, eparis(a)redhat.com, etirelli(a)redhat.com, ganandan(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, gvarsami(a)redhat.com, hbraun(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jburrell(a)redhat.com, jcoleman(a)redhat.com, jjohnstn(a)redhat.com, jochrist(a)redhat.com, jokerman(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, mat.booth(a)redhat.com, mcermak(a)redhat.com, mizdebsk(a)redhat.com, mnovotny(a)redhat.com, mprchlik(a)redhat.com, nstielau(a)redhat.com, nwallace(a)redhat.com, pantinor(a)redhat.com, patrickm(a)redhat.com, pbhattac(a)redhat.com, pdrozd(a)redhat.com, pjindal(a)redhat.com, rrajasek(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, sdaley(a)redhat.com, sd-operator-metering(a)redhat.com, sochotni(a)redhat.com, sponnaga(a)redhat.com, sthorger(a)redhat.com, tcunning(a)redhat.com, tflannag(a)redhat.com, tkirby(a)redhat.com, vbobade(a)redhat.com, vkadlcik(a)redhat.com Target Milestone: --- Classification: Other In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. References: https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128 https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww… -- You are receiving this mail because: You are on the CC list for the bug.

1 39

[Bug 1964677] New: fasterxml-oss-parent-42 is available
by bugzilla＠redhat.com 09 Sep '22

09 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1964677 Bug ID: 1964677 Summary: fasterxml-oss-parent-42 is available Product: Fedora Version: rawhide Status: NEW Component: fasterxml-oss-parent Keywords: FutureFeature, Triaged Assignee: java-maint-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: cfu(a)redhat.com, ckelley(a)redhat.com, edewata(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jmagne(a)redhat.com, mharmsen(a)redhat.com, puntogil(a)libero.it, roman(a)fenkhuber.at Target Milestone: --- Classification: Fedora Latest upstream release: 42 Current version/release in rawhide: 41-2.fc34 URL: https://github.com/FasterXML/oss-parent Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/114915/ -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1955315] New: mockito-3.9.10 is available
by bugzilla＠redhat.com 08 Sep '22

08 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1955315 Bug ID: 1955315 Summary: mockito-3.9.10 is available Product: Fedora Version: rawhide Status: NEW Component: mockito Keywords: FutureFeature, Triaged Assignee: stuart(a)gathman.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: akurtako(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, mat.booth(a)gmail.com, mizdebsk(a)redhat.com, projects.rg(a)smart.ms, roman(a)fenkhuber.at, stuart(a)gathman.org Target Milestone: --- Classification: Fedora Latest upstream release: 3.9.10 Current version/release in rawhide: 3.5.13-2.fc34 URL: http://mockito.org Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/7297/ -- You are receiving this mail because: You are on the CC list for the bug.

1 21

[Bug 2034584] New: CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries
by bugzilla＠redhat.com 08 Sep '22

08 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=2034584 Bug ID: 2034584 Summary: CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: low Priority: low Assignee: security-response-team(a)redhat.com Reporter: darunesh(a)redhat.com CC: aboyko(a)redhat.com, ahenning(a)redhat.com, aileenc(a)redhat.com, akoufoud(a)redhat.com, alazarot(a)redhat.com, almorale(a)redhat.com, anstephe(a)redhat.com, chazlett(a)redhat.com, dchen(a)redhat.com, drieden(a)redhat.com, etirelli(a)redhat.com, extras-orphan(a)fedoraproject.org, ggaughan(a)redhat.com, gmalinko(a)redhat.com, hvyas(a)redhat.com, ibek(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jochrist(a)redhat.com, jolee(a)redhat.com, jrokos(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, jwon(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, lef(a)fedoraproject.org, lsurette(a)redhat.com, michal.skrivanek(a)redhat.com, mnovotny(a)redhat.com, mperina(a)redhat.com, pdelbell(a)redhat.com, pjindal(a)redhat.com, pskopek(a)redhat.com, puntogil(a)libero.it, rrajasek(a)redhat.com, sbonazzo(a)redhat.com, sguilhen(a)redhat.com, tzimanyi(a)redhat.com Target Milestone: --- Classification: Other In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. References: https://tanzu.vmware.com/security/cve-2021-22096 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2034584

1 14

[Bug 1934401] New: beust-jcommander-1.81 is available
by bugzilla＠redhat.com 07 Sep '22

07 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1934401 Bug ID: 1934401 Summary: beust-jcommander-1.81 is available Product: Fedora Version: rawhide Status: NEW Component: beust-jcommander Keywords: FutureFeature, Triaged Assignee: java-maint-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, jaromir.capik(a)email.cz, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, jvanek(a)redhat.com, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 1.81 Current version/release in rawhide: 1.78-5.fc34 URL: https://github.com/cbeust/jcommander Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/179/ -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1988114] New: plexus-utils-3.4.0 is available
by bugzilla＠redhat.com 07 Sep '22

07 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1988114 Bug ID: 1988114 Summary: plexus-utils-3.4.0 is available Product: Fedora Version: rawhide Status: NEW Component: plexus-utils Keywords: FutureFeature, Triaged Assignee: mizdebsk(a)redhat.com Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: fnasser(a)redhat.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, mizdebsk(a)redhat.com Target Milestone: --- Classification: Fedora Latest upstream release: 3.4.0 Current version/release in rawhide: 3.3.0-7.fc35 URL: https://codehaus-plexus.github.io/plexus-utils/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/6072/ -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1866569] New: apache-commons-net-3.7 is available
by bugzilla＠redhat.com 07 Sep '22

07 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1866569 Bug ID: 1866569 Summary: apache-commons-net-3.7 is available Product: Fedora Version: rawhide Status: NEW Component: apache-commons-net Keywords: FutureFeature, Triaged Assignee: luis(a)blackfile.net Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: java-sig-commits(a)lists.fedoraproject.org, luis(a)blackfile.net, mizdebsk(a)redhat.com, sochotni(a)redhat.com, SpikeFedora(a)gmail.com Target Milestone: --- Classification: Fedora Latest upstream release: 3.7 Current version/release in rawhide: 3.6-8.fc32 URL: http://www.apache.org/dist/commons/net/source/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/81/ -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1884441] New: jackson-databind-2.11.3 is available
by bugzilla＠redhat.com 03 Sep '22

03 Sep '22

https://bugzilla.redhat.com/show_bug.cgi?id=1884441 Bug ID: 1884441 Summary: jackson-databind-2.11.3 is available Product: Fedora Version: rawhide Status: NEW Component: jackson-databind Keywords: FutureFeature, Triaged Assignee: java-maint-sig(a)lists.fedoraproject.org Reporter: upstream-release-monitoring(a)fedoraproject.org QA Contact: extras-qa(a)fedoraproject.org CC: decathorpe(a)gmail.com, java-maint-sig(a)lists.fedoraproject.org, java-sig-commits(a)lists.fedoraproject.org, lef(a)fedoraproject.org, puntogil(a)libero.it Target Milestone: --- Classification: Fedora Latest upstream release: 2.11.3 Current version/release in rawhide: 2.11.2-2.fc33 URL: https://github.com/FasterXML/jackson-databind/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/10963/ -- You are receiving this mail because: You are on the CC list for the bug.

1 15

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

java-sig-commits February 2022