FreeBSD Bugzilla – Attachment 199650 Details for
Bug 233573
www/payara: Update to 5.183
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch to add Payara vulnerabilities to the security/vuxml/vuln.xml
security-vuxml-payara.patch (text/plain), 8.06 KB, created by
Dmytro Bilokha
on 2018-11-28 19:43:35 UTC
(
hide
)
Description:
Patch to add Payara vulnerabilities to the security/vuxml/vuln.xml
Filename:
MIME Type:
Creator:
Dmytro Bilokha
Created:
2018-11-28 19:43:35 UTC
Size:
8.06 KB
patch
obsolete
>Index: security/vuxml/vuln.xml >=================================================================== >--- security/vuxml/vuln.xml (revision 486101) >+++ security/vuxml/vuln.xml (working copy) >@@ -58,6 +58,169 @@ > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="93f8e0ff-f33d-11e8-be46-0019dbb15b3f"> >+ <topic>payara -- Default typing issue in Jackson Databind</topic> >+ <affects> >+ <package> >+ <name>payara</name> >+ <range><eq>4.1.2.181.3</eq></range> >+ <range><eq>4.1.2.182</eq></range> >+ <range><eq>5.181.3</eq></range> >+ <range><eq>5.182</eq></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489"> >+ <p>FasterXML jackson-databind before 2.8.11.1 and 2.9.x before >+ 2.9.5 allows unauthenticated remote code execution because of >+ an incomplete fix for the CVE-2017-7525 deserialization flaw. >+ This is exploitable by sending maliciously crafted JSON input >+ to the readValue method of the ObjectMapper, bypassing a >+ blacklist that is ineffective if the c3p0 libraries are >+ available in the classpath.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489</url> >+ <cvename>CVE-2018-7489</cvename> >+ </references> >+ <dates> >+ <discovery>2018-02-26</discovery> >+ <entry>2018-11-28</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="22bc5327-f33f-11e8-be46-0019dbb15b3f"> >+ <topic>payara -- Code execution via crafted PUT requests to JSPs</topic> >+ <affects> >+ <package> >+ <name>payara</name> >+ <range><eq>4.1.2.174</eq></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615"> >+ <p>When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP >+ PUTs enabled (e.g. via setting the readonly initialisation >+ parameter of the Default to false) it was possible to upload a >+ JSP file to the server via a specially crafted request. This >+ JSP could then be requested and any code it contained would be >+ executed by the server.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615</url> >+ <cvename>CVE-2017-12615</cvename> >+ </references> >+ <dates> >+ <discovery>2017-08-07</discovery> >+ <entry>2018-11-28</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="d70c9e18-f340-11e8-be46-0019dbb15b3f"> >+ <topic>payara -- Multiple vulnerabilities</topic> >+ <affects> >+ <package> >+ <name>payara</name> >+ <range><eq>4.1.2.173</eq></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031"> >+ <p>Apache Commons FileUpload before 1.3.3 >+ DiskFileItem File Manipulation Remote Code Execution.</p> >+ </blockquote> >+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3239"> >+ <p>Vulnerability in the Oracle GlassFish Server component of >+ Oracle Fusion Middleware (subcomponent: Administration). >+ Supported versions that are affected are 3.0.1 and 3.1.2. >+ Easily exploitable vulnerability allows low privileged attacker >+ with logon to the infrastructure where Oracle GlassFish Server >+ executes to compromise Oracle GlassFish Server. Successful >+ attacks of this vulnerability can result in unauthorized read >+ access to a subset of Oracle GlassFish Server accessible data. >+ CVSS v3.0 Base Score 3.3 (Confidentiality impacts).</p> >+ </blockquote> >+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3247"> >+ <p>Vulnerability in the Oracle GlassFish Server component of Oracle >+ Fusion Middleware (subcomponent: Core). Supported versions that >+ are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable >+ vulnerability allows unauthenticated attacker with network access >+ via SMTP to compromise Oracle GlassFish Server. Successful >+ attacks require human interaction from a person other than the >+ attacker. Successful attacks of this vulnerability can result in >+ unauthorized update, insert or delete access to some of Oracle >+ GlassFish Server accessible data. CVSS v3.0 Base Score 4.3 >+ (Integrity impacts).</p> >+ </blockquote> >+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3249"> >+ <p>Vulnerability in the Oracle GlassFish Server component of >+ Oracle Fusion Middleware (subcomponent: Security). Supported >+ versions that are affected are 2.1.1, 3.0.1 and 3.1.2. >+ Easily exploitable vulnerability allows unauthenticated attacker >+ with network access via LDAP to compromise Oracle GlassFish Server. >+ Successful attacks of this vulnerability can result in unauthorized >+ update, insert or delete access to some of Oracle GlassFish Server >+ accessible data as well as unauthorized read access to a subset of >+ Oracle GlassFish Server accessible data and unauthorized ability >+ to cause a partial denial of service (partial DOS) of Oracle >+ GlassFish Server. CVSS v3.0 Base Score 7.3 (Confidentiality, >+ Integrity and Availability impacts).</p> >+ </blockquote> >+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3250"> >+ <p>Vulnerability in the Oracle GlassFish Server component of Oracle >+ Fusion Middleware (subcomponent: Security). Supported versions that >+ are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable >+ vulnerability allows unauthenticated attacker with network access >+ via HTTP to compromise Oracle GlassFish Server. Successful attacks >+ of this vulnerability can result in unauthorized update, insert or >+ delete access to some of Oracle GlassFish Server accessible data as >+ well as unauthorized read access to a subset of Oracle GlassFish >+ Server accessible data and unauthorized ability to cause a partial >+ denial of service (partial DOS) of Oracle GlassFish Server. >+ CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and >+ Availability impacts).</p> >+ </blockquote> >+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5528"> >+ <p>Vulnerability in the Oracle GlassFish Server component of Oracle >+ Fusion Middleware (subcomponent: Security). Supported versions that >+ are affected are 2.1.1, 3.0.1 and 3.1.2. Difficult to exploit >+ vulnerability allows unauthenticated attacker with network access >+ via multiple protocols to compromise Oracle GlassFish Server. While >+ the vulnerability is in Oracle GlassFish Server, attacks may >+ significantly impact additional products. Successful attacks of this >+ vulnerability can result in takeover of Oracle GlassFish Server. >+ CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and >+ Availability impacts).</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031</url> >+ <cvename>CVE-2016-1000031</cvename> >+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3239</url> >+ <cvename>CVE-2017-3239</cvename> >+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3247</url> >+ <cvename>CVE-2017-3247</cvename> >+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3249</url> >+ <cvename>CVE-2017-3249</cvename> >+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3250</url> >+ <cvename>CVE-2017-3250</cvename> >+ <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5528</url> >+ <cvename>CVE-2016-5528</cvename> >+ </references> >+ <dates> >+ <discovery>2016-06-16</discovery> >+ <entry>2018-11-28</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="54976998-f248-11e8-81e2-005056a311d1"> > <topic>samba -- multiple vulnerabilities</topic> > <affects>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=199650">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
dmytro
:
maintainer-approval+
Actions:
View
|
Diff
Attachments on
bug 233573
:
199610
| 199650