CVE-2012-2969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2969): Caucho Quercus, as distributed in Resin before 4.0.29, allows remote attackers to bypass intended restrictions on filename extensions for created files via a %00 sequence in a pathname within an HTTP request.

CVE-2012-2968 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2968): Directory traversal vulnerability in Caucho Quercus, as distributed in Resin before 4.0.29, allows remote attackers to create files in arbitrary directories via a .. (dot dot) in a pathname within an HTTP request.

CVE-2012-2967 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2967): Caucho Quercus, as distributed in Resin before 4.0.29, does not properly implement the == (equals sign equals sign) operator for comparisons, which has unspecified impact and context-dependent attack vectors.

CVE-2012-2966 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2966): Caucho Quercus, as distributed in Resin before 4.0.29, overwrites entries in the SERVER superglobal array on the basis of POST parameters, which has unspecified impact and remote attack vectors.

CVE-2012-2965 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2965): Caucho Quercus, as distributed in Resin before 4.0.29, does not properly handle unspecified characters in the names of variables, which has unknown impact and remote attack vectors, related to an "HTTP Parameter Contamination" issue.

Maintainers, please bump.
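The first two CVEs above describe two classic filename-handling defects: a NUL byte (%00) inside a request-supplied name that defeats an extension check, and dot-dot components that let a created file land outside the intended directory. The validator below is an added illustration written for this thread, not code from Quercus, Resin or the Gentoo ebuild; the upload directory, the extension policy and the function names are constructed for the example. It shows why a suffix check on the decoded string is insufficient and what a check that rejects both classes looks like.

```python
from urllib.parse import unquote
import posixpath

# Constructed policy for the example: only these extensions may be created.
ALLOWED_EXTENSIONS = {".txt", ".png"}
UPLOAD_ROOT = "/var/www/uploads"  # hypothetical base directory


def naive_extension_check(raw_name: str) -> bool:
    """The kind of check the CVE-2012-2969 class defeats: it looks at the
    decoded string, but a NUL byte inside that string truncates the name
    when it reaches a C-level filesystem API, so everything after %00 is
    never part of the name that ends up on disk."""
    return unquote(raw_name).lower().endswith(tuple(ALLOWED_EXTENSIONS))


def safe_upload_path(raw_name: str, base_dir: str = UPLOAD_ROOT) -> str:
    """Validate a request-supplied filename and return the absolute path it
    may be created at; raise ValueError for anything that is not a single,
    clean path component with a permitted extension."""
    name = unquote(raw_name)  # decode percent-encoding exactly once

    # 1. Embedded NUL: reject outright rather than trusting a suffix check.
    if "\x00" in name:
        raise ValueError("NUL byte in filename")

    # 2. Path separators and dot-dot: the name must be one component, so any
    #    separator or a bare "." / ".." is a traversal (CVE-2012-2968 class).
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        raise ValueError("path separators or traversal not allowed")

    # 3. Extension allow-list, applied only after the name is known clean.
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not permitted")

    # 4. Defence in depth: confirm the final path still lies under base_dir.
    full = posixpath.normpath(posixpath.join(base_dir, name))
    if posixpath.commonpath([base_dir, full]) != base_dir:
        raise ValueError("resolved path escapes base directory")
    return full


def is_accepted(raw_name: str) -> bool:
    """True if safe_upload_path accepts the name, False if it rejects it."""
    try:
        safe_upload_path(raw_name)
        return True
    except ValueError:
        return False
```

The ordering matters: the NUL and separator checks run before the extension test, so the extension decision is made on the same string the filesystem will see. Decoding exactly once is also deliberate; a second decode pass would turn a literal "%2500" into a NUL after the checks had passed.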
Author: Patrice Clement <monsieurp@gentoo.org>
Date: Wed Aug 12 23:50:16 2015 +0000

    www-servers/resin: Version bump. Fixes bug 472958 and bug 431416.

    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 create mode 100644 www-servers/resin/files/4.0.44/VarType.java.patch
 create mode 100644 www-servers/resin/files/4.0.44/build.xml.patch
 create mode 100644 www-servers/resin/files/4.0.44/resin-compile.patch
 create mode 100644 www-servers/resin/files/4.0.44/resin.conf
 create mode 100644 www-servers/resin/files/4.0.44/resin.init
 create mode 100644 www-servers/resin/resin-4.0.44.ebuild

Arch teams, Please stabilise:
=www-servers/resin-4.0.44
Target arches: amd64 x86
Thank you!
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
* commit 58f7931 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date: Fri Aug 21 13:20:32 2015 +0000

    www-servers/resin: Remove vulnerable versions. Fixes security bug 431416.

    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 delete mode 100644 www-servers/resin/files/4.0.13/resin.conf
 delete mode 100644 www-servers/resin/files/4.0.13/resin.init
 delete mode 100644 www-servers/resin/files/4.0.14/resin.conf
 delete mode 100644 www-servers/resin/files/4.0.14/resin.init
 delete mode 100644 www-servers/resin/files/4.0.15/resin.conf
 delete mode 100644 www-servers/resin/files/4.0.15/resin.init
 delete mode 100644 www-servers/resin/files/4.0.22/resin.conf
 delete mode 100644 www-servers/resin/files/4.0.22/resin.init
 delete mode 100644 www-servers/resin/files/4.0.25/resin.conf
 delete mode 100644 www-servers/resin/files/4.0.25/resin.init
 delete mode 100644 www-servers/resin/files/4.0.26/resin.conf
 delete mode 100644 www-servers/resin/files/4.0.26/resin.init
 delete mode 100644 www-servers/resin/resin-4.0.22.ebuild
 delete mode 100644 www-servers/resin/resin-4.0.25.ebuild
 delete mode 100644 www-servers/resin/resin-4.0.26.ebuild

Security, Please proceed.
GLSA Vote: No
amd64, x86 arches,

Please DO NOT STABILIZE within even testing.

It fails to compile here, see bug #558442 for details.
We will have another round of stabilisation for this package as I've put together a fix that should mend the issue. Agostino, I'm going to be a bit of a pain here but could you please test this package specifically with icedtea-7 *AND* oracle-jdk-bin-1.8 and make sure it works with both versions? Thanks a lot!
(In reply to Patrice Clement from comment #7)
> Agostino, I'm going to be a bit of a pain here but could you please test
> this package specifically with icedtea-7 *AND* oracle-jdk-bin-1.8 and make
> sure it works with both versions?

It works for me with oracle-jdk-bin-1.7 and oracle-jdk-bin-1.8.

(In reply to Anton Bolshakov from comment #6)
> amd64, x86 arches,
>
> Please DO NOT STABILIZE within even testing.
>
> It fails to compile here, see bug #558442 for details.

Nobody said that we should test the java packages with all java versions in the world. I usually test with the latest stable in tree.
(In reply to Agostino Sarubbo from comment #8)
> Nobody said that we should test the java packages with all java versions in
> the world. I usually test with the latest stable in tree.

We'll be killing off Java 6 ASAP and reducing the VM selection to just Oracle and IcedTea. These are similar enough that testing either one should be sufficient. In terms of testing both 7 and 8, we don't expect the arch teams to do that but I at least try to do that myself.
* commit 66a9358 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date: Tue Aug 25 12:06:07 2015 +0000

    www-servers/resin: Drop vulnerable version. Fixes security bug 431416.

    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 delete mode 100644 www-servers/resin/resin-4.0.44.ebuild

* commit 444c96a
Author: Patrice Clement <monsieurp@gentoo.org>
Date: Tue Aug 25 12:04:34 2015 +0000

    www-servers/resin: Stable for amd64+x86. Fixes bug 431416.

    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

Commits signed off by Agostino. Security, Please vote again.
(In reply to Agostino Sarubbo from comment #8)
> Nobody said that we should test the java packages with all java versions in
> the world. I usually test with the latest stable in tree.

resin depends on virtual/jdk, the current stable 7. In turn, virtual pulls:

=dev-java/icedtea-bin-7*
=dev-java/icedtea-7*
=dev-java/oracle-jdk-bin-1.7.0*
=dev-java/soylatte-jdk-bin-7*

in that order. And it fails with java 7.

In addition, I'm unable to compile one of its stable deps, see bug #547914.

So no, you did not test it with the stable in the tree.
* commit 67e2d53
Author: Patrice Clement <monsieurp@gentoo.org>
Date: Thu Sep 3 15:11:23 2015 +0000

    www-servers/resin: Bump dev-java/mojarra SLOT to 2.2. Fixes security bug 501280.

    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 create mode 100644 www-servers/resin/resin-4.0.44-r2.ebuild

Unrelated to this bug really but for the sake of completeness, I'm updating the header.
GLSA vote: no.