[Bugs] [Bug 13220] New: bookkeeper 4.3.2 cve-s found

[bugzilla]

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13220

          Platform: 2021.1
            Bug ID: 13220
           Summary: bookkeeper 4.3.2 cve-s found
    Classification: ROSA-based products
           Product: Certified ROSA distros
           Version: Chrome
          Hardware: All
                OS: Linux
            Status: CONFIRMED
          Severity: critical
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
  Target Milestone: ---
             Group: ROSA-plus-NTCIT

Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely execute
arbitrary code when combined with a deserialization gadget when listening to
untrusted network traffic for log data. This affects Log4j versions up to 1.2
up to 1.2.17.       https://nvd.nist.gov/vuln/detail/CVE-2019-17571 CRITICAL

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not
close the connection to the bookkeeper server when TLS hostname verification
fails. This leaves the bookkeeper client vulnerable to a man in the middle
attack. The problem affects BookKeeper client prior to versions 4.14.6 and
4.15.1.   https://nvd.nist.gov/vuln/detail/CVE-2022-32531 MEDIUM

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230416/5860c402/attachment.html>