[Bugs] [Bug 13513] New: [CVE 21] derby 10.13.1.1 CVEs found

[bugzilla]

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13513

          Platform: 2021.1
            Bug ID: 13513
           Summary: [CVE 21] derby 10.13.1.1  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2018-1313,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
                    y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package derby version 10.13.1.1

INFO (CVEs are): derby 10.13.1.1
 cves found
CVE-2018-1313
Desc: In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet
can be used to request the Derby Network Server to boot a database whose
location and contents are under the user's control. If the Derby Network Server
is not running with a Java Security Manager policy file, the attack is
successful. If the server is using a policy file, the policy file must permit
the database location to be read for the attack to work. The default Derby
Network Server policy file distributed with the affected releases includes a
permissive policy as the default Network Server policy, which allows the attack
to work.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1313
Severity: MEDIUM

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/6425ef82/attachment.html>