https://bugzilla.redhat.com/show_bug.cgi?id=1879042 There doesn't seem to be a fix available yet.
CC: (none) => zombie_ryushu
Whiteboard: (none) => MGA7TOO
Blocks: (none) => 24817
Blocks: 24817 => (none)
Blocks: (none) => 24817
Depends on: (none) => 27794
Status comment: (none) => No fix available as of end of 2020
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
CVE: (none) => CVE-2020-25633
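The description above is terse about how a client-side exception turns into a server-side leak. The following is an added illustration written for this page, not code from the bug report, RESTEasy or the pki packages: a JAX-RS resource that proxies a request to an internal backend through the JAX-RS/RESTEasy client API. When the backend answers with an error status, the typed `get(String.class)` call throws a `WebApplicationException` that carries the backend's `Response`. If that exception escapes the resource method, the JAX-RS runtime serves the `Response` it carries, so the backend's raw error body (which may contain stack traces, hostnames or internal paths) reaches the external caller. The backend URL, resource paths and the error body format are assumptions for the example.

```java
// Added illustration of the leak pattern behind the CVE description above;
// not code from the bug report or from the RESTEasy project.
// Assumptions: a public JAX-RS resource that proxies to an internal backend
// (URL below is made up) using the javax.ws.rs client API of RESTEasy 4.x.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;

@Path("/orders")
public class OrdersResource {

    // Assumed internal endpoint; not part of the original report.
    private static final String BACKEND = "http://internal-backend.example/api/orders";

    private final Client client = ClientBuilder.newClient();

    // Leaky pattern: get(String.class) throws a WebApplicationException for any
    // 3xx/4xx/5xx answer, and that exception carries the backend's Response.
    // Left uncaught, the JAX-RS runtime returns that Response to the external
    // caller, including whatever body the backend produced (e.g. a stack trace).
    @GET
    @Path("/unsafe")
    @Produces("application/json")
    public String unsafe() {
        return client.target(BACKEND).request().get(String.class);
    }

    // Hardened pattern: catch the client-side exception at the trust boundary,
    // keep the upstream details server-side, and answer with a generic error.
    @GET
    @Path("/safe")
    @Produces("application/json")
    public Response safe() {
        try {
            String body = client.target(BACKEND).request().get(String.class);
            return Response.ok(body).build();
        } catch (WebApplicationException e) {
            Response upstream = e.getResponse();
            // Operators see the upstream status in the server log; the caller does not.
            System.err.println("backend call failed with status " + upstream.getStatus());
            upstream.close();
            return Response.status(Response.Status.BAD_GATEWAY)
                    .entity("{\"error\":\"upstream failure\"}")
                    .build();
        }
    }
}
```

The check a practitioner would run against a deployment built from the affected packages is exactly this: make the backend return an error with a distinctive body and call the proxying endpoint from outside; if the distinctive body comes back, the boundary is leaking. The explicit catch is the application-level mitigation that works regardless of which RESTEasy version the distribution ships.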
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
Removing Mageia 8 from whiteboard due to EOL.
Whiteboard: MGA8TOO => MGA9TOO
CC: (none) => geiger.david68210
Adding the flag: affects_mga9 + to all bugs with MGA9TOO on the whiteboard, without removing MGA9TOO (for now).
Flags: (none) => affects_mga9+
Paging through https://access.redhat.com/security/cve/cve-2020-25633#additional-info : It seems they fixed it for many of their products. However, I find nothing at https://resteasy.jboss.org/ But there is this (still open) issue about that CVE: https://github.com/jakartaee/rest/issues/917 Do we still need the four pki-resteasy packages at all?
CC: (none) => marja11
URL: (none) => https://access.redhat.com/security/cve/cve-2020-25633
(In reply to Marja Van Waes from comment #5)
> Paging through
> https://access.redhat.com/security/cve/cve-2020-25633#additional-info :
>
> It seems they fixed it for many of their products.
>
> However, I find nothing at https://resteasy.jboss.org/
>
> But there is this (still open) issue about that CVE:
>
> https://github.com/jakartaee/rest/issues/917
>
> Do we still need the four pki-resteasy packages at all?

Let's just obsolete them. If you don't agree, then stop this report from blocking bug 32127
Summary: resteasy new security issue CVE-2020-25633 => Obsolete resteasy (was: new security issue CVE-2020-25633)
Blocks: (none) => 32127
Agreed. IIRC, Fedora removed most of these old Java library packages, as they were no longer being maintained. We should be doing the same.
It seems sponsorship of RestEasy was taken over by Commonhaus.org and the general information page is at https://resteasy.dev/ and the source moved to https://github.com/resteasy/resteasy some time ago and is still being developed. CVE-2020-25633 was fixed a long time ago. See https://issues.redhat.com/browse/RESTEASY-2721
CC: (none) => rihoward1
(In reply to r howard from comment #8)
> It seems sponsorship of RestEasy was taken over by Commonhaus.org and the
> general information page is at https://resteasy.dev/ and the source moved to
> https://github.com/resteasy/resteasy some time ago and is still being
> developed. CVE-2020-25633 was fixed a long time ago. See
> https://issues.redhat.com/browse/RESTEASY-2721

Thanks for the feedback. Assigning to daviddavid, because he told us not to obsolete resteasy. (also removing the whiteboard string, since it was replaced by a flag)
Status comment: No fix available as of end of 2020 => (none)
Assignee: java => geiger.david68210
Blocks: 32127 => (none)
Summary: Obsolete resteasy (was: new security issue CVE-2020-25633) => resteasy: new security issue CVE-2020-25633)
Whiteboard: MGA9TOO => (none)