| Field | Value |
|---|---|
| Summary | [CVE 21] scala 2.10.6 CVEs found |
| Product | [ROSA-based products] ROSA Fresh |
| Reporter | Yury <y.tumanov> |
| Component | System (kernel, glibc, systemd, bash, PAM...) |
| Assignee | ROSA Linux Bugs <bugs> |
| Status | RESOLVED WONTFIX |
| QA Contact | ROSA Linux Bugs <bugs> |
| Severity | critical |
| Priority | Highest |
| CC | a.proklov, e.kosachev, s.matveev, v.potapov, y.tumanov |
| Version | All |
| Flags | y.tumanov: secteam_verified? |
| Target Milestone | --- |
| Hardware | All |
| OS | Linux |
| URL | CVE-2017-15288, CVE-2020-7907, |
| Whiteboard | |
| Platform | 2021.1 |
| ROSA Vulnerability identifier | |
| RPM Package | |
| ISO-related | |
| Bad POT generating | |
| Upstream | |

Please patch CVEs for package scala version 2.10.6

INFO (CVEs are): scala 2.10.6 cves found

CVE-2017-15288
Desc: The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
Link: https://nvd.nist.gov/vuln/detail/CVE-2017-15288
Severity: HIGH

CVE-2020-7907
Desc: In the JetBrains Scala plugin before 2019.2.1, some artefact dependencies were resolved over unencrypted connections.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-7907
Severity: HIGH