{"update": {"autokarma": true, "autotime": false, "stable_karma": 2, "stable_days": 0, "unstable_karma": -2, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "\n\nSecurity fix: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1002200)\n\nA path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names. A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this issue. External References: https://snyk.io/research/zip-slip-vulnerability", "type": "security", "status": "stable", "request": null, "severity": "medium", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": false, "critpath_groups": null, "close_bugs": true, "date_submitted": "2018-06-06 07:49:14", "date_modified": null, "date_approved": null, "date_testing": "2018-06-06 15:01:18", "date_stable": "2018-06-14 19:12:51", "alias": "FEDORA-2018-7a9a2f6ec0", "test_gating_status": "ignored", "from_tag": null, "date_pushed": "2018-06-14 19:12:51", "meets_testing_requirements": true, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2018-7a9a2f6ec0", "title": "plexus-archiver-3.5-6.fc28", "version_hash": "fafe30659c80e7771ebe70fa18ef580c503d85d4", "release": {"name": "F28", "long_name": "Fedora 28", "version": "28", "id_prefix": "FEDORA", "branch": "f28", "dist_tag": "f28", "stable_tag": "f28-updates", "testing_tag": "f28-updates-testing", "candidate_tag": "f28-updates-candidate", "pending_signing_tag": "f28-signing-pending", "pending_testing_tag": "f28-updates-testing-pending", "pending_stable_tag": "f28-updates-pending", "override_tag": "f28-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": null, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "mizdebsk", "email": "mizdebsk@redhat.com", "id": 436, "avatar": "https://seccdn.libravatar.org/avatar/decdd711b4d9d90c0b4ac6f350af84bbcbf5c4ce9578c9fd89740876889ced5a?s=24&d=retro", "openid": "mizdebsk.id.fedoraproject.org", "groups": [{"name": "sysadmin-main"}, {"name": "provenpackager"}, {"name": "packager"}, {"name": "sysadmin-veteran"}, {"name": "fedorabugs"}, {"name": "gitmaven-rpminstall-plugin"}, {"name": "ipausers"}, {"name": "communishift"}, {"name": "sysadmin"}, {"name": "gitjava-deptools"}, {"name": "sysadmin-odcs"}, {"name": "fedora-contributor"}, {"name": "modularity-wg"}, {"name": "git-javapackages"}, {"name": "sysadmin-copr"}, {"name": "sysadmin-dns"}, {"name": "qa"}, {"name": "sysadmin-jenkins"}, {"name": "signed_fpca"}, {"name": "sysadmin-mbs"}, {"name": "sysadmin-koschei"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by mizdebsk. ", "timestamp": "2018-06-06 07:49:14", "update_id": 116928, "user_id": 91, "id": 795019, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2018-06-06 15:03:15", "update_id": 116928, "user_id": 91, "id": 795281, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes", "timestamp": "2018-06-13 18:00:45", "update_id": 116928, "user_id": 91, "id": 798438, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by mizdebsk. ", "timestamp": "2018-06-14 08:00:13", "update_id": 116928, "user_id": 91, "id": 798790, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2018-06-14 19:17:30", "update_id": 116928, "user_id": 91, "id": 799161, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "plexus-archiver-3.5-6.fc28", "signed": true, "release_id": 21, "type": "rpm", "epoch": 0}], "bugs": [{"bug_id": 1584392, "title": "CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file", "security": true, "parent": true, "feedback": []}, {"bug_id": 1587817, "title": "CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file [fedora-28]", "security": true, "parent": false, "feedback": []}], "updateid": "FEDORA-2018-7a9a2f6ec0", "karma": 0, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}