From bugzilla at redhat.com  Wed Apr 20 20:11:51 2011
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Apr 2011 16:11:51 -0400
Subject: [RHSA-2011:0460-01] Important: jboss-seam2 security update
Message-ID: <201104202011.p3KKBqaA027435@int-mx12.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jboss-seam2 security update
Advisory ID:       RHSA-2011:0460-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0460.html
Issue date:        2011-04-20
CVE Names:         CVE-2011-1484
=====================================================================

1. Summary:

Updated jboss-seam2 packages that fix one security issue are now available
for JBoss Enterprise Application Platform 4.3 for Red Hat Enterprise Linux 4
and 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server - noarch

3. Description:

The JBoss Seam 2 framework is an application framework for building web
applications in Java.

It was found that JBoss Seam 2 did not properly block access to JBoss
Expression Language (EL) constructs in page exception handling, allowing
arbitrary Java methods to be executed. A remote attacker could use this
flaw to execute arbitrary code via a specially-crafted URL provided to
certain applications based on the JBoss Seam 2 framework.

Note: A properly configured and enabled Java Security Manager would prevent
exploitation of this flaw. (CVE-2011-1484)

Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting
this issue.

Users of jboss-seam2 should upgrade to these updated packages, which
correct this issue. The JBoss server process must be restarted for this
update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

692421 - CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages

6. Package List:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-seam2-2.0.2.FP-1.ep1.27.el4.src.rpm

noarch:
jboss-seam2-2.0.2.FP-1.ep1.27.el4.noarch.rpm
jboss-seam2-docs-2.0.2.FP-1.ep1.27.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-seam2-2.0.2.FP-1.ep1.27.el4.src.rpm

noarch:
jboss-seam2-2.0.2.FP-1.ep1.27.el4.noarch.rpm
jboss-seam2-docs-2.0.2.FP-1.ep1.27.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-seam2-2.0.2.FP-1.ep1.27.el5.src.rpm

noarch:
jboss-seam2-2.0.2.FP-1.ep1.27.el5.noarch.rpm
jboss-seam2-docs-2.0.2.FP-1.ep1.27.el5.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-1484.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.


From bugzilla at redhat.com  Wed Apr 20 20:14:25 2011
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Apr 2011 16:14:25 -0400
Subject: [RHSA-2011:0461-01] Important: jboss-seam2 security update
Message-ID: <201104202014.p3KKEPst003275@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jboss-seam2 security update
Advisory ID:       RHSA-2011:0461-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0461.html
Issue date:        2011-04-20
CVE Names:         CVE-2011-1484
=====================================================================

1. Summary:

Updated jboss-seam2 packages that fix one security issue are now available
for JBoss Enterprise Application Platform 5.1 for Red Hat Enterprise Linux 4
and 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch

3. Description:

The JBoss Seam 2 framework is an application framework for building web
applications in Java.

It was found that JBoss Seam 2 did not properly block access to JBoss
Expression Language (EL) constructs in page exception handling, allowing
arbitrary Java methods to be executed. A remote attacker could use this
flaw to execute arbitrary code via a specially-crafted URL provided to
certain applications based on the JBoss Seam 2 framework.

Note: A properly configured and enabled Java Security Manager would prevent
exploitation of this flaw. (CVE-2011-1484)

Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting
this issue.

Users of jboss-seam2 should upgrade to these updated packages, which
correct this issue. The JBoss server process must be restarted for this
update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

692421 - CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages

6. Package List:

JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-seam2-2.2.2.EAP-17.el4_8.src.rpm

noarch:
jboss-seam2-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-docs-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-examples-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-runtime-2.2.2.EAP-17.el4_8.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-seam2-2.2.2.EAP-17.el4_8.src.rpm

noarch:
jboss-seam2-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-docs-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-examples-2.2.2.EAP-17.el4_8.noarch.rpm
jboss-seam2-runtime-2.2.2.EAP-17.el4_8.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-seam2-2.2.2.EAP-17.ep5.el5.src.rpm

noarch:
jboss-seam2-2.2.2.EAP-17.ep5.el5.noarch.rpm
jboss-seam2-docs-2.2.2.EAP-17.ep5.el5.noarch.rpm
jboss-seam2-examples-2.2.2.EAP-17.ep5.el5.noarch.rpm
jboss-seam2-runtime-2.2.2.EAP-17.ep5.el5.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-1484.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.


From bugzilla at redhat.com  Wed Apr 20 20:17:27 2011
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Apr 2011 16:17:27 -0400
Subject: [RHSA-2011:0462-01] Important: jboss-seam security update
Message-ID: <201104202017.p3KKHRVw005337@int-mx01.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jboss-seam security update
Advisory ID:       RHSA-2011:0462-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0462.html
Issue date:        2011-04-20
CVE Names:         CVE-2011-1484
=====================================================================

1. Summary:

An updated jboss-seam.jar file for JBoss Enterprise Application Platform
4.3.0.CP09 and 5.1.0 that fixes one security issue is now available from
the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Description:

The JBoss Seam 2 framework is an application framework for building web
applications in Java.

It was found that JBoss Seam 2 did not properly block access to JBoss
Expression Language (EL) constructs in page exception handling, allowing
arbitrary Java methods to be executed. A remote attacker could use this
flaw to execute arbitrary code via a specially-crafted URL provided to
certain applications based on the JBoss Seam 2 framework.

Note: A properly configured and enabled Java Security Manager would prevent
exploitation of this flaw. (CVE-2011-1484)

Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting
this issue.

All users of JBoss Enterprise Application Platform 4.3.0.CP09 and 5.1.0 as
provided from the Red Hat Customer Portal are advised to install this
update.

3. Solution:

The References section of this erratum contains download links (you must
log in to download the updated file).

Before applying the update, back up your existing JBoss Enterprise
Application Platform installation (including all applications and
configuration files).

Important: JBoss Enterprise Application Platform 4.3.0.CP09 ships with both
the JBoss Seam and JBoss Seam 2 frameworks. Ensure you only replace
version 2 with the updated jboss-seam.jar file.

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

692421 - CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1484.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.1.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=4.3.0.GA_CP09

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.


From bugzilla at redhat.com  Wed Apr 20 20:19:25 2011
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Apr 2011 16:19:25 -0400
Subject: [RHSA-2011:0463-01] Important: JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 security update
Message-ID: <201104202019.p3KKJPsO005692@int-mx01.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 security update
Advisory ID:       RHSA-2011:0463-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2011-0463.html
Issue date:        2011-04-20
CVE Names:         CVE-2011-1484
=====================================================================

1. Summary:

An updated jboss-seam.jar file for JBoss Enterprise SOA Platform 4.3.0.CP04
and 5.1.0 that fixes one security issue is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Description:

JBoss Enterprise SOA Platform is the next-generation ESB and business
process automation infrastructure. JBoss Enterprise SOA Platform allows IT
to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future
(EDA and CEP) integration methodologies to dramatically improve business
process execution speed and quality.

It was found that JBoss Seam 2 did not properly block access to JBoss
Expression Language (EL) constructs in page exception handling, allowing
arbitrary Java methods to be executed. A remote attacker could use this
flaw to execute arbitrary code via a specially-crafted URL provided to
certain applications based on the JBoss Seam 2 framework.

Note: A properly configured and enabled Java Security Manager would prevent
exploitation of this flaw. (CVE-2011-1484)

Red Hat would like to thank Martin Kouba from IT SYSTEMS a.s. for reporting
this issue.

All users of JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 as provided
from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains download links (you must
log in to download the updated file).

Before applying the update, back up your existing JBoss Enterprise SOA
Platform installation (including its databases, applications,
configuration files, and so on).

Important: JBoss Enterprise SOA Platform 4.3.0.CP04 ships with both the
JBoss Seam and JBoss Seam 2 frameworks. Ensure you only replace version 2
with the updated jboss-seam.jar file.

The JBoss Application Server process must be restarted for the update to
take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

692421 - CVE-2011-1484 JBoss Seam privilege escalation caused by EL interpolation in FacesMessages

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-1484.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=4.3.0.GA_CP04
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.1.0+GA

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
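Deciding whether a host already carries the fixed builds from the package lists of RHSA-2011:0460 and RHSA-2011:0461: an added example, not part of these advisories or of Red Hat's tooling. It compares an installed jboss-seam2 NVR against the fixed NVRs using a simplified rpmvercmp (rpm's tilde/caret rules are omitted); the `rpm -q` output it reads is constructed, not captured from a real host.

```python
import re
# Fixed builds (NVRs) from the package lists of RHSA-2011:0460 and
# RHSA-2011:0461 above; -docs/-examples/-runtime subpackages share them.
FIXED_NVRS = [
    "jboss-seam2-2.0.2.FP-1.ep1.27.el4",
    "jboss-seam2-2.0.2.FP-1.ep1.27.el5",
    "jboss-seam2-2.2.2.EAP-17.el4_8",
    "jboss-seam2-2.2.2.EAP-17.ep5.el5",
]
def split_nvr(nvr):
    """'name-version-release' -> (name, version, release); name may hold '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret rules): numerics rank above alphas."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # '010' == '10', as in rpm
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def dist_tag(release):
    """'1.ep1.27.el4' -> 'el4'; '17.el4_8' -> 'el4' (RHEL major only)."""
    m = re.search(r"\.(el\d+)", release)
    return m.group(1) if m else ""

def is_fixed(installed_nvr):
    """True = at/past the fixed release, False = older, None = stream not covered."""
    name, ver, rel = split_nvr(installed_nvr)
    for fixed in FIXED_NVRS:
        fname, fver, frel = split_nvr(fixed)
        same_pkg = name == fname or name.startswith(fname + "-")
        if same_pkg and ver == fver and dist_tag(rel) == dist_tag(frel):
            return rpmvercmp(rel, frel) >= 0
    return None

def check_rpm_output(rpm_q_output):
    """Map each NVR line of `rpm -q jboss-seam2 ...` output to its status."""
    lines = [l.strip() for l in rpm_q_output.splitlines()]
    return {l: is_fixed(l) for l in lines if l.startswith("jboss-seam2-")}
SAMPLE_RPM_Q = """jboss-seam2-2.0.2.FP-1.ep1.26.el5
jboss-seam2-docs-2.2.2.EAP-17.ep5.el5
package jboss-seam2-examples is not installed"""  # constructed, not captured
```

The jboss-seam.jar replacements from RHSA-2011:0462 and RHSA-2011:0463 are not RPM-packaged, so this check does not cover them.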