From bugzilla at redhat.com  Mon Jun  2 14:12:37 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 2 Jun 2014 14:12:37 +0000
Subject: [RHSA-2014:0590-01] Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201406021412.s52ECcUf005342@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:       RHSA-2014:0590-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0590.html
Issue date:        2014-06-02
CVE Names:         CVE-2014-0107
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.2.0, which fixes one security issue and one bug, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

This update also fixes the following bug:

It was observed that when using the Transformer to convert a StreamSource to DOMResult, the performance of the conversion degraded as the size of the character data increased. For example, converting a 50 MB XML BLOB would take a very long time to finish. This issue has been resolved in this release by adjusting both the SAX2DOM and DOMBuilder classes to handle larger inputs more efficiently. (JBPAPP-10991)

All users of JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.2.0
https://issues.jboss.org/browse/JBPAPP-10991

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTjIYlXlSAg2UNWIIRArIlAKCbE0yUemWpXDxDEVFQMgTD1K2RwgCcDKsr
PEpyrzN/2fjsUz5FvOQFgX8=
=0IwS
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Jun  2 14:13:58 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 2 Jun 2014 14:13:58 +0000
Subject: [RHSA-2014:0591-01] Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201406021414.s52EDx0Y000884@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:       RHSA-2014:0591-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0591.html
Issue date:        2014-06-02
CVE Names:         CVE-2014-0107
=====================================================================

1. Summary:

Updated packages for JBoss Enterprise Application Platform 5.2.0 which fix one security issue and one bug are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

This update also fixes the following bug:

It was observed that when using the Transformer to convert a StreamSource to DOMResult, the performance of the conversion degraded as the size of the character data increased. For example, converting a 50 MB XML BLOB would take a very long time to finish. This issue has been resolved in this release by adjusting both the SAX2DOM and DOMBuilder classes to handle larger inputs more efficiently. (JBPAPP-10991)

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing Red Hat JBoss Enterprise Application Platform 5 installation (including all applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature

6. Package List:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/xalan-j2-2.7.1-12_patch_08.ep5.el4.src.rpm

noarch:
xalan-j2-2.7.1-12_patch_08.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/xalan-j2-2.7.1-12_patch_08.ep5.el4.src.rpm

noarch:
xalan-j2-2.7.1-12_patch_08.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/xalan-j2-2.7.1-12_patch_08.ep5.el5.src.rpm

noarch:
xalan-j2-2.7.1-12_patch_08.ep5.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/xalan-j2-2.7.1-12_patch_08.ep5.el6.src.rpm

noarch:
xalan-j2-2.7.1-12_patch_08.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://access.redhat.com/security/updates/classification/#important
https://issues.jboss.org/browse/JBPAPP-10991

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTjIZ5XlSAg2UNWIIRAp8eAJ9AeruhcjZp02SgDOHko6Vw6ByolgCeKiM0
icwKrRY1RLV3vjZL87xMI3E=
=e7BM
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Jun  5 15:04:49 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 5 Jun 2014 15:04:49 +0000
Subject: [RHSA-2014:0630-01] Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201406051504.s55F4n3K010110@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:       RHSA-2014:0630-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0630.html
Issue date:        2014-06-05
CVE Names:         CVE-2014-0224
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 5.2.0 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224)

Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. Red Hat JBoss Enterprise Application Platform includes OpenSSL 0.9.8e, so this flaw is only exploitable when OpenSSL in JBoss EAP is used as a client, communicating with a vulnerable server running OpenSSL version 1.0.1 and above. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue.

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0224.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/site/articles/904433
https://access.redhat.com/site/solutions/906533
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTkIb/XlSAg2UNWIIRAkOCAJ9XqUMKtoK0p+zJjK2zMsXIBHPwDwCfdkox
AN/OXHh6dPJ4n0ttLhaJtiA=
=A3Sq
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Jun  5 15:05:22 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 5 Jun 2014 15:05:22 +0000
Subject: [RHSA-2014:0632-01] Important: Red Hat JBoss Web Server 2.0.1 openssl security update
Message-ID: <201406051505.s55F5MRr019046@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2.0.1 openssl security update
Advisory ID:       RHSA-2014:0632-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0632.html
Issue date:        2014-06-05
CVE Names:         CVE-2014-0224
=====================================================================

1. Summary:

An update for the openssl component for Red Hat JBoss Web Server 2.0.1 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224)

Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. Red Hat JBoss Web Server includes OpenSSL 0.9.8e, so this flaw is only exploitable when OpenSSL in JBoss Web Server is used as a client, communicating with a vulnerable server running OpenSSL version 1.0.1 and above. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue.

All users of Red Hat JBoss Web Server 2.0.1 as provided from the Red Hat Customer Portal are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0224.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/site/articles/904433
https://access.redhat.com/site/solutions/906533
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.0.1

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTkIcaXlSAg2UNWIIRApmzAJ4gy2H6twBs40xTKH0Nq9Eg7dMN0QCfcIQM
Rhwtr+Jf0wSCUZJp7b2ksBM=
=x1Z+
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Jun  5 15:05:45 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 5 Jun 2014 15:05:45 +0000
Subject: [RHSA-2014:0633-01] Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Message-ID: <201406051505.s55F5k9u010996@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID:       RHSA-2014:0633-01
Product:           Red Hat JBoss Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0633.html
Issue date:        2014-06-05
CVE Names:         CVE-2014-0224
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Web Platform 5.2.0 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224)

Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. Red Hat JBoss Enterprise Web Platform includes OpenSSL 0.9.8e, so this flaw is only exploitable when OpenSSL in JBoss EWP is used as a client, communicating with a vulnerable server running OpenSSL version 1.0.1 and above. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue.

All users of Red Hat JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing Red Hat JBoss Enterprise Web Platform installation and deployed applications (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0224.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/site/articles/904433
https://access.redhat.com/site/solutions/906533
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTkIc+XlSAg2UNWIIRAtE+AKCJqLVbiW44/PqblUb7adwvJvkgNACgt8fC
Bsw+vunpag3CmakvlplkcBM=
=ha1L
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Jun  5 15:29:47 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 5 Jun 2014 15:29:47 +0000
Subject: [RHSA-2014:0631-01] Important: Red Hat JBoss Enterprise Application Platform 6.2.3 security update
Message-ID: <201406051529.s55FTlVm023541@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.2.3 security update
Advisory ID:       RHSA-2014:0631-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0631.html
Issue date:        2014-06-05
CVE Names:         CVE-2014-0224
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 6.2.3 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. (CVE-2014-0224)

Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL. Red Hat JBoss Enterprise Application Platform includes OpenSSL 0.9.8e, so this flaw is only exploitable when OpenSSL in JBoss EAP is used as a client, communicating with a vulnerable server running OpenSSL version 1.0.1 and above. For more information about this flaw, refer to: https://access.redhat.com/site/articles/904433

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue.

All users of Red Hat JBoss Enterprise Application Platform 6.2.3 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0224.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/site/articles/904433
https://access.redhat.com/site/solutions/906533
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
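The four OpenSSL advisories above (RHSA-2014:0630, 0632, 0633 and 0631) describe CVE-2014-0224 only as a "specially crafted handshake packet", and point out that the JBoss-bundled OpenSSL 0.9.8e is exposed as a client talking to a vulnerable 1.0.1+ server. The Python probe below is an added example, not part of any advisory and not Red Hat tooling. It tests the server side of that pairing: it completes the first handshake flight, then sends a ChangeCipherSpec before any key exchange and looks at how the server reacts. The interpretation is mine, taken from the publicly documented fix: an OpenSSL that enforces handshake state answers the out-of-order CCS with an unexpected_message alert, while an unfixed one processes it silently. The cipher-suite list, the verdict strings and the function names are assumptions of this example; treat "not-rejected" and "no-reply" as a prompt to confirm against the vendor article, not as proof of exposure.

```python
"""Probe whether a TLS server rejects a ChangeCipherSpec sent before key exchange
(the CVE-2014-0224 condition). Added example; builds records by hand so the
behaviour does not depend on the local OpenSSL build."""
import os
import socket
import struct
from typing import List, Optional, Tuple

TLS10 = b"\x03\x01"
REC_CCS, REC_ALERT, REC_HANDSHAKE = 20, 21, 22
HS_CLIENT_HELLO, HS_SERVER_HELLO_DONE = 1, 14
ALERT_UNEXPECTED_MESSAGE = 10  # what a fixed OpenSSL sends for an early CCS


def record(content_type: int, body: bytes) -> bytes:
    """Wrap body in a TLS 1.0 record header: type, version, 16-bit length."""
    return bytes([content_type]) + TLS10 + struct.pack("!H", len(body)) + body


def client_hello(random_bytes: Optional[bytes] = None) -> bytes:
    """Minimal TLS 1.0 ClientHello offering a few RSA/DHE suites (assumed list)."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    assert len(rnd) == 32
    suites = b"".join(struct.pack("!H", s)
                      for s in (0x0039, 0x0033, 0x0035, 0x002F, 0x000A, 0x0005))
    body = (TLS10 + rnd + b"\x00"                        # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites    # cipher suites
            + b"\x01\x00")                               # one compression method: null
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return record(REC_HANDSHAKE, hs)


def parse_records(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a buffer into (content_type, body) tuples; a trailing partial record is dropped."""
    out, i = [], 0
    while i + 5 <= len(data):
        ctype, length = data[i], struct.unpack("!H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        out.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return out


def handshake_types(stream: bytes) -> List[int]:
    """Handshake message types in a (possibly concatenated) handshake byte stream."""
    types, i = [], 0
    while i + 4 <= len(stream):
        types.append(stream[i])
        i += 4 + int.from_bytes(stream[i + 1:i + 4], "big")
    return types


def classify_ccs_response(reply: bytes) -> str:
    """Verdict on what came back after our premature ChangeCipherSpec:
    'rejected'     alert unexpected_message: server enforces handshake state
    'not-rejected' any other record (other alert, CCS, handshake data)
    'no-reply'     nothing complete was read: the server accepted the CCS and
                   is waiting, or the network got in the way; inconclusive."""
    recs = parse_records(reply)
    if not recs:
        return "no-reply"
    for ctype, body in recs:
        if ctype == REC_ALERT and len(body) >= 2 and body[1] == ALERT_UNEXPECTED_MESSAGE:
            return "rejected"
    return "not-rejected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Run the probe against a live server and return the classify_ccs_response() verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        buf = b""
        while True:  # read the server flight up to ServerHelloDone
            chunk = s.recv(4096)
            if not chunk:
                return "no-reply"
            buf += chunk
            recs = parse_records(buf)
            if any(t == REC_ALERT for t, _ in recs):
                return "handshake-failed"  # e.g. no common cipher suite; not a verdict
            hs_stream = b"".join(b for t, b in recs if t == REC_HANDSHAKE)
            if HS_SERVER_HELLO_DONE in handshake_types(hs_stream):
                break
        s.sendall(record(REC_CCS, b"\x01"))  # CCS before ClientKeyExchange
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
        return classify_ccs_response(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, probe(target))
```

Run it only against hosts you are authorised to test. A "rejected" verdict covers just this one check; the JBoss side of the advisory (the 0.9.8e client) is fixed by the erratum, not by anything this probe can observe.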
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTkIzSXlSAg2UNWIIRAsQ0AKC58jPq2+I7hKtfDJxZtjjR8g8KXACfUcOm
d+QFVVhMuZ18akqwETiZV5o=
=8v9a
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Jun 23 18:51:07 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 23 Jun 2014 18:51:07 +0000
Subject: [RHSA-2014:0783-01] Moderate: Red Hat JBoss Web Server 2.0.1 httpd security and bug fix update
Message-ID: <201406231851.s5NIp78O016778@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.0.1 httpd security and bug fix update
Advisory ID:       RHSA-2014:0783-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0783.html
Issue date:        2014-06-23
CVE Names:         CVE-2013-6438 CVE-2014-0098
=====================================================================

1. Summary:

Updated httpd packages that fix two security issues and one bug are now available for Red Hat JBoss Web Server 2.0.1 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 2 for RHEL 5 Server - i386, x86_64
Red Hat JBoss Web Server 2 for RHEL 6 Server - i386, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that the mod_dav module did not correctly strip leading white space from certain elements in a parsed XML. In certain httpd configurations that use the mod_dav module (for example when using the mod_dav_svn module), a remote attacker could send a specially crafted DAV request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2013-6438)

A buffer over-read flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled, a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed cookie header. (CVE-2014-0098)

This update also fixes the following bug:

It was discovered that the mod_log_config module, which provides logging of client requests, truncated cookie values at the first occurrence of an equal sign ('=') when using the "%{abc}C" syntax in a LogFormat definition. (ASF Bug 53104)

All users of Red Hat JBoss Web Server 2.0.1 should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, users must restart the httpd service for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1077867 - CVE-2013-6438 httpd: mod_dav denial of service via crafted DAV WRITE request
1077871 - CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS

6. Package List:

Red Hat JBoss Web Server 2 for RHEL 5 Server:

Source:
httpd-2.2.22-27.ep6.el5.src.rpm

i386:
httpd-2.2.22-27.ep6.el5.i386.rpm
httpd-debuginfo-2.2.22-27.ep6.el5.i386.rpm
httpd-devel-2.2.22-27.ep6.el5.i386.rpm
httpd-manual-2.2.22-27.ep6.el5.i386.rpm
httpd-tools-2.2.22-27.ep6.el5.i386.rpm
mod_ssl-2.2.22-27.ep6.el5.i386.rpm

x86_64:
httpd-2.2.22-27.ep6.el5.x86_64.rpm
httpd-debuginfo-2.2.22-27.ep6.el5.x86_64.rpm
httpd-devel-2.2.22-27.ep6.el5.x86_64.rpm
httpd-manual-2.2.22-27.ep6.el5.x86_64.rpm
httpd-tools-2.2.22-27.ep6.el5.x86_64.rpm
mod_ssl-2.2.22-27.ep6.el5.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 6 Server:

Source:
httpd-2.2.22-27.ep6.el6.src.rpm

i386:
httpd-2.2.22-27.ep6.el6.i386.rpm
httpd-debuginfo-2.2.22-27.ep6.el6.i386.rpm
httpd-devel-2.2.22-27.ep6.el6.i386.rpm
httpd-manual-2.2.22-27.ep6.el6.i386.rpm
httpd-tools-2.2.22-27.ep6.el6.i386.rpm
mod_ssl-2.2.22-27.ep6.el6.i386.rpm

x86_64:
httpd-2.2.22-27.ep6.el6.x86_64.rpm
httpd-debuginfo-2.2.22-27.ep6.el6.x86_64.rpm
httpd-devel-2.2.22-27.ep6.el6.x86_64.rpm
httpd-manual-2.2.22-27.ep6.el6.x86_64.rpm
httpd-tools-2.2.22-27.ep6.el6.x86_64.rpm
mod_ssl-2.2.22-27.ep6.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6438.html
https://www.redhat.com/security/data/cve/CVE-2014-0098.html
https://access.redhat.com/security/updates/classification/#moderate
https://issues.apache.org/bugzilla/show_bug.cgi?id=53104

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
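RHSA-2014:0783 above names two mod_log_config problems in the same cookie code path: a malformed Cookie header could crash the child process (CVE-2014-0098), and "%{abc}C" truncated a cookie value at its first '=' (ASF Bug 53104). The Python parser below is an added example, not httpd code and not the backported patch; it shows the semantics a cookie-logging field should have, so that both properties can be checked with concrete headers: the value is everything after the first '=', and entries with no '=' or no name are skipped instead of being handed to later string handling. Case-insensitive name matching and the function names are assumptions of this example.

```python
"""Cookie extraction with the semantics a LogFormat '%{name}C' field should have.
Added example (not httpd's C code): a tolerant parser exercised with the two
malformed-input cases the advisory describes."""
from typing import Dict


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header on ';' into name -> value.

    - The value is everything after the FIRST '=' so "session=abc=def" keeps "abc=def".
    - Entries with no '=' at all ("junk") or with an empty name ("=bar") are skipped;
      nothing downstream ever sees a missing token.
    - The first occurrence of a name wins (clients send the most specific cookie first).
    Names are lower-cased so lookups are case-insensitive (assumption of this example)."""
    cookies: Dict[str, str] = {}
    for entry in header.split(";"):
        name, sep, value = entry.strip().partition("=")
        name = name.strip()
        if not sep or not name:
            continue  # malformed pair: ignore rather than fault
        cookies.setdefault(name.lower(), value.strip())
    return cookies


def log_cookie(header: str, name: str) -> str:
    """The access-log field for %{name}C: the full value, or '-' when absent."""
    return parse_cookie_header(header).get(name.lower(), "-")


# Constructed sample headers (not captured traffic) covering the advisory's two cases.
SAMPLE_HEADERS = {
    "value with '='":     "session=abc=def; theme=dark",
    "malformed entries":  "junk; =novalue; token=x",
}

if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(f"{label:20s} session={log_cookie(hdr, 'session')!r} token={log_cookie(hdr, 'token')!r}")
```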
From bugzilla at redhat.com Mon Jun 23 18:52:00 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 23 Jun 2014 18:52:00 +0000
Subject: [RHSA-2014:0784-01] Moderate: Red Hat JBoss Web Server 2.0.1 httpd security and bug fix update
Message-ID: <201406231852.s5NIq0R9015406@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.0.1 httpd security and bug fix update
Advisory ID:       RHSA-2014:0784-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0784.html
Issue date:        2014-06-23
CVE Names:         CVE-2013-6438 CVE-2014-0098
=====================================================================

1. Summary:

An update for the Apache HTTP Server component of Red Hat JBoss Web Server 2.0.1 that fixes two security issues and one bug is now available from the Red Hat Customer Portal for Red Hat Enterprise Linux 5 and 6, Solaris, and Microsoft Windows.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It comprises the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that the mod_dav module did not correctly strip leading white space from certain elements in a parsed XML document. In certain httpd configurations that use the mod_dav module (for example when using the mod_dav_svn module), a remote attacker could send a specially crafted DAV request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2013-6438)

A buffer over-read flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled, a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed cookie header. (CVE-2014-0098)

This update also fixes the following bug:

It was discovered that the mod_log_config module, which provides logging of client requests, truncated cookie values at the first occurrence of an equal sign ('=') when using the "%{abc}C" syntax in a LogFormat definition. (ASF Bug 53104)

All users of Red Hat JBoss Web Server 2.0.1 as provided from the Red Hat Customer Portal are advised to apply this update. The Apache HTTP Server must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1077867 - CVE-2013-6438 httpd: mod_dav denial of service via crafted DAV WRITE request
1077871 - CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-6438.html
https://www.redhat.com/security/data/cve/CVE-2014-0098.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.0.1
https://issues.apache.org/bugzilla/show_bug.cgi?id=53104

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Mon Jun 23 18:53:00 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 23 Jun 2014 18:53:00 +0000
Subject: [RHSA-2014:0785-01] Important: Red Hat JBoss Web Framework Kit 2.5.0 security update
Message-ID: <201406231853.s5NIr1cf023825@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Framework Kit 2.5.0 security update
Advisory ID:       RHSA-2014:0785-01
Product:           Red Hat JBoss Web Framework Kit
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0785.html
Issue date:        2014-06-23
CVE Names:         CVE-2014-0248
=====================================================================

1. Summary:

An update for the Seam component of Red Hat JBoss Web Framework Kit 2.5.0 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Web Framework Kit combines popular open source web frameworks into a single solution for Java applications.

Seam is an open source development platform for building rich Internet applications in Java. Seam integrates technologies such as Asynchronous JavaScript and XML (AJAX), JavaServer Faces (JSF), Java Persistence API (JPA), and Enterprise Java Beans (EJB).
Seam 2.3 provides support for JSF 2, RichFaces 4, and JPA 2 capabilities, running on top of Red Hat JBoss Enterprise Application Platform 6.

It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application. (CVE-2014-0248)

All users of Red Hat JBoss Web Framework Kit 2.5.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing installation of Red Hat JBoss Web Framework Kit.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1101619 - CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0248.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=securityPatches&version=2.5.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Wed Jun 25 16:58:03 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 25 Jun 2014 16:58:03 +0000
Subject: [RHSA-2014:0791-01] Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Message-ID: <201406251658.s5PGw4SH026430@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID:       RHSA-2014:0791-01
Product:           Red Hat JBoss Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0791.html
Issue date:        2014-06-25
CVE Names:         CVE-2014-0248
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Web Platform 5.2.0 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam.

It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application. (CVE-2014-0248)

The CVE-2014-0248 issue was discovered by Marek Schmidt of Red Hat.

All users of Red Hat JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1101619 - CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0248.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Wed Jun 25 16:59:16 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 25 Jun 2014 16:59:16 +0000
Subject: [RHSA-2014:0792-01] Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Message-ID: <201406251659.s5PGxH7i014113@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID:       RHSA-2014:0792-01
Product:           Red Hat JBoss Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0792.html
Issue date:        2014-06-25
CVE Names:         CVE-2014-0248
=====================================================================

1. Summary:

Updated packages for Red Hat JBoss Enterprise Web Platform 5.2.0 that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Platform 5 for RHEL 4 AS - noarch
Red Hat JBoss Web Platform 5 for RHEL 4 ES - noarch
Red Hat JBoss Web Platform 5 for RHEL 5 Server - noarch
Red Hat JBoss Web Platform 5 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam.

It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application. (CVE-2014-0248)

The CVE-2014-0248 issue was discovered by Marek Schmidt of Red Hat.

All users of Red Hat JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Also, back up your existing Red Hat JBoss Enterprise Web Platform 5 installation (including all applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1101619 - CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter

6. Package List:

Red Hat JBoss Web Platform 5 for RHEL 4 AS:

Source:
jboss-seam2-2.2.6.EAP5-10.ep5.el4.src.rpm

noarch:
jboss-seam2-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-docs-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-examples-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-runtime-2.2.6.EAP5-10.ep5.el4.noarch.rpm

Red Hat JBoss Web Platform 5 for RHEL 4 ES:

Source:
jboss-seam2-2.2.6.EAP5-10.ep5.el4.src.rpm

noarch:
jboss-seam2-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-docs-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-examples-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-runtime-2.2.6.EAP5-10.ep5.el4.noarch.rpm

Red Hat JBoss Web Platform 5 for RHEL 5 Server:

Source:
jboss-seam2-2.2.6.EAP5-12.ep5.el5.src.rpm

noarch:
jboss-seam2-2.2.6.EAP5-12.ep5.el5.noarch.rpm
jboss-seam2-docs-2.2.6.EAP5-12.ep5.el5.noarch.rpm
jboss-seam2-examples-2.2.6.EAP5-12.ep5.el5.noarch.rpm
jboss-seam2-runtime-2.2.6.EAP5-12.ep5.el5.noarch.rpm

Red Hat JBoss Web Platform 5 for RHEL 6 Server:

Source:
jboss-seam2-2.2.6.EAP5-16.el6_5.src.rpm

noarch:
jboss-seam2-2.2.6.EAP5-16.el6_5.noarch.rpm
jboss-seam2-docs-2.2.6.EAP5-16.el6_5.noarch.rpm
jboss-seam2-examples-2.2.6.EAP5-16.el6_5.noarch.rpm
jboss-seam2-runtime-2.2.6.EAP5-16.el6_5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0248.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Wed Jun 25 16:59:49 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 25 Jun 2014 16:59:49 +0000
Subject: [RHSA-2014:0793-01] Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201406251659.s5PGxn9U028162@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:       RHSA-2014:0793-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0793.html
Issue date:        2014-06-25
CVE Names:         CVE-2014-0248
=====================================================================

1. Summary:

Updated packages for Red Hat JBoss Enterprise Application Platform 5.2.0 that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application. (CVE-2014-0248)

The CVE-2014-0248 issue was discovered by Marek Schmidt of Red Hat.

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Also, back up your existing Red Hat JBoss Enterprise Application Platform 5 installation (including all applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1101619 - CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter

6. Package List:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
jboss-seam2-2.2.6.EAP5-10.ep5.el4.src.rpm

noarch:
jboss-seam2-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-docs-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-examples-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-runtime-2.2.6.EAP5-10.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
jboss-seam2-2.2.6.EAP5-10.ep5.el4.src.rpm

noarch:
jboss-seam2-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-docs-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-examples-2.2.6.EAP5-10.ep5.el4.noarch.rpm
jboss-seam2-runtime-2.2.6.EAP5-10.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
jboss-seam2-2.2.6.EAP5-12.ep5.el5.src.rpm

noarch:
jboss-seam2-2.2.6.EAP5-12.ep5.el5.noarch.rpm
jboss-seam2-docs-2.2.6.EAP5-12.ep5.el5.noarch.rpm
jboss-seam2-examples-2.2.6.EAP5-12.ep5.el5.noarch.rpm
jboss-seam2-runtime-2.2.6.EAP5-12.ep5.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
jboss-seam2-2.2.6.EAP5-16.el6_5.src.rpm

noarch:
jboss-seam2-2.2.6.EAP5-16.el6_5.noarch.rpm
jboss-seam2-docs-2.2.6.EAP5-16.el6_5.noarch.rpm
jboss-seam2-examples-2.2.6.EAP5-16.el6_5.noarch.rpm
jboss-seam2-runtime-2.2.6.EAP5-16.el6_5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0248.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Wed Jun 25 17:04:51 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 25 Jun 2014 17:04:51 +0000
Subject: [RHSA-2014:0794-01] Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201406251704.s5PH4pqE006157@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:       RHSA-2014:0794-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0794.html
Issue date:        2014-06-25
CVE Names:         CVE-2014-0248
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 5.2.0 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application. (CVE-2014-0248)

The CVE-2014-0248 issue was discovered by Marek Schmidt of Red Hat.

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1101619 - CVE-2014-0248 JBoss Seam: RCE via unsafe logging in AuthenticationFilter

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0248.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
From bugzilla at redhat.com Thu Jun 26 15:17:55 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 26 Jun 2014 15:17:55 +0000
Subject: [RHSA-2014:0797-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update
Message-ID: <201406261517.s5QFHuZC019466@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update
Advisory ID:       RHSA-2014:0797-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0797.html
Issue date:        2014-06-26
CVE Names:         CVE-2014-0034 CVE-2014-0035 CVE-2014-0109 CVE-2014-0110 CVE-2014-3481
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.2.4 and fix multiple security issues, several bugs, and add various enhancements are now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

Apache CXF is an open source services framework, which is a part of Red Hat JBoss Enterprise Application Platform.

It was found that the SecurityTokenService (STS), provided as a part of Apache CXF, could under certain circumstances accept invalid SAML tokens as valid. A remote attacker could use a specially crafted SAML token to gain access to an application that uses STS for validation of SAML tokens. (CVE-2014-0034)

A denial of service flaw was found in the way Apache CXF created error messages for certain POST requests. A remote attacker could send a specially crafted request which, when processed by an application using Apache CXF, could consume an excessive amount of memory on the system, possibly triggering an Out Of Memory (OOM) error. (CVE-2014-0109)

It was found that when a large invalid SOAP message was processed by Apache CXF, it could be saved to a temporary file in the /tmp directory. A remote attacker could send a specially crafted SOAP message that, when processed by an application using Apache CXF, would use an excessive amount of disk space, possibly causing a denial of service. (CVE-2014-0110)

It was found that the Java API for RESTful Web Services (JAX-RS) implementation enabled external entity expansion by default. A remote attacker could use this flaw to view the contents of arbitrary files accessible to the application server user. (CVE-2014-3481)

It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF. (CVE-2014-0035)

The CVE-2014-3481 issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.2.3, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.2.4 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.2 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

4. Bugs fixed (https://bugzilla.redhat.com/):

1093526 - CVE-2014-0109 Apache CXF: HTML content posted to SOAP endpoint could cause OOM errors
1093527 - CVE-2014-0110 Apache CXF: Large invalid content could cause temporary space to fill
1093529 - CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid
1093530 - CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
1105242 - CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0034.html
https://www.redhat.com/security/data/cve/CVE-2014-0035.html
https://www.redhat.com/security/data/cve/CVE-2014-0109.html
https://www.redhat.com/security/data/cve/CVE-2014-0110.html
https://www.redhat.com/security/data/cve/CVE-2014-3481.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.2.0
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.4_Release_Notes/index.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
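The JAX-RS flaw in RHSA-2014:0797 above (CVE-2014-3481) is an XML parser that expands external entities by default. As an added illustration, not part of the advisory or of any JBoss code, the following Python program parses one constructed request body twice with the standard-library SAX parser: once with external general entities enabled, which inlines the contents of a constructed temporary file, and once with the settings a hardened deployment applies (external general and parameter entities disabled, plus an entity resolver that refuses every fetch). The element names, the temporary file and its SECRET-DATA marker are constructed for the demonstration.

```python
"""XXE from the defender's side: external-entity resolution on versus off.

Added example, not part of RHSA-2014:0797 or of JBoss/RESTEasy. It uses the
standard-library SAX parser (expat) so it runs offline. The document, the
temporary file and the SECRET-DATA marker are constructed for the demo.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, EntityResolver,
                             feature_external_ges, feature_external_pes)


class TextCollector(ContentHandler):
    """Collects the character data of every element, keyed by element name."""

    def __init__(self):
        super().__init__()
        self.text = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")

    def characters(self, content):
        if self._stack:
            self.text[self._stack[-1]] += content

    def endElement(self, name):
        self._stack.pop()


class RefusingResolver(EntityResolver):
    """Defence in depth: even if someone re-enables external entities later,
    any attempt to fetch one becomes an error instead of file or network I/O."""

    def resolveEntity(self, publicId, systemId):
        raise ValueError("external entity fetch refused: %r" % systemId)


def parse_with_external_entities(data: bytes) -> dict:
    """The unsafe configuration the advisory describes: external general
    entities are resolved, so a SYSTEM entity naming a local file is read
    and its contents are inlined into the document."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous setting
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text


def parse_hardened(data: bytes) -> dict:
    """The hardened configuration: external general and parameter entities
    are disabled explicitly, and the resolver refuses fetches regardless."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setEntityResolver(RefusingResolver())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text


def xxe_document(path: str) -> bytes:
    """A request body of the kind the advisory describes (constructed): the
    internal DTD subset declares an entity whose SYSTEM identifier is a local
    file, and an element references it. A file:// URI resolves the same way."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [<!ENTITY ext SYSTEM "' + path + '">]>\n'
        '<order><customer>acme</customer><note>&ext;</note></order>\n'
    ).encode()


def demonstrate() -> tuple:
    """Returns (leaked, hardened): the <note> text seen by each configuration
    for the same document. The secret file stands in for e.g. /etc/passwd."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"SECRET-DATA")            # constructed secret content
        doc = xxe_document(path)
        leaked = parse_with_external_entities(doc)["note"]
        hardened = parse_hardened(doc)["note"]
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demonstrate()
    print("external entities on :", repr(leaked))    # 'SECRET-DATA'
    print("external entities off:", repr(hardened))  # ''
```

The same two settings exist on every JAXP parser; on a JAX-RS stack the fix is to apply the hardened configuration to the XML provider that unmarshals request bodies, not only to parsers the application creates itself.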
From bugzilla at redhat.com Thu Jun 26 15:18:23 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 26 Jun 2014 15:18:23 +0000
Subject: [RHSA-2014:0798-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update
Message-ID: <201406261518.s5QFIOrI016169@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update
Advisory ID:       RHSA-2014:0798-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0798.html
Issue date:        2014-06-26
CVE Names:         CVE-2014-0034 CVE-2014-0035 CVE-2014-0109 CVE-2014-0110 CVE-2014-3481
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.2.4 and fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

Apache CXF is an open source services framework, which is a part of Red Hat JBoss Enterprise Application Platform.

It was found that the SecurityTokenService (STS), provided as a part of Apache CXF, could under certain circumstances accept invalid SAML tokens as valid. A remote attacker could use a specially crafted SAML token to gain access to an application that uses STS for validation of SAML tokens. (CVE-2014-0034)

A denial of service flaw was found in the way Apache CXF created error messages for certain POST requests. A remote attacker could send a specially crafted request which, when processed by an application using Apache CXF, could consume an excessive amount of memory on the system, possibly triggering an Out Of Memory (OOM) error. (CVE-2014-0109)

It was found that when a large invalid SOAP message was processed by Apache CXF, it could be saved to a temporary file in the /tmp directory. A remote attacker could send a specially crafted SOAP message that, when processed by an application using Apache CXF, would use an excessive amount of disk space, possibly causing a denial of service. (CVE-2014-0110)

It was found that the Java API for RESTful Web Services (JAX-RS) implementation enabled external entity expansion by default. A remote attacker could use this flaw to view the contents of arbitrary files accessible to the application server user. (CVE-2014-3481)

It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF. (CVE-2014-0035)

The CVE-2014-3481 issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.2.3, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.2.4 Release Notes, linked to in the References.
All users of Red Hat JBoss Enterprise Application Platform 6.2 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as .rpmnew files. Make sure to locate any such files after the update and merge any changes manually.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1090473 - RHEL5 RPMs: Upgrade wss4j to 1.6.15.redhat-1
1093526 - CVE-2014-0109 Apache CXF: HTML content posted to SOAP endpoint could cause OOM errors
1093527 - CVE-2014-0110 Apache CXF: Large invalid content could cause temporary space to fill
1093529 - CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid
1093530 - CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
1103767 - Tracker bug for the EAP 6.2.4 release for RHEL-5.
1103873 - RHEL5 RPMs: Upgrade jboss-aesh to 0.33.12.redhat-1
1104167 - RHEL5 RPMs: Upgrade jbossweb to 7.3.2.Final-redhat-1
1105242 - CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)
1105592 - RHEL5 RPMs: Upgrade hibernate4-eap6 to 4.2.7.SP5-redhat-1
1105658 - RHEL5 RPMs: Upgrade jboss-security-negotiation to 2.2.10.Final-redhat-1
1106546 - RHEL5 RPMs: Upgrade jboss-xnio-base to 3.0.10.GA-redhat-1
1106580 - RHEL5 RPMs: Upgrade apache-cxf to 2.7.11.redhat-3
1106583 - RHEL5 RPMs: Upgrade jbossts to 4.17.15.Final-redhat-5
1106586 - RHEL5 RPMs: Upgrade picketbox to 4.0.19.SP8-redhat-1
1106590 - RHEL5 RPMs: Upgrade weld-core to 1.1.17.SP3-redhat-1
1109954 - RHEL5 RPMs: Upgrade resteasy to 2.3.7.2-redhat-1

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server:

Source:
apache-cxf-2.7.11-3.redhat_3.1.ep6.el5.src.rpm
hibernate4-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el5.src.rpm
jboss-aesh-0.33.12-1.redhat_1.1.ep6.el5.src.rpm
jboss-as-appclient-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cli-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-client-all-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-clustering-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cmp-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-configadmin-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-connector-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-client-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-core-security-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-http-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-management-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ejb3-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-embedded-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-host-controller-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jacorb-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jaxr-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jdr-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jmx-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jpa-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jsf-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jsr77-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-logging-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-mail-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-messaging-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-modcluster-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-naming-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-network-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-pojo-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-process-controller-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-protocol-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-remoting-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-sar-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-security-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-server-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-threads-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-transactions-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-version-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-web-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-webservices-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-weld-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-xts-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-security-negotiation-2.2.10-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-xnio-base-3.0.10-1.GA_redhat_1.1.ep6.el5.src.rpm
jbossas-appclient-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-bundles-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-core-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-domain-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-javadocs-7.3.4-1.Final_redhat_1.ep6.el5.src.rpm
jbossas-modules-eap-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-product-eap-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-standalone-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossts-4.17.15-5.Final_redhat_5.1.ep6.el5.src.rpm
jbossweb-7.3.2-1.Final_redhat_1.1.ep6.el5.src.rpm
picketbox-4.0.19-8.SP8_redhat_1.1.ep6.el5.src.rpm
resteasy-2.3.7.2-1.Final_redhat_1.1.ep6.el5.src.rpm
weld-core-1.1.17-4.SP3_redhat_1.1.ep6.el5.src.rpm
wss4j-1.6.15-1.redhat_1.1.ep6.el5.src.rpm

noarch:
apache-cxf-2.7.11-3.redhat_3.1.ep6.el5.noarch.rpm
hibernate4-core-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-entitymanager-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-envers-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-infinispan-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el5.noarch.rpm
jboss-aesh-0.33.12-1.redhat_1.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-cli-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-connector-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-controller-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-controller-client-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-core-security-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-deployment-repository-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-deployment-scanner-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-domain-http-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-domain-management-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-ee-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-ee-deployment-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-ejb3-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-embedded-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-host-controller-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-jacorb-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-jaxr-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-jaxrs-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-jdr-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-jmx-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-jpa-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-jsf-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-jsr77-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-logging-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-mail-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-management-client-content-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-messaging-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-modcluster-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-naming-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-network-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-osgi-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-osgi-configadmin-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-osgi-service-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm 
jboss-as-platform-mbean-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-pojo-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-process-controller-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-protocol-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-remoting-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-sar-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-security-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-server-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-system-jmx-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-threads-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-transactions-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-version-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-web-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-webservices-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-weld-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-xts-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-security-negotiation-2.2.10-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-xnio-base-3.0.10-1.GA_redhat_1.1.ep6.el5.noarch.rpm jbossas-appclient-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossas-bundles-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossas-core-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossas-domain-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossas-javadocs-7.3.4-1.Final_redhat_1.ep6.el5.noarch.rpm jbossas-modules-eap-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossas-product-eap-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossas-standalone-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossas-welcome-content-eap-7.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossts-4.17.15-5.Final_redhat_5.1.ep6.el5.noarch.rpm jbossweb-7.3.2-1.Final_redhat_1.1.ep6.el5.noarch.rpm picketbox-4.0.19-8.SP8_redhat_1.1.ep6.el5.noarch.rpm resteasy-2.3.7.2-1.Final_redhat_1.1.ep6.el5.noarch.rpm weld-core-1.1.17-4.SP3_redhat_1.1.ep6.el5.noarch.rpm wss4j-1.6.15-1.redhat_1.1.ep6.el5.noarch.rpm These 
packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0034.html https://www.redhat.com/security/data/cve/CVE-2014-0035.html https://www.redhat.com/security/data/cve/CVE-2014-0109.html https://www.redhat.com/security/data/cve/CVE-2014-0110.html https://www.redhat.com/security/data/cve/CVE-2014-3481.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.4_Release_Notes/index.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTrDmMXlSAg2UNWIIRAnj7AJ4toUb7iQxZ7613lYKEWPUIRjY76QCgo7lI gG+p+ESHH2Ff0pRqNP2Ws1A= =g9wp -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Jun 26 15:19:24 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 26 Jun 2014 15:19:24 +0000 Subject: [RHSA-2014:0799-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update Message-ID: <201406261519.s5QFJPoK027569@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.2.4 update Advisory ID: RHSA-2014:0799-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0799.html Issue date: 2014-06-26 CVE Names: CVE-2014-0034 CVE-2014-0035 CVE-2014-0109 CVE-2014-0110 CVE-2014-3481 ===================================================================== 1. 
Summary: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.2.4 and fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. Apache CXF is an open source services framework, which is a part of Red Hat JBoss Enterprise Application Platform. It was found that the SecurityTokenService (STS), provided as a part of Apache CXF, could under certain circumstances accept invalid SAML tokens as valid. A remote attacker could use a specially crafted SAML token to gain access to an application that uses STS for validation of SAML tokens. (CVE-2014-0034) A denial of service flaw was found in the way Apache CXF created error messages for certain POST requests. A remote attacker could send a specially crafted request which, when processed by an application using Apache CXF, could consume an excessive amount of memory on the system, possibly triggering an Out Of Memory (OOM) error. (CVE-2014-0109) It was found that when a large invalid SOAP message was processed by Apache CXF, it could be saved to a temporary file in the /tmp directory. A remote attacker could send a specially crafted SOAP message that, when processed by an application using Apache CXF, would use an excessive amount of disk space, possibly causing a denial of service. (CVE-2014-0110) It was found that the Java API for RESTful Web Services (JAX-RS) implementation enabled external entity expansion by default. 
A remote attacker could use this flaw to view the contents of arbitrary files accessible to the application server user. (CVE-2014-3481) It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF. (CVE-2014-0035) The CVE-2014-3481 issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.2.3, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.2.4 Release Notes, linked to in the References. All users of Red Hat JBoss Enterprise Application Platform 6.2 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. 
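The JAX-RS flaw described above (CVE-2014-3481) is the classic XXE condition: a parser that resolves external entities when fed an untrusted document. The class below is an added example, not code from this advisory, from Red Hat, or from the RESTEasy project, showing how an application that parses XML request bodies itself can configure a JAXP DocumentBuilderFactory so that DOCTYPE declarations, and with them any external entity, are refused before anything is resolved. The class name, both sample documents and the placeholder path inside SAMPLE_WITH_DTD are constructed for the example; the feature URIs are the standard Xerces/SAX ones understood by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added example: parsing untrusted XML without resolving external entities. */
public class HardenedXmlParsing {

    // Constructed sample carrying a DOCTYPE with an external entity. The path is a
    // placeholder; the hardened parser rejects the DOCTYPE before any entity is read.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\"> ]>\n"
      + "<note>&ext;</note>";

    // Constructed sample of an ordinary, acceptable request body.
    static final String SAMPLE_PLAIN = "<note><to>ops</to></note>";

    /** Factory whose parsers neither load DTDs nor resolve external entities. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE is the single most effective setting against XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour some of these features but not all.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses a request body; returns null (after logging) when the body is refused. */
    public static Document parseUntrusted(String body) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            return db.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            // Raised as soon as the parser sees the DOCTYPE; no entity has been resolved.
            System.err.println("rejected XML request body: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain body accepted: " + (parseUntrusted(SAMPLE_PLAIN) != null));
        System.out.println("DOCTYPE body accepted: " + (parseUntrusted(SAMPLE_WITH_DTD) != null));
    }
}
```

Keeping the factory in one place, as here, makes the configuration auditable; a unit test that feeds parseUntrusted a document with a DOCTYPE and expects null is a cheap regression check to keep beside it. The same feature settings apply to SAXParserFactory, and XMLInputFactory (StAX) has the equivalent IS_SUPPORTING_EXTERNAL_ENTITIES and SUPPORT_DTD properties.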
5. Bugs fixed (https://bugzilla.redhat.com/):

1090472 - RHEL6 RPMs: Upgrade wss4j to 1.6.15.redhat-1
1093526 - CVE-2014-0109 Apache CXF: HTML content posted to SOAP endpoint could cause OOM errors
1093527 - CVE-2014-0110 Apache CXF: Large invalid content could cause temporary space to fill
1093529 - CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid
1093530 - CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
1103769 - Tracker bug for the EAP 6.2.4 release for RHEL-6.
1103872 - RHEL6 RPMs: Upgrade jboss-aesh to 0.33.12.redhat-1
1104166 - RHEL6 RPMs: Upgrade jbossweb to 7.3.2.Final-redhat-1
1105242 - CVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternal Entity (XXE)
1105591 - RHEL6 RPMs: Upgrade hibernate4-eap6 to 4.2.7.SP5-redhat-1
1105657 - RHEL6 RPMs: Upgrade jboss-security-negotiation to 2.2.10.Final-redhat-1
1106545 - RHEL6 RPMs: Upgrade jboss-xnio-base to 3.0.10.GA-redhat-1
1106579 - RHEL6 RPMs: Upgrade apache-cxf to 2.7.11.redhat-3
1106582 - RHEL6 RPMs: Upgrade jbossts to 4.17.15.Final-redhat-5
1106585 - RHEL6 RPMs: Upgrade picketbox to 4.0.19.SP8-redhat-1
1106589 - RHEL6 RPMs: Upgrade weld-core to 1.1.17.SP3-redhat-1
1109953 - RHEL6 RPMs: Upgrade resteasy to 2.3.7.2-redhat-1

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server:

Source:
apache-cxf-2.7.11-3.redhat_3.1.ep6.el6.src.rpm
hibernate4-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el6.src.rpm
jboss-aesh-0.33.12-1.redhat_1.1.ep6.el6.src.rpm
jboss-as-appclient-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-cli-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-client-all-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-clustering-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-cmp-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-configadmin-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-connector-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-client-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-core-security-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-domain-http-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-domain-management-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ee-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ejb3-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-embedded-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-host-controller-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jacorb-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jaxr-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jdr-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jmx-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jpa-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jsf-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jsr77-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-logging-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-mail-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-messaging-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-modcluster-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-naming-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-network-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-pojo-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-process-controller-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-protocol-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-remoting-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-sar-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-security-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-server-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-threads-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-transactions-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-version-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-web-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-webservices-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-weld-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-xts-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-security-negotiation-2.2.10-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-xnio-base-3.0.10-1.GA_redhat_1.1.ep6.el6.src.rpm
jbossas-appclient-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-bundles-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-core-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-domain-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-javadocs-7.3.4-1.Final_redhat_1.ep6.el6.src.rpm
jbossas-modules-eap-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-product-eap-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-standalone-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossts-4.17.15-5.Final_redhat_5.1.ep6.el6.src.rpm
jbossweb-7.3.2-1.Final_redhat_1.1.ep6.el6.src.rpm
picketbox-4.0.19-8.SP8_redhat_1.1.ep6.el6.src.rpm
resteasy-2.3.7.2-1.Final_redhat_1.1.ep6.el6.src.rpm
weld-core-1.1.17-4.SP3_redhat_1.1.ep6.el6.src.rpm
wss4j-1.6.15-1.redhat_1.1.ep6.el6.src.rpm

noarch:
apache-cxf-2.7.11-3.redhat_3.1.ep6.el6.noarch.rpm
hibernate4-core-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-entitymanager-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-envers-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-infinispan-eap6-4.2.7-9.SP5_redhat_1.1.ep6.el6.noarch.rpm
jboss-aesh-0.33.12-1.redhat_1.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-cli-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-connector-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-controller-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ee-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-logging-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-mail-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-naming-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-network-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-sar-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-security-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-server-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-threads-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-version-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-web-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-weld-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-xts-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-security-negotiation-2.2.10-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-xnio-base-3.0.10-1.GA_redhat_1.1.ep6.el6.noarch.rpm
jbossas-appclient-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-bundles-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-core-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-domain-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.3.4-1.Final_redhat_1.ep6.el6.noarch.rpm
jbossas-modules-eap-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-standalone-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossts-4.17.15-5.Final_redhat_5.1.ep6.el6.noarch.rpm
jbossweb-7.3.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm
picketbox-4.0.19-8.SP8_redhat_1.1.ep6.el6.noarch.rpm
resteasy-2.3.7.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm
weld-core-1.1.17-4.SP3_redhat_1.1.ep6.el6.noarch.rpm
wss4j-1.6.15-1.redhat_1.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0034.html
https://www.redhat.com/security/data/cve/CVE-2014-0035.html
https://www.redhat.com/security/data/cve/CVE-2014-0109.html
https://www.redhat.com/security/data/cve/CVE-2014-0110.html
https://www.redhat.com/security/data/cve/CVE-2014-3481.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.4_Release_Notes/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTrDncXlSAg2UNWIIRAo0CAJ44H+nOdRkGRnSOuVflmtTetRKdlgCfdlHT
iW653d/8GyJaW0lXTxHtLcY=
=oV4n
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Jun 30 21:05:05 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 30 Jun 2014 21:05:05 +0000
Subject: [RHSA-2014:0818-01] Important: Red Hat JBoss BRMS 6.0.2 update
Message-ID: <201406302105.s5UL56ub024737@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BRMS 6.0.2 update
Advisory ID:       RHSA-2014:0818-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0818.html
Issue date:        2014-06-30
CVE Names:         CVE-2014-0107 CVE-2014-0193 CVE-2014-0363 CVE-2014-0364
=====================================================================

1. Summary:

Red Hat JBoss BRMS 6.0.2, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.0.2 serves as a replacement for Red Hat JBoss BRMS 6.0.1, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BRMS 6.0.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly at https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

It was found that the ServerTrustManager in the Smack XMPP API did not verify basicConstraints and nameConstraints in X.509 certificate chains. A man-in-the-middle attacker could use this flaw to spoof servers and obtain sensitive information. (CVE-2014-0363)

It was found that the ParseRoster component in the Smack XMPP API did not verify the From attribute of a roster-query IQ stanza. A remote attacker could use this flaw to spoof IQ responses. (CVE-2014-0364)

A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service. (CVE-2014-0193)

Red Hat would like to thank James Roper of Typesafe for reporting the CVE-2014-0193 issue.

All users of Red Hat JBoss BRMS 6.0.1 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BRMS 6.0.2.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
1092783 - CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
1093273 - CVE-2014-0363 smack: incorrect X.509 certificate validation
1093276 - CVE-2014-0364 smack: IQ response spoofing

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://www.redhat.com/security/data/cve/CVE-2014-0193.html
https://www.redhat.com/security/data/cve/CVE-2014-0363.html
https://www.redhat.com/security/data/cve/CVE-2014-0364.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.2
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTsdBRXlSAg2UNWIIRApgoAJ4qZy1snKmPfN+becwbawV/V16oMACgqjUu
AB1LmsvFsa2NmQDx4i2NwXk=
=6scE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Jun 30 21:05:58 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 30 Jun 2014 21:05:58 +0000
Subject: [RHSA-2014:0819-01] Important: Red Hat JBoss BPM Suite 6.0.2 update
Message-ID: <201406302105.s5UL5xcM003656@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BPM Suite 6.0.2 update
Advisory ID:       RHSA-2014:0819-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0819.html
Issue date:        2014-06-30
CVE Names:         CVE-2014-0107 CVE-2014-0363 CVE-2014-0364
=====================================================================

1. Summary:

Red Hat JBoss BPM Suite 6.0.2, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.0.2 serves as a replacement for Red Hat JBoss BPM Suite 6.0.1, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BPM Suite 6.0.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly at https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

It was found that the ServerTrustManager in the Smack XMPP API did not verify basicConstraints and nameConstraints in X.509 certificate chains. A man-in-the-middle attacker could use this flaw to spoof servers and obtain sensitive information. (CVE-2014-0363)

It was found that the ParseRoster component in the Smack XMPP API did not verify the From attribute of a roster-query IQ stanza. A remote attacker could use this flaw to spoof IQ responses. (CVE-2014-0364)

All users of Red Hat JBoss BPM Suite 6.0.1 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.0.2.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
1093273 - CVE-2014-0363 smack: incorrect X.509 certificate validation
1093276 - CVE-2014-0364 smack: IQ response spoofing

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://www.redhat.com/security/data/cve/CVE-2014-0363.html
https://www.redhat.com/security/data/cve/CVE-2014-0364.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.2
https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTsdEPXlSAg2UNWIIRAvu/AJ9C0hY1754u7KoZ03V58FsJRlQDTwCgl0j2
UmrOhtSbWfvLWRBLgK2+Mkc=
=Lnv7
-----END PGP SIGNATURE-----