From bugzilla at redhat.com Wed Mar 5 19:38:44 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Mar 2014 19:38:44 +0000
Subject: [RHSA-2014:0252-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 security update
Message-ID: <201403051938.s25JciYR009347@int-mx01.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 security update
Advisory ID:       RHSA-2014:0252-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0252.html
Issue date:        2014-03-05
CVE Names:         CVE-2014-0050
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 6.2.1 that fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in the JBoss Web component of JBoss EAP, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

All users of Red Hat JBoss Enterprise Application Platform 6.2.1 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

4. Bugs fixed (https://bugzilla.redhat.com/):

1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0050.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.2.0
https://access.redhat.com/site/solutions/625683

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.


From bugzilla at redhat.com Wed Mar 5 19:39:39 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Mar 2014 19:39:39 +0000
Subject: [RHSA-2014:0253-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 security update
Message-ID: <201403051939.s25JdeOL009373@int-mx02.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 security update
Advisory ID:       RHSA-2014:0253-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0253.html
Issue date:        2014-03-05
CVE Names:         CVE-2014-0050
=====================================================================

1. Summary:

Updated Red Hat JBoss Enterprise Application Platform 6.2.1 packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in the JBoss Web component of JBoss EAP, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

Warning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

All users of Red Hat JBoss Enterprise Application Platform 6.2.1 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1062337 - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el5.src.rpm

noarch:
jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el6.src.rpm

noarch:
jbossweb-7.3.0-2.Final_redhat_2.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0050.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
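The two CVE-2014-0050 advisories above (RHSA-2014:0252 and RHSA-2014:0253) say only that a malformed multipart Content-Type header drives MultipartStream into an infinite loop. As an added example, not part of the advisories or of JBoss Web, here is a front-end check that validates the boundary parameter against the RFC 2046 grammar before a request reaches the multipart parser; it assumes the malformation lies in the boundary parameter (missing, empty, longer than 70 characters, or containing characters outside the RFC's bchars set) and complements, rather than replaces, applying the update.

```python
import re

# RFC 2046 section 5.1.1:
#   boundary      := 0*69<bchars> bcharsnospace
#   bchars        := bcharsnospace / " "
#   bcharsnospace := DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / ","
#                    / "-" / "." / "/" / ":" / "=" / "?"
# So a boundary is 1..70 characters, may contain spaces, but must not end in one.
MAX_BOUNDARY_LEN = 70
_BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]*[0-9A-Za-z'()+_,\-./:=?]$")


def parse_content_type(value):
    """Split a Content-Type value into (media_type, {param_name: param_value}).

    Media type and parameter names are lowercased (they are case-insensitive);
    surrounding double quotes on a parameter value are stripped. A ';' inside a
    quoted value is not handled, which is acceptable for a boundary pre-check
    because the RFC does not allow ';' in a boundary anyway."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            continue  # bare token without a value: ignore, not a boundary
        name, val = part.split("=", 1)
        name = name.strip().lower()
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        params[name] = val
    return media_type, params


def check_multipart_content_type(value):
    """Return (ok, reason) for a Content-Type header value.

    ok is True for non-multipart types (nothing to check) and for multipart types
    whose boundary parameter satisfies RFC 2046; False with a reason otherwise.
    A rejected request should be answered with 400 and never passed on to the
    multipart parser."""
    media_type, params = parse_content_type(value)
    if not media_type.startswith("multipart/"):
        return True, "not multipart"
    boundary = params.get("boundary")
    if boundary is None:
        return False, "multipart type without a boundary parameter"
    if boundary == "":
        return False, "empty boundary"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return False, "boundary longer than %d characters" % MAX_BOUNDARY_LEN
    if not _BOUNDARY_RE.match(boundary):
        return False, "boundary contains characters outside RFC 2046 bchars or ends in a space"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample header values, not taken from the advisories.
    for sample in (
        "multipart/form-data; boundary=----WebKitFormBoundaryAbc123",
        "multipart/form-data",
        "multipart/form-data; boundary=" + "a" * 71,
        'multipart/mixed; boundary="abc "',
    ):
        print(repr(sample), "->", check_multipart_content_type(sample))
```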
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTF31bXlSAg2UNWIIRAjh9AJ0Z6wlc5sD2obdtprZbQf5wLKTRPQCeIYTG YGZnEAcbRzVfWmAGxaIwWJ0= =aFqZ -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Mar 13 19:33:44 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 13 Mar 2014 19:33:44 +0000 Subject: [RHSA-2014:0294-01] Important: XStream security update Message-ID: <201403131933.s2DJXiYW023910@int-mx01.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: XStream security update Advisory ID: RHSA-2014:0294-01 Product: Red Hat JBoss Data Virtualization Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0294.html Issue date: 2014-03-13 CVE Names: CVE-2013-7285 ===================================================================== 1. Summary: An update for the XStream component that fixes one security issue is now available from the Red Hat Customer Portal for Red Hat JBoss Data Virtualization 6.0.0. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives detailed severity rating, is available from the CVE link in the References section. 2. Description: XStream is a simple library to serialize and de-serialize objects to and from XML. It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application. (CVE-2013-7285) The main distribution of Red Hat JBoss Data Virtualization 6.0.0 does not contain the vulnerable XStream library and is not vulnerable to CVE-2013-7285. 
Only users of Red Hat JBoss Data Virtualization 6.0.0 who installed an optional S-RAMP distribution as provided from the Red Hat Customer Portal are advised to apply this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the updates). Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process. 4. Bugs fixed (https://bugzilla.redhat.com/): 1051277 - CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization 5. References: https://www.redhat.com/security/data/cve/CVE-2013-7285.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.0.0 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTIgf6XlSAg2UNWIIRAgyTAKC8c85Vikb/43xfqifbFG2QNXr2JgCbBOvK bJVLZawVh1QzA3mJwNciDnM= =wEnz -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Mar 24 18:09:19 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 24 Mar 2014 18:09:19 +0000 Subject: [RHSA-2014:0323-01] Important: Red Hat JBoss Fuse/A-MQ 6.0.0 security update Message-ID: <201403241809.s2OI9Je2024679@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Fuse/A-MQ 6.0.0 security update Advisory ID: RHSA-2014:0323-01 Product: Red Hat JBoss Fuse Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0323.html Issue date: 2014-03-24 CVE Names: CVE-2013-7285 CVE-2014-0002 CVE-2014-0003 ===================================================================== 1. Summary: Red Hat JBoss Fuse and A-MQ 6.0.0 R1 P3 (Patch 3 on Rollup Patch 1), which addresses three security issues and contains several bug fixes, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: Red Hat JBoss Fuse 6.0.0 is an integration platform based on Apache ServiceMix. Red Hat JBoss A-MQ 6.0.0, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.0.0 and Red Hat JBoss A-MQ 6.0.0. It includes bug fixes, which are documented in the readme file included with the patch files. 
The following security issues are fixed with this release: It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application. (CVE-2013-7285) It was found that the Apache Camel XSLT component allowed XSL stylesheets to call external Java methods. A remote attacker able to submit messages to a Camel route could use this flaw to perform arbitrary remote code execution in the context of the Camel server process. (CVE-2014-0003) It was found that the Apache Camel XSLT component would resolve entities in XML messages when transforming them using an XSLT route. A remote attacker able to submit messages to an XSLT Camel route could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML External Entity (XXE) attacks. (CVE-2014-0002) The CVE-2014-0003 and CVE-2014-0002 issues were discovered by David Jorm of the Red Hat Security Response Team. All users of Red Hat JBoss Fuse 6.0.0 and Red Hat JBoss A-MQ 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this patch. 3. Solution: The References section of this erratum contains download links (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1049675 - CVE-2014-0002 Camel: XML eXternal Entity (XXE) flaw in XSLT component 1049692 - CVE-2014-0003 Camel: remote code execution via XSL 1051277 - CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization 5. 
References: https://www.redhat.com/security/data/cve/CVE-2013-7285.html https://www.redhat.com/security/data/cve/CVE-2014-0002.html https://www.redhat.com/security/data/cve/CVE-2014-0003.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.0.0 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.0.0 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTMHTDXlSAg2UNWIIRAgxrAKCBokPQTtEQSIIheko8LRMu35DsZwCfVBQU lcR5+RT80azmerMU8TJOIeE= =j5uJ -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Mar 26 16:36:43 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 26 Mar 2014 16:36:43 +0000 Subject: [RHSA-2014:0335-01] Moderate: Red Hat JBoss Web Framework Kit 2.5.0 update Message-ID: <201403261636.s2QGahAc021244@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Web Framework Kit 2.5.0 update Advisory ID: RHSA-2014:0335-01 Product: Red Hat JBoss Web Framework Kit Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0335.html Issue date: 2014-03-26 CVE Names: CVE-2014-0086 ===================================================================== 1. Summary: Red Hat JBoss Web Framework Kit 2.5.0, which fixes one security issue, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having Moderate security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: Red Hat JBoss Web Framework Kit combines popular open source web frameworks into a single solution for Java applications. This release serves as a replacement for Red Hat JBoss Web Framework Kit 2.4.0, and includes bug fixes and enhancements. Refer to the 2.5.0 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ This release also fixes the following security issue: It was found that malformed Atmosphere requests caused RichFaces to leak memory. A remote, unauthenticated attacker could use this flaw to send a large number of these requests to a RichFaces application that uses the Atmosphere framework, leading to an out of memory error and a corresponding denial of service on the application server. (CVE-2014-0086) All users of Red Hat JBoss Web Framework Kit 2.4.0 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss Web Framework Kit 2.5.0. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing installation of Red Hat JBoss Enterprise Application Platform or Red Hat JBoss Web Server, and applications deployed to it. The JBoss server process must be restarted for this update to take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1067268 - CVE-2014-0086 JBoss RichFaces: remote denial of service via memory exhaustion 5. References: https://www.redhat.com/security/data/cve/CVE-2014-0086.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions https://access.redhat.com/site/documentation/Red_Hat_JBoss_Web_Framework_Kit/ 6. 
Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTMwIHXlSAg2UNWIIRAl3uAKCA+kWuSLsZjGD/m+gG6d+3woEQNwCgmRCz dsSgwUIouTtua42OZxO70OI= =ji0A -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Mar 31 18:17:19 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 31 Mar 2014 18:17:19 +0000 Subject: [RHSA-2014:0343-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update Message-ID: <201403311817.s2VIHJ1H012729@int-mx13.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update Advisory ID: RHSA-2014:0343-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0343.html Issue date: 2014-03-31 CVE Names: CVE-2013-4286 CVE-2014-0093 ===================================================================== 1. Summary: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.2.2 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server - noarch Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. 
It was found that when JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, JBoss Web would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286) It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted. (CVE-2014-0093) The CVE-2014-0093 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team. This release serves as an update for Red Hat JBoss Enterprise Application Platform 6.2, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.2.2 Release Notes, linked to in the References. All users of Red Hat JBoss Enterprise Application Platform 6.2 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually. This update is available via the Red Hat Network. 
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1063448 - Tracker bug for the EAP 6.2.2 release for RHEL-5. 1066498 - RHEL5 RPMs: Upgrade jboss-metadata to 7.0.9.Final-redhat-1 1066504 - RHEL5 RPMs: Upgrade glassfish-jsf-eap6 to 2.1.27.redhat-8 1066506 - RHEL5 RPMs: Upgrade jboss-jsf-api_2.1_spec to 2.1.27.Final-redhat-1 1066513 - RHEL5 RPMs: Upgrade jboss-remote-naming to 1.0.8.Final-redhat-1 1067101 - RHEL5 RPMs: Upgrade jboss-ejb-client to 1.0.25.Final-redhat-1 1067168 - RHEL5 RPMs: Upgrade jboss-security-negotiation to 2.2.7.Final-redhat-1 1067321 - RHEL5 RPMs: Upgrade wss4j to 1.6.14.redhat-1 1067509 - RHEL5 RPMs: Upgrade apache-cxf to 2.7.10.redhat-1 1067649 - RHEL5 RPMs: Upgrade jbossws-cxf to 4.2.4.Final-redhat-1 1068712 - RHEL5 RPMs: Upgrade jboss-remoting3 to 3.2.19.GA-redhat-1 1069602 - RHEL5 RPMs: Upgrade jbossas-javadocs to 7.3.2.Final-redhat-2 1069921 - CVE-2013-4286 tomcat: incomplete fix for CVE-2005-2090 1070046 - CVE-2014-0093 JBoss EAP 6: JSM policy not respected by deployed applications 1076115 - RHEL5 RPMs: Upgrade jboss-el-api_2.2_spec to 1.0.4.Final-redhat-1 1076134 - RHEL5 RPMs: Upgrade jbossweb to 7.3.1.Final-redhat-1 1076168 - RHEL5 RPMs: Upgrade jboss-modules to 1.3.3.Final-redhat-1 6. 
Package List: Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/ironjacamar-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-appclient-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-cli-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-client-all-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-clustering-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-cmp-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-configadmin-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-connector-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-controller-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-controller-client-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-core-security-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-deployment-repository-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-deployment-scanner-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-domain-http-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm 
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-domain-management-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-ee-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-ee-deployment-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-ejb3-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-embedded-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-host-controller-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jacorb-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jaxr-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jaxrs-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jdr-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jmx-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jpa-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jsf-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jsr77-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-logging-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm 
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-mail-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-management-client-content-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-messaging-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-modcluster-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-naming-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-network-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-osgi-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-osgi-configadmin-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-osgi-service-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-platform-mbean-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-pojo-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-process-controller-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-protocol-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-remoting-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-sar-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm 
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-security-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-server-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-system-jmx-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-threads-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-transactions-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-version-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-web-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-webservices-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-weld-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-xts-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-el-api_2.2_spec-1.0.4-2.Final_redhat_1.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-modules-1.3.3-1.Final_redhat_1.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-core-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-javadocs-7.3.2-2.1.Final_redhat_2.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-modules-eap-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm 
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-product-eap-7.3.2-2.Final_redhat_2.1.ep6.el5.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossweb-7.3.1-1.Final_redhat_1.1.ep6.el5.src.rpm noarch: ironjacamar-common-api-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm ironjacamar-common-impl-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm ironjacamar-common-spi-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm ironjacamar-core-api-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm ironjacamar-core-impl-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm ironjacamar-deployers-common-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm ironjacamar-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm ironjacamar-jdbc-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm ironjacamar-spec-api-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm ironjacamar-validator-eap6-1.0.23-5.Final_redhat_5.1.ep6.el5.noarch.rpm jboss-as-appclient-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-cli-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-client-all-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-clustering-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-cmp-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-configadmin-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-connector-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-controller-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-controller-client-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-core-security-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-deployment-repository-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-deployment-scanner-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-domain-http-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-domain-management-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-ee-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm 
jboss-as-ee-deployment-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-logging-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-mail-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-naming-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-network-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-sar-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-security-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-server-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-threads-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-version-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-web-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-weld-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-xts-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-el-api_2.2_spec-1.0.4-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-modules-1.3.3-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-core-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.3.2-2.1.Final_redhat_2.ep6.el5.noarch.rpm
jbossas-modules-eap-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.3.2-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossweb-7.3.1-1.Final_redhat_1.1.ep6.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/apache-cxf-2.7.10-1.redhat_1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/glassfish-jsf-eap6-2.1.27-6.redhat_8.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-ejb-client-1.0.25-1.Final_redhat_1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jsf-api_2.1_spec-2.1.27-2.Final_redhat_1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-metadata-7.0.9-1.Final_redhat_1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remote-naming-1.0.8-1.Final_redhat_1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remoting3-3.2.19-1.GA_redhat_1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-security-negotiation-2.2.7-1.Final_redhat_1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-cxf-4.2.4-1.Final_redhat_1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/picketbox-4.0.19-4.SP4_redhat_1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/wss4j-1.6.14-2.redhat_1.1.ep6.el5.src.rpm

noarch:
apache-cxf-2.7.10-1.redhat_1.1.ep6.el5.noarch.rpm
glassfish-jsf-eap6-2.1.27-6.redhat_8.1.ep6.el5.noarch.rpm
jboss-ejb-client-1.0.25-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-jsf-api_2.1_spec-2.1.27-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-7.0.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-appclient-7.0.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-common-7.0.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-ear-7.0.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-ejb-7.0.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-metadata-web-7.0.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-remote-naming-1.0.8-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-remoting3-3.2.19-1.GA_redhat_1.1.ep6.el5.noarch.rpm
jboss-security-negotiation-2.2.7-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossws-cxf-4.2.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
picketbox-4.0.19-4.SP4_redhat_1.1.ep6.el5.noarch.rpm
wss4j-1.6.14-2.redhat_1.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4286.html
https://www.redhat.com/security/data/cve/CVE-2014-0093.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.2_Release_Notes/index.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTObD+XlSAg2UNWIIRAqzUAJ0TyQmmOx2DM/xZce1llhN9FMajGQCfeFFt
T9Iz3PjXwq4wApYazG135Zk=
=sTvn
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 31 18:18:41 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 31 Mar 2014 18:18:41 +0000
Subject: [RHSA-2014:0344-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update
Message-ID: <201403311818.s2VIIf7C025502@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update
Advisory ID:       RHSA-2014:0344-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0344.html
Issue date:        2014-03-31
CVE Names:         CVE-2013-4286 CVE-2014-0093
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.2.2 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server - noarch
Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.
It was found that when JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, JBoss Web would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted. (CVE-2014-0093)

The CVE-2014-0093 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.

This release serves as an update for Red Hat JBoss Enterprise Application Platform 6.2, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.2.2 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.2 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually.

This update is available via the Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1063441 - Tracker bug for the EAP 6.2.2 release for RHEL-6.
1066497 - RHEL6 RPMs: Upgrade jboss-metadata to 7.0.9.Final-redhat-1
1066503 - RHEL6 RPMs: Upgrade glassfish-jsf-eap6 to 2.1.27.redhat-8
1066505 - RHEL6 RPMs: Upgrade jboss-jsf-api_2.1_spec to 2.1.27.Final-redhat-1
1066512 - RHEL6 RPMs: Upgrade jboss-remote-naming to 1.0.8.Final-redhat-1
1067100 - RHEL6 RPMs: Upgrade jboss-ejb-client to 1.0.25.Final-redhat-1
1067167 - RHEL6 RPMs: Upgrade jboss-security-negotiation to 2.2.7.Final-redhat-1
1067320 - RHEL6 RPMs: Upgrade wss4j to 1.6.14.redhat-1
1067508 - RHEL6 RPMs: Upgrade apache-cxf to 2.7.10.redhat-1
1067648 - RHEL6 RPMs: Upgrade jbossws-cxf to 4.2.4.Final-redhat-1
1068711 - RHEL6 RPMs: Upgrade jboss-remoting3 to 3.2.19.GA-redhat-1
1069601 - RHEL6 RPMs: Upgrade jbossas-javadocs to 7.3.2.Final-redhat-2
1069921 - CVE-2013-4286 tomcat: incomplete fix for CVE-2005-2090
1070046 - CVE-2014-0093 JBoss EAP 6: JSM policy not respected by deployed applications
1076114 - RHEL6 RPMs: Upgrade jboss-el-api_2.2_spec to 1.0.4.Final-redhat-1
1076133 - RHEL6 RPMs: Upgrade jbossweb to 7.3.1.Final-redhat-1
1076167 - RHEL6 RPMs: Upgrade jboss-modules to 1.3.3.Final-redhat-1

6. Package List:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/ironjacamar-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-appclient-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-cli-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-client-all-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-clustering-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-cmp-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-configadmin-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-connector-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-controller-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-controller-client-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-core-security-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-deployment-repository-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-deployment-scanner-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-domain-http-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-domain-management-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-ee-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-ee-deployment-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-ejb3-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-embedded-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-host-controller-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jacorb-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jaxr-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jaxrs-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jdr-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jmx-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jpa-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jsf-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jsr77-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-logging-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-mail-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-management-client-content-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-messaging-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-modcluster-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-naming-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-network-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-osgi-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-osgi-configadmin-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-osgi-service-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-platform-mbean-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-pojo-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-process-controller-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-protocol-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-remoting-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-sar-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-security-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-server-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-system-jmx-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-threads-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-transactions-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-version-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-web-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-webservices-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-weld-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-xts-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-el-api_2.2_spec-1.0.4-2.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-modules-1.3.3-1.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-core-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-javadocs-7.3.2-2.1.Final_redhat_2.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-modules-eap-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-product-eap-7.3.2-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossweb-7.3.1-1.Final_redhat_1.1.ep6.el6.src.rpm

noarch:
ironjacamar-common-api-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
ironjacamar-common-impl-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
ironjacamar-common-spi-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
ironjacamar-core-api-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
ironjacamar-core-impl-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
ironjacamar-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
ironjacamar-jdbc-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
ironjacamar-spec-api-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
ironjacamar-validator-eap6-1.0.23-5.Final_redhat_5.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cli-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-connector-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-logging-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-mail-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-naming-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-network-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-sar-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-security-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-server-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-threads-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-version-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-web-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-weld-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-xts-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-el-api_2.2_spec-1.0.4-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-modules-1.3.3-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-core-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.3.2-2.1.Final_redhat_2.ep6.el6.noarch.rpm
jbossas-modules-eap-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.3.2-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossweb-7.3.1-1.Final_redhat_1.1.ep6.el6.noarch.rpm

Red Hat JBoss Enterprise Application Platform 6.2 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/apache-cxf-2.7.10-1.redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/glassfish-jsf-eap6-2.1.27-6.redhat_8.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-ejb-client-1.0.25-1.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-jsf-api_2.1_spec-2.1.27-2.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-metadata-7.0.9-1.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-remote-naming-1.0.8-1.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-remoting3-3.2.19-1.GA_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-security-negotiation-2.2.7-1.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossws-cxf-4.2.4-1.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/picketbox-4.0.19-4.SP4_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/wss4j-1.6.14-2.redhat_1.1.ep6.el6.src.rpm

noarch:
apache-cxf-2.7.10-1.redhat_1.1.ep6.el6.noarch.rpm
glassfish-jsf-eap6-2.1.27-6.redhat_8.1.ep6.el6.noarch.rpm
jboss-ejb-client-1.0.25-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-jsf-api_2.1_spec-2.1.27-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-7.0.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-appclient-7.0.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-common-7.0.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-ear-7.0.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-ejb-7.0.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-metadata-web-7.0.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-remote-naming-1.0.8-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-remoting3-3.2.19-1.GA_redhat_1.1.ep6.el6.noarch.rpm
jboss-security-negotiation-2.2.7-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossws-cxf-4.2.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
picketbox-4.0.19-4.SP4_redhat_1.1.ep6.el6.noarch.rpm
wss4j-1.6.14-2.redhat_1.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4286.html
https://www.redhat.com/security/data/cve/CVE-2014-0093.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.2_Release_Notes/index.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTObFUXlSAg2UNWIIRAsjmAJ9xaawGWfvDfUKXU/J5/G2ytsg5DQCeLuoe
SHOsHKMRJUl8NzbQoXxhdxs=
=vucv
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 31 18:21:48 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 31 Mar 2014 18:21:48 +0000
Subject: [RHSA-2014:0345-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update
Message-ID: <201403311821.s2VILmSM031662@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update
Advisory ID:       RHSA-2014:0345-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0345.html
Issue date:        2014-03-31
CVE Names:         CVE-2013-4286 CVE-2014-0093
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 6.2.2 that fixes two security issues, several bugs, and adds various enhancements is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that when JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, JBoss Web would incorrectly handle the request.
A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted. (CVE-2014-0093)

The CVE-2014-0093 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.

This release serves as an update for Red Hat JBoss Enterprise Application Platform 6.2, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.2.2 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.2 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

4. Bugs fixed (https://bugzilla.redhat.com/):

1069921 - CVE-2013-4286 tomcat: incomplete fix for CVE-2005-2090
1070046 - CVE-2014-0093 JBoss EAP 6: JSM policy not respected by deployed applications

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-4286.html
https://www.redhat.com/security/data/cve/CVE-2014-0093.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.2.0
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/6.2.2_Release_Notes/index.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTObIUXlSAg2UNWIIRAuKmAKC6by2LxBV/6NT4nCg5VQlQvtfTJgCgu5FD
HX1yK8E4JCx51a8AUZu+f2Q=
=xUhZ
-----END PGP SIGNATURE-----
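The CVE-2013-4286 description in RHSA-2014:0344 and RHSA-2014:0345 above names the exact request shape that made JBoss Web mis-frame a message: more than one Content-Length header, or a Content-Length header alongside a chunked Transfer-Encoding. The defensive counterpart is to refuse any request whose body boundary can be read two ways, which is what RFC 7230 section 3.3.3 requires of a conforming recipient. The following is an added example, not code from Red Hat or from the JBoss Web project: a small Python validator of the kind one would place in a reverse proxy or WAF rule set in front of an unpatched tier, plus a minimal raw-request head parser so it can be run offline. The sample requests, the `FramingVerdict` type, and the function names are all constructed for this example.

```python
"""Reject HTTP/1.1 requests with ambiguous message framing.

Added example (not part of the advisories above). It applies the
RFC 7230 section 3.3.3 rules conservatively: a request is refused
whenever its body length could be computed two different ways, because
that is exactly the condition behind CVE-2013-4286 (a front-end and
a back-end disagreeing on where one request ends and the next begins).
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FramingVerdict:
    ok: bool                          # True when the framing is unambiguous
    reason: str                       # short, log-friendly explanation
    content_length: Optional[int] = None
    chunked: bool = False


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into (request-line, [(name, value), ...]).

    Names are lower-cased; duplicates are kept in order on purpose so the
    validator sees every repeated field instead of a merged one.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_framing(headers: List[Tuple[str, str]]) -> FramingVerdict:
    """Decide whether the body boundary is unambiguous.

    Policy (stricter than the RFC's 'MUST reject or repair' choice):
      * Content-Length together with Transfer-Encoding -> reject
      * more than one Content-Length value, even identical -> reject
      * Transfer-Encoding whose final coding is not 'chunked' -> reject
      * non-numeric Content-Length -> reject
    """
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # A single field may also carry a comma-separated list ("5, 5").
    cl_tokens = [t.strip() for v in cl_values for t in v.split(",")]

    if te_values and cl_tokens:
        return FramingVerdict(False, "Content-Length and Transfer-Encoding both present")

    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        if codings[-1] != "chunked":
            return FramingVerdict(False, "Transfer-Encoding without final chunked coding")
        return FramingVerdict(True, "chunked body", chunked=True)

    if not cl_tokens:
        return FramingVerdict(True, "no body", content_length=0)

    if len(cl_tokens) != 1:
        return FramingVerdict(False, f"repeated Content-Length values {cl_tokens}")

    token = cl_tokens[0]
    if not token.isdigit():
        return FramingVerdict(False, f"non-numeric Content-Length {token!r}")
    return FramingVerdict(True, "content-length body", content_length=int(token))


def audit_request(raw: bytes) -> FramingVerdict:
    """Parse a raw request head and return the framing verdict."""
    _, headers = parse_headers(raw)
    return check_framing(headers)


# Constructed sample requests (not captured traffic): one clean request,
# one with repeated Content-Length, one mixing Content-Length with
# Transfer-Encoding, and one legitimately chunked request.
SAMPLE_REQUESTS = {
    "clean": b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "dup_cl": b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 30\r\n\r\nhello",
    "cl_te": b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "chunked": b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        verdict = audit_request(raw)
        print(f"{label:8s} accepted={verdict.ok!s:5s} reason={verdict.reason}")
```

The check deliberately rejects rather than repairs: a proxy that "fixes" a conflicting header by picking one value can still disagree with the server behind it, and that disagreement is the whole vulnerability. Running the block prints one line per sample; only `clean` and `chunked` are accepted.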