From bugzilla at redhat.com Wed Sep 3 22:29:25 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 3 Sep 2014 22:29:25 +0000
Subject: [RHSA-2014:1149-01] Moderate: Red Hat JBoss Operations Network 3.2.3 update
Message-ID: <201409032229.s83MTPon006961@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Operations Network 3.2.3 update
Advisory ID:       RHSA-2014:1149-01
Product:           Red Hat JBoss Operations Network
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1149.html
Issue date:        2014-09-03
CVE Names:         CVE-2014-0075 CVE-2014-0099
=====================================================================

1. Summary:

Red Hat JBoss Operations Network 3.2.3, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.2.3 release serves as a replacement for JBoss Operations Network 3.2.2, and includes several bug fixes. Refer to the JBoss Operations Network 3.2.3 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/documentation/en-US/

The following security issues are also fixed with this release:

It was discovered that JBoss Web did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075)

It was found that JBoss Web did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099)

The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security.

All users of JBoss Operations Network 3.2.2 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.2.3.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

Refer to the JBoss Operations Network 3.2.3 Release Notes for installation information.

4. Bugs fixed (https://bugzilla.redhat.com/):

1072776 - CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
1102030 - CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0075.html
https://www.redhat.com/security/data/cve/CVE-2014-0099.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.2.0
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
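Both JBoss Web flaws in this advisory come down to lengths in request framing that were accepted without a bound or a range check. The Python below is an added example, not code from the advisory or from JBoss Web/Tomcat: it parses Content-Length with an explicit overflow check, caps the number of hex digits in a chunk-size line, and audits a header set for the Content-Length/Transfer-Encoding disagreements that request smuggling depends on when a reverse proxy and the origin resolve them differently. The 64-bit ceiling, the 8-digit chunk-size cap and the sample headers are constructed assumptions for illustration, not values taken from the fix.

```python
from __future__ import annotations

import re

# Assumption: the server keeps the body length in a signed 64-bit integer, so
# any larger value would wrap if parsed without a range check.
MAX_CONTENT_LENGTH = 2**63 - 1

# Assumption: chunk-size is capped at 8 hex digits (fits a signed 32-bit int),
# so a client-supplied chunk-size line cannot grow without bound.
MAX_CHUNK_SIZE_HEX_DIGITS = 8


def parse_content_length(value: str) -> int:
    """Return the Content-Length as an int, or raise ValueError.

    Only ASCII decimal digits are accepted (no sign, no inner whitespace, no
    exponent), and the value must fit the assumed integer width.
    """
    digits = value.strip()
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError(f"Content-Length is not a plain decimal number: {value!r}")
    length = int(digits)
    if length > MAX_CONTENT_LENGTH:
        raise ValueError("Content-Length exceeds the 64-bit signed range (would overflow)")
    return length


def parse_chunk_size(line: bytes) -> int:
    """Parse one chunk-size line (b'1A;ext=1\\r\\n') into an int, or raise ValueError."""
    size_field = line.rstrip(b"\r\n").split(b";", 1)[0].strip()
    if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
        raise ValueError(f"chunk-size is not hexadecimal: {size_field!r}")
    if len(size_field) > MAX_CHUNK_SIZE_HEX_DIGITS:
        raise ValueError("chunk-size has too many digits (would overflow)")
    return int(size_field, 16)


def audit_framing_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return human-readable findings for the request-framing headers.

    Flags unparsable or overflowing Content-Length values, duplicate
    Content-Length headers that disagree, and Content-Length combined with
    Transfer-Encoding. Each of these lets a proxy and the origin server
    disagree about where one request ends and the next begins.
    """
    findings: list[str] = []
    lengths = [v for n, v in headers if n.lower() == "content-length"]
    has_te = any(n.lower() == "transfer-encoding" for n, _ in headers)
    parsed: set[int] = set()
    for raw in lengths:
        try:
            parsed.add(parse_content_length(raw))
        except ValueError as exc:
            findings.append(f"invalid Content-Length: {exc}")
    if len(parsed) > 1:
        findings.append(f"conflicting Content-Length values: {sorted(parsed)}")
    if lengths and has_te:
        findings.append("both Content-Length and Transfer-Encoding present; "
                        "reject the request or drop Content-Length so proxy and origin agree")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real capture.
    sample = [("Host", "app.example.test"),
              ("Content-Length", "9223372036854775808"),
              ("Transfer-Encoding", "chunked")]
    for finding in audit_framing_headers(sample):
        print(finding)
```

The same audit logic works as a detection rule over proxy access logs that record request headers: any request that produces a finding is worth alerting on, whether or not the origin server behind the proxy is patched.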
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUB5Y8XlSAg2UNWIIRAkn6AKDAZUiEXF/U8JdBkC4iXbtFrGm5lQCfZOFu
bNln2zQKFpka7hlHeZ51jFA=
=QArM
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Sep 4 17:36:39 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Sep 2014 17:36:39 +0000
Subject: [RHSA-2014:1162-01] Important: Red Hat JBoss Enterprise Application Platform 6.3.0 security update
Message-ID: <201409041736.s84Had7c008211@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.3.0 security update
Advisory ID:       RHSA-2014:1162-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1162.html
Issue date:        2014-09-04
CVE Names:         CVE-2012-6153 CVE-2014-3577
=====================================================================

1. Summary:

Updated Red Hat JBoss Enterprise Application Platform 6.3.0 packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.3 for RHEL 5 - noarch
Red Hat JBoss EAP 6.3 for RHEL 6 - noarch
Red Hat JBoss EAP 6.3 for RHEL 7 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153)

It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security.

For additional information on these flaws, refer to the Knowledgebase article in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.3.0 on Red Hat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files.

On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1129074 - CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 - CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix

6. Package List:

Red Hat JBoss EAP 6.3 for RHEL 5:

Source:
httpcomponents-eap6-6-12.redhat_2.1.ep6.el5.src.rpm

noarch:
httpclient-eap6-4.2.1-12.redhat_2.1.ep6.el5.noarch.rpm
httpcomponents-client-eap6-4.2.1-12.redhat_2.1.ep6.el5.noarch.rpm
httpcomponents-core-eap6-4.2.1-12.redhat_2.1.ep6.el5.noarch.rpm
httpcomponents-project-eap6-6-12.redhat_2.1.ep6.el5.noarch.rpm
httpcore-eap6-4.2.1-12.redhat_2.1.ep6.el5.noarch.rpm
httpmime-eap6-4.2.1-12.redhat_2.1.ep6.el5.noarch.rpm

Red Hat JBoss EAP 6.3 for RHEL 6:

Source:
httpcomponents-eap6-6-12.redhat_2.1.ep6.el6.src.rpm

noarch:
httpclient-eap6-4.2.1-12.redhat_2.1.ep6.el6.noarch.rpm
httpcomponents-client-eap6-4.2.1-12.redhat_2.1.ep6.el6.noarch.rpm
httpcomponents-core-eap6-4.2.1-12.redhat_2.1.ep6.el6.noarch.rpm
httpcomponents-project-eap6-6-12.redhat_2.1.ep6.el6.noarch.rpm
httpcore-eap6-4.2.1-12.redhat_2.1.ep6.el6.noarch.rpm
httpmime-eap6-4.2.1-12.redhat_2.1.ep6.el6.noarch.rpm

Red Hat JBoss EAP 6.3 for RHEL 7:

Source:
httpcomponents-eap6-6-12.redhat_2.1.ep6.el7.src.rpm

noarch:
httpclient-eap6-4.2.1-12.redhat_2.1.ep6.el7.noarch.rpm
httpcomponents-client-eap6-4.2.1-12.redhat_2.1.ep6.el7.noarch.rpm
httpcomponents-core-eap6-4.2.1-12.redhat_2.1.ep6.el7.noarch.rpm
httpcomponents-project-eap6-6-12.redhat_2.1.ep6.el7.noarch.rpm
httpcore-eap6-4.2.1-12.redhat_2.1.ep6.el7.noarch.rpm
httpmime-eap6-4.2.1-12.redhat_2.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-6153.html
https://www.redhat.com/security/data/cve/CVE-2014-3577.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/1165533

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUCKMRXlSAg2UNWIIRAgw9AKCsFn6selet1xbRkBQWwFQKJc3jMQCZAYa5
JEN+aoMN188Hw4dbWCvQ7jw=
=ekRw
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Sep 4 17:37:23 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Sep 2014 17:37:23 +0000
Subject: [RHSA-2014:1163-01] Important: Red Hat JBoss Enterprise Application Platform 6.3.0 security update
Message-ID: <201409041737.s84HbN9Q012556@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.3.0 security update
Advisory ID:       RHSA-2014:1163-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1163.html
Issue date:        2014-09-04
CVE Names:         CVE-2012-6153 CVE-2014-3577
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 6.3.0 that fixes two security issues is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153)

It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577)

The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security.

For additional information on these flaws, refer to the Knowledgebase article in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.3.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

4. Bugs fixed (https://bugzilla.redhat.com/):

1129074 - CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
1129916 - CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-6153.html
https://www.redhat.com/security/data/cve/CVE-2014-3577.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.3
https://access.redhat.com/solutions/1165533

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
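RHSA-2014:1162 and RHSA-2014:1163 above describe the same weakness in hostname verification: the name the client compares against the server's host name is taken from the wrong place in the certificate subject. The Python below is an added example, not HttpClient's code and not a reconstruction of its actual defect: it contrasts a substring scan for "cn=" with a parser that walks the subject's RDNs and accepts only the subject's own CN attribute, prefers dNSName subjectAltName entries over the CN, and matches the host name with a single leftmost-label wildcard. The DN strings, the wildcard policy and the assumption that the DN carries no multi-valued or hex-encoded RDNs are constructed for this example.

```python
from __future__ import annotations

import re

# Constructed subject DN (not from any real certificate): the organisation
# value legitimately contains a comma and the characters "CN=", while the
# subject's own CN attribute holds a different name.
TRICKY_DN = 'O="Example Inc, CN=expected.example.test", CN=other.example.test'


def split_rdns(subject_dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 style DN string into (attribute type, value) pairs.

    Quoted values and backslash escapes are honoured, so a comma or a "CN="
    sequence inside a value never starts a new RDN. Multi-valued RDNs (joined
    with '+') and hex-encoded values are not handled: an assumption that keeps
    the example short.
    """
    parts: list[str] = []
    current: list[str] = []
    in_quotes = False
    i = 0
    while i < len(subject_dn):
        ch = subject_dn[i]
        if ch == "\\" and i + 1 < len(subject_dn):  # escaped character
            current.append(subject_dn[i + 1])
            i += 2
            continue
        if ch == '"':                                 # quoted-value delimiter
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:             # unquoted comma ends the RDN
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in DN")
    parts.append("".join(current))
    rdns: list[tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def extract_cn(subject_dn: str) -> str | None:
    """Return the value of the subject's own CN attribute, or None."""
    for attr_type, value in split_rdns(subject_dn):
        if attr_type == "CN":
            return value
    return None


def naive_cn(subject_dn: str) -> str | None:
    """Substring scan for "cn=" anywhere in the DN string.

    Shown only as the pattern to avoid: it cannot tell the subject's CN
    attribute from the same characters inside another attribute's value.
    """
    match = re.search(r"cn=([^,]+)", subject_dn, re.IGNORECASE)
    return match.group(1).strip().strip('"') if match else None


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive exact match, or a leftmost "*." wildcard that stands
    for exactly one label (the matching policy assumed for this example)."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    if not pat.startswith("*.") or "*" in pat[1:]:
        return False
    host_labels = host.split(".")
    pat_labels = pat.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def names_to_check(san_dns_names: list[str], subject_dn: str) -> list[str]:
    """dNSName SAN entries take precedence; the CN is consulted only when the
    certificate carries none."""
    if san_dns_names:
        return list(san_dns_names)
    cn = extract_cn(subject_dn)
    return [cn] if cn else []


def verify_hostname(hostname: str, san_dns_names: list[str], subject_dn: str) -> bool:
    """True if the host name matches one of the names the certificate is issued for."""
    return any(hostname_matches(hostname, name)
               for name in names_to_check(san_dns_names, subject_dn))


if __name__ == "__main__":
    print("substring scan   :", naive_cn(TRICKY_DN))
    print("RDN-aware extract:", extract_cn(TRICKY_DN))
    print("expected.example.test accepted?", verify_hostname("expected.example.test", [], TRICKY_DN))
```

On TRICKY_DN the substring scan reports expected.example.test while the RDN-aware parser reports other.example.test; only the latter is the name the issuing CA actually bound to the subject. In a real client the DN should be taken from the parsed certificate structure rather than a rendered string, and the CN consulted at all only when the certificate has no dNSName SAN.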
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUCKNJXlSAg2UNWIIRAsQcAJ90qSSjk8iXJ6PLCnFr75i79JIc6wCfWwng
KhkyHssMTB7BeHuTp7iu8Qo=
=gTxb
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Sep 10 05:39:21 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 10 Sep 2014 05:39:21 +0000
Subject: [RHSA-2014:1170-01] Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
Message-ID: <201409100539.s8A5dLVV013039@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
Advisory ID:       RHSA-2014:1170-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1170.html
Issue date:        2014-09-10
CVE Names:         CVE-2014-3120
=====================================================================

1. Summary:

This advisory contains instructions on how to resolve one security issue in the Elasticsearch component in Red Hat JBoss Fuse and A-MQ 6.1.0.

Red Hat Product Security has rated this security issue as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.

Red Hat JBoss Fuse and A-MQ include the insight plug-in, which provides insight into a Fuse Fabric using Elasticsearch to query data for logs, metrics or historic Camel messages. This plug-in is not enabled by default, and is provided as a technology preview.

If it is enabled by installing the feature, for example:

    JBossFuse:karaf@root> features:install insight-elasticsearch

Then an Elasticsearch server will be started.

It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search. (CVE-2014-3120)

All users of Red Hat JBoss Fuse and A-MQ 6.1.0 as provided from the Red Hat Customer Portal who have enabled Elasticsearch are advised to follow the instructions provided in the Solution section of this advisory.

3. Solution:

To mitigate this issue, follow the instructions at https://access.redhat.com/solutions/1191453

For more information, refer to https://access.redhat.com/solutions/1189133

4. Bugs fixed (https://bugzilla.redhat.com/):

1124252 - CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3120.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/1191453
https://access.redhat.com/solutions/1189133
https://access.redhat.com/support/offerings/techpreview

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUD+P4XlSAg2UNWIIRAqj+AJ9AcGh+/6lzUWj8lzEdZnRSC8+9ogCfQDcR
yjAl4kEfr8cOgKvP62Dz0xk=
=O0P6
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Sep 10 05:45:44 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 10 Sep 2014 05:45:44 +0000
Subject: [RHSA-2014:1171-01] Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update
Message-ID: <201409100545.s8A5jidu024415@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update
Advisory ID:       RHSA-2014:1171-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1171.html
Issue date:        2014-09-10
CVE Names:         CVE-2014-3120
=====================================================================

1. Summary:

This advisory contains instructions on how to resolve one security issue in the Elasticsearch component in Fuse ESB Enterprise and Fuse MQ Enterprise 7.1.0.

Red Hat Product Security has rated this security issue as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Fuse ESB Enterprise is an integration platform based on Apache ServiceMix. Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.

Fuse ESB Enterprise and Fuse MQ Enterprise include the insight plug-in, which provides insight into a Fuse Fabric using Elasticsearch to query data for logs, metrics or historic Camel messages. This plug-in is not enabled by default, and is provided as a technology preview.

If it is enabled by installing the feature, for example:

    JBossFuse:karaf@root> features:install insight-elasticsearch

Then an Elasticsearch server will be started.

It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search. (CVE-2014-3120)

All users of Fuse ESB Enterprise and Fuse MQ Enterprise 7.1.0 as provided from the Red Hat Customer Portal who have enabled Elasticsearch are advised to follow the instructions provided in the Solution section of this advisory.

3. Solution:

To mitigate this issue, follow the instructions at https://access.redhat.com/solutions/1191453

For more information, refer to https://access.redhat.com/solutions/1189133

4. Bugs fixed (https://bugzilla.redhat.com/):

1124252 - CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3120.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/1191453
https://access.redhat.com/solutions/1189133
https://access.redhat.com/support/offerings/techpreview

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUD+V5XlSAg2UNWIIRAq17AJ4uaH05P7smwmn65TlUkAGQ1CxF/wCgiPT9
ErXsWqsOvWdJ/Sc97FhECP4=
=YMNu
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Sep 17 16:51:57 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 17 Sep 2014 16:51:57 +0000
Subject: [RHSA-2014:1256-01] Moderate: Red Hat JBoss Web Server 2.1.0 openssl security update
Message-ID: <201409171651.s8HGpv01006090@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.1.0 openssl security update
Advisory ID:       RHSA-2014:1256-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1256.html
Issue date:        2014-09-17
CVE Names:         CVE-2014-3505 CVE-2014-3506 CVE-2014-3508 CVE-2014-3510
=====================================================================

1. Summary:

An update for the openssl component for Red Hat JBoss Web Server 2.1.0 that fixes multiple security issues is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols, as well as a full-strength, general purpose cryptography library.

It was discovered that the OBJ_obj2txt() function could fail to properly NUL-terminate its output. This could possibly cause an application using OpenSSL functions to format fields of X.509 certificates to disclose portions of its memory. (CVE-2014-3508)

Two flaws were discovered in the way OpenSSL handled DTLS packets. A remote attacker could use these flaws to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory. (CVE-2014-3505, CVE-2014-3506)

A NULL pointer dereference flaw was found in the way OpenSSL performed a handshake when using the anonymous Diffie-Hellman (DH) key exchange. A malicious server could cause a DTLS client using OpenSSL to crash if that client had anonymous DH cipher suites enabled. (CVE-2014-3510)

All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat Customer Portal are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1127490 - CVE-2014-3508 openssl: information leak in pretty printing functions
1127499 - CVE-2014-3505 openssl: DTLS packet processing double free
1127500 - CVE-2014-3506 openssl: DTLS memory exhaustion
1127503 - CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3505.html
https://www.redhat.com/security/data/cve/CVE-2014-3506.html
https://www.redhat.com/security/data/cve/CVE-2014-3508.html
https://www.redhat.com/security/data/cve/CVE-2014-3510.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUGbuXXlSAg2UNWIIRAlOtAKChkOz+8z5lYXidsnEIXrxWNSogEgCfahyd
U9tLfNSazIT44HiS/71olJo=
=dGMc
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Sep 23 20:25:32 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 23 Sep 2014 20:25:32 +0000
Subject: [RHSA-2014:1284-01] Moderate: Red Hat JBoss Data Virtualization 6.0.0 security update
Message-ID: <201409232025.s8NKPWg1030850@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Data Virtualization 6.0.0 security update
Advisory ID:       RHSA-2014:1284-01
Product:           Red Hat JBoss Data Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1284.html
Issue date:        2014-09-23
CVE Names:         CVE-2014-0170
=====================================================================

1. Summary:

Red Hat JBoss Data Virtualization 6.0.0 roll up patch 3, which fixes one security issue and various bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems, such as multiple databases, XML files, and even Hadoop systems, appear as a set of tables in a local database.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

The following security issue is also fixed with this release:

It was found that Teiid SQL/XML permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server. (CVE-2014-0170)

This issue was discovered by David Jorm of Red Hat Product Security.

All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1085554 - CVE-2014-0170 Teiid: XML eXternal Entity (XXE) flaw in SQL/XML parsing
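The Teiid flaw above is the classic XXE pattern: an external entity declared in the DTD of a request document is resolved by the server-side parser, and the file it names ends up in the parser's output. The Python below is an added example, not Teiid's code or the fix shipped in this patch: it screens an incoming document for DTD declarations, which a REST payload has no legitimate reason to carry, and as defence in depth parses with the SAX reader's external-entity features switched off so that a declared external entity contributes no text at all. The sample documents and the placeholder file URL are constructed.

```python
from __future__ import annotations

import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample documents (not taken from Teiid or from the advisory).
# The SYSTEM identifier is a placeholder path, not a real file.
BENIGN_XML = b'<?xml version="1.0"?><row><data>hello</data></row>'
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE row [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
           b'<row><data>&ext;</data></row>')

_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def declares_dtd(data: bytes) -> bool:
    """True if the document carries a DOCTYPE or ENTITY declaration.

    A payload posted to a REST endpoint has no legitimate need for a DTD, so
    refusing (and logging) such documents before parsing is the simplest guard.
    """
    return _DTD_MARKER.search(data) is not None


class _TextCollector(ContentHandler):
    """Record the character data of each element so results can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.texts: dict[str, str] = {}
        self._open: list[str] = []

    def startElement(self, name, attrs):
        self._open.append(name)
        self.texts.setdefault(name, "")

    def characters(self, content):
        if self._open:
            self.texts[self._open[-1]] += content

    def endElement(self, name):
        self._open.pop()


def parse_untrusted_xml(data: bytes, allow_dtd: bool = False) -> dict[str, str]:
    """Parse XML with external entity resolution switched off.

    Returns a mapping of element name to text. Even when a DTD is allowed
    through, expat never fetches an external entity: a reference to one
    contributes no text instead of the contents of a file on the server.
    """
    if not allow_dtd and declares_dtd(data):
        raise ValueError("document declares a DTD; refusing to parse it")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # no external general entities
    parser.setFeature(feature_external_pes, False)  # no external parameter entities
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.texts


if __name__ == "__main__":
    print("benign:", parse_untrusted_xml(BENIGN_XML))
    print("dtd declared in sample:", declares_dtd(XXE_XML))
    # With resolution off, the external entity expands to nothing.
    print("xxe sample, resolution off:", parse_untrusted_xml(XXE_XML, allow_dtd=True))
```

The DTD screen is the control to rely on at an endpoint boundary; the parser features are there so that a document which slips past the screen still cannot pull in file contents. A log entry for every rejected document gives the detection side a clear signal that someone is probing the endpoint.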
5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0170.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.0.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUIdcAXlSAg2UNWIIRAlUvAJ9iT2JCZxPSrl+iRpvKiEcZH/ChdgCfbqE4
AZD9M3LLi+bachQVOaoCqyY=
=hjQ+
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Sep 23 20:27:07 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 23 Sep 2014 20:27:07 +0000
Subject: [RHSA-2014:1285-01] Low: Red Hat JBoss Enterprise Application Platform 6.3.1 update
Message-ID: <201409232027.s8NKR7FY007465@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat JBoss Enterprise Application Platform 6.3.1 update
Advisory ID:       RHSA-2014:1285-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1285.html
Issue date:        2014-09-23
CVE Names:         CVE-2014-3558
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.3.1 and fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.3 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required to run Hibernate Validator under the Java Security Manager could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which might otherwise not be possible. This flaw could be used to perform various attacks, including but not restricted to, arbitrary code execution in systems that are otherwise secured by the Java Security Manager. (CVE-2014-3558)

This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. A list of these changes is available from the JBoss Enterprise Application Platform 6.3.1 Downloads page on the Customer Portal.

All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files.

On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1120495 - CVE-2014-3558 Hibernate Validator: JSM bypass via ReflectionHelper
1128666 - RHEL6 RPMs: Upgrade apache-cxf to 2.7.11.redhat-9
1128712 - RHEL6 RPMs: Upgrade hibernate4-validator to 4.3.2.Final-redhat-1
1129663 - RHEL6 RPMs: Upgrade jboss-hal to 2.2.10.Final-redhat-1
1129680 - RHEL6 RPMs: Upgrade jbossts to 4.17.22.Final-redhat-2
1131100 - RHEL6 RPMs: Upgrade hibernate4-eap6 to 4.2.14.SP3-redhat-1
1131835 - RHEL6 RPMs: Upgrade jboss-as-console to 2.2.10.Final-redhat-1
1131981 - RHEL6 RPMs: Upgrade jboss-marshalling to 1.4.8.Final-redhat-1
1131986 - RHEL6 RPMs: Upgrade jboss-ejb-client to 1.0.26.Final-redhat-1
1132009 - RHEL6 RPMs: Upgrade jboss-modules to 1.3.4.Final-redhat-1
1132032 - RHEL6 RPMs: Upgrade jboss-remoting3 to 3.3.3.Final-redhat-1
1132039 - RHEL6 RPMs: Upgrade jboss-security-negotiation to 2.3.4.Final-redhat-1
1132811 - RHEL6 RPMs: Upgrade jboss-remote-naming to 1.0.9.Final-redhat-1
1134667 - RHEL6 RPMs: Upgrade wss4j to 1.6.15.redhat-1
1136932 - RHEL6 RPMs: Upgrade hornetq to 2.3.21.Final-redhat-1
1136935 - RHEL6 RPMs: Upgrade jbossweb to 7.4.9.Final-redhat-1

6. Package List:

Red Hat JBoss EAP 6.3 for RHEL 6:

Source:
glassfish-jaxb-eap6-2.2.5-22.redhat_9.1.ep6.el6.src.rpm
glassfish-jsf-eap6-2.1.28-5.redhat_6.1.ep6.el6.src.rpm
hibernate4-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el6.src.rpm
hibernate4-validator-4.3.2-1.Final_redhat_1.2.ep6.el6.src.rpm
hornetq-2.3.21-1.Final_redhat_1.1.ep6.el6.src.rpm
httpcomponents-eap6-7-4.redhat_3.1.ep6.el6.src.rpm
ironjacamar-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-annotations-api_1.1_spec-1.0.1-4.Final_redhat_2.2.ep6.el6.src.rpm
jboss-as-appclient-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-cli-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-client-all-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-clustering-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-cmp-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-connector-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-console-2.2.10-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-controller-client-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-core-security-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-domain-http-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-domain-management-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-ee-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-ejb3-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-embedded-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-host-controller-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jacorb-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jaxr-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jdr-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jmx-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jpa-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jsf-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jsr77-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-logging-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-mail-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-messaging-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-modcluster-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-naming-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-network-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-osgi-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-picketlink-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-pojo-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-process-controller-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-protocol-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-remoting-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-sar-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-security-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-server-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-threads-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-transactions-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-version-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-web-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-webservices-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-weld-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-xts-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm
jboss-connector-api_1.6_spec-1.0.1-4.Final_redhat_2.2.ep6.el6.src.rpm
jboss-ejb-client-1.0.26-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-hal-2.2.10-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-interceptors-api_1.1_spec-1.0.1-5.Final_redhat_2.2.ep6.el6.src.rpm jboss-jaxr-api_1.0_spec-1.0.2-5.Final_redhat_2.2.ep6.el6.src.rpm jboss-jaxrs-api_1.1_spec-1.0.1-9.Final_redhat_2.2.ep6.el6.src.rpm jboss-jaxws-api_2.2_spec-2.0.2-6.Final_redhat_1.1.ep6.el6.src.rpm jboss-jms-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el6.src.rpm jboss-jsp-api_2.2_spec-1.0.1-7.Final_redhat_2.2.ep6.el6.src.rpm jboss-marshalling-1.4.8-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-modules-1.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-remote-naming-1.0.9-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-remoting3-3.3.3-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-saaj-api_1.3_spec-1.0.3-6.Final_redhat_1.1.ep6.el6.src.rpm jboss-security-negotiation-2.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-transaction-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el6.src.rpm jbossas-appclient-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-bundles-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-core-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-domain-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-javadocs-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-modules-eap-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-product-eap-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-standalone-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm jbossas-welcome-content-eap-7.4.1-2.Final_redhat_3.1.ep6.el6.src.rpm jbossts-4.17.22-2.Final_redhat_2.1.ep6.el6.src.rpm jbossweb-7.4.9-1.Final_redhat_1.1.ep6.el6.src.rpm jbossxb2-2.0.3-14.GA_redhat_2.2.ep6.el6.src.rpm netty-3.6.9-2.Final_redhat_1.1.ep6.el6.src.rpm picketlink-bindings-2.5.3-9.SP10_redhat_1.1.ep6.el6.src.rpm picketlink-federation-2.5.3-10.SP10_redhat_1.1.ep6.el6.src.rpm resteasy-2.3.8-8.SP2_redhat_3.1.ep6.el6.src.rpm wss4j-1.6.15-2.redhat_1.1.ep6.el6.src.rpm xml-security-1.5.6-2.redhat_1.1.ep6.el6.src.rpm noarch: glassfish-jaxb-eap6-2.2.5-22.redhat_9.1.ep6.el6.noarch.rpm 
glassfish-jsf-eap6-2.1.28-5.redhat_6.1.ep6.el6.noarch.rpm hibernate4-core-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el6.noarch.rpm hibernate4-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el6.noarch.rpm hibernate4-entitymanager-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el6.noarch.rpm hibernate4-envers-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el6.noarch.rpm hibernate4-infinispan-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el6.noarch.rpm hibernate4-validator-4.3.2-1.Final_redhat_1.2.ep6.el6.noarch.rpm hornetq-2.3.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm httpclient-eap6-4.2.6-4.redhat_3.1.ep6.el6.noarch.rpm httpcomponents-client-eap6-4.2.6-4.redhat_3.1.ep6.el6.noarch.rpm httpcomponents-core-eap6-4.2.5-4.redhat_3.1.ep6.el6.noarch.rpm httpcomponents-project-eap6-7-4.redhat_3.1.ep6.el6.noarch.rpm httpcore-eap6-4.2.5-4.redhat_3.1.ep6.el6.noarch.rpm httpmime-eap6-4.2.6-4.redhat_3.1.ep6.el6.noarch.rpm ironjacamar-common-api-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-common-impl-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-common-spi-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-core-api-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-core-impl-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-deployers-common-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-jdbc-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-spec-api-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm ironjacamar-validator-eap6-1.0.27-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-annotations-api_1.1_spec-1.0.1-4.Final_redhat_2.2.ep6.el6.noarch.rpm jboss-as-appclient-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-cli-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-client-all-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-clustering-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-cmp-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm 
jboss-as-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-connector-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-console-2.2.10-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-as-controller-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-controller-client-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-core-security-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-deployment-repository-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-deployment-scanner-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-domain-http-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-domain-management-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-ee-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-ee-deployment-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-ejb3-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-embedded-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-host-controller-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jacorb-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jaxr-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jaxrs-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jdr-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jmx-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jpa-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jsf-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jsr77-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-logging-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-mail-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-management-client-content-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-messaging-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-modcluster-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-naming-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-network-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-osgi-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm 
jboss-as-osgi-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-osgi-service-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-picketlink-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-platform-mbean-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-pojo-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-process-controller-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-protocol-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-remoting-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-sar-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-security-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-server-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-system-jmx-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-threads-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-transactions-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-version-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-web-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-webservices-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-weld-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-xts-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-connector-api_1.6_spec-1.0.1-4.Final_redhat_2.2.ep6.el6.noarch.rpm jboss-ejb-client-1.0.26-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-hal-2.2.10-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-interceptors-api_1.1_spec-1.0.1-5.Final_redhat_2.2.ep6.el6.noarch.rpm jboss-jaxr-api_1.0_spec-1.0.2-5.Final_redhat_2.2.ep6.el6.noarch.rpm jboss-jaxrs-api_1.1_spec-1.0.1-9.Final_redhat_2.2.ep6.el6.noarch.rpm jboss-jaxws-api_2.2_spec-2.0.2-6.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-jms-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el6.noarch.rpm jboss-jsp-api_2.2_spec-1.0.1-7.Final_redhat_2.2.ep6.el6.noarch.rpm jboss-marshalling-1.4.8-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-modules-1.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-remote-naming-1.0.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm 
jboss-remoting3-3.3.3-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-saaj-api_1.3_spec-1.0.3-6.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-security-negotiation-2.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-transaction-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el6.noarch.rpm jbossas-appclient-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-bundles-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-core-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-domain-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-javadocs-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-modules-eap-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-product-eap-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-standalone-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-welcome-content-eap-7.4.1-2.Final_redhat_3.1.ep6.el6.noarch.rpm jbossts-4.17.22-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossweb-7.4.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm jbossxb2-2.0.3-14.GA_redhat_2.2.ep6.el6.noarch.rpm netty-3.6.9-2.Final_redhat_1.1.ep6.el6.noarch.rpm picketlink-bindings-2.5.3-9.SP10_redhat_1.1.ep6.el6.noarch.rpm picketlink-federation-2.5.3-10.SP10_redhat_1.1.ep6.el6.noarch.rpm resteasy-2.3.8-8.SP2_redhat_3.1.ep6.el6.noarch.rpm wss4j-1.6.15-2.redhat_1.1.ep6.el6.noarch.rpm xml-security-1.5.6-2.redhat_1.1.ep6.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-3558.html https://access.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
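The Solution section of this advisory (and of the sibling advisories for RHEL 5 and RHEL 7 on this page) says that rpm keeps a locally modified configuration file in place and stores the vendor's version beside it as a .rpmnew file, which the administrator must locate and merge by hand. The script below is an added example, not part of the Red Hat advisory: it finds those files and classifies each one; CONF_DIR (defaulting to /etc/jbossas) and the sample file names it builds are assumptions, not taken from the advisory.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory. After the RPM update,
# rpm keeps a locally modified configuration file in place and writes the
# vendor's new version beside it as <file>.rpmnew. These helpers locate
# such files and report which ones still need a manual merge.
# CONF_DIR is an assumption: point it at your EAP configuration root.
CONF_DIR="${CONF_DIR:-/etc/jbossas}"
TAB="$(printf '\t')"

# list_rpmnew [DIR]
# Prints one "<live file><TAB><status>" line per *.rpmnew under DIR:
#   merge     - the vendor file differs from the live one; merge by hand
#   identical - no local change survived; the .rpmnew can be removed
#   orphan    - a .rpmnew with no live counterpart; inspect by hand
list_rpmnew() {
    find "${1:-$CONF_DIR}" -type f -name '*.rpmnew' | sort |
    while IFS= read -r new; do
        live="${new%.rpmnew}"
        if [ ! -f "$live" ]; then
            printf '%s\torphan\n' "$live"
        elif cmp -s "$live" "$new"; then
            printf '%s\tidentical\n' "$live"
        else
            printf '%s\tmerge\n' "$live"
        fi
    done
}

# count_merges [DIR]  -> number of files that still need a manual merge
count_merges() {
    list_rpmnew "$1" | awk -F "$TAB" '$2 == "merge" { n++ } END { print n + 0 }'
}

# show_merge_diffs [DIR]
# Unified diff (live file vs. vendor file) for each file that needs merging,
# so the administrator sees exactly which vendor changes to carry over.
show_merge_diffs() {
    list_rpmnew "$1" | while IFS="$TAB" read -r live status; do
        [ "$status" = "merge" ] || continue
        diff -u "$live" "$live.rpmnew" || true   # diff exits 1 when files differ
    done
}

# make_sample_tree -> path of a constructed directory tree that mimics the
# state after an update: one modified config, one untouched, one orphan.
# The file names are constructed for the demo, not taken from the advisory.
make_sample_tree() {
    d="$(mktemp -d)"
    c="$d/standalone/configuration"
    mkdir -p "$c"
    printf 'vendor-default\nlocal-tuning\n'      > "$c/standalone.xml"
    printf 'vendor-default\nvendor-new-option\n' > "$c/standalone.xml.rpmnew"
    printf 'unchanged\n'                         > "$c/logging.properties"
    printf 'unchanged\n'                         > "$c/logging.properties.rpmnew"
    printf 'no live counterpart\n'               > "$c/old-module.conf.rpmnew"
    printf '%s\n' "$d"
}

# Run with --demo to see the report on the constructed sample tree.
if [ "${1:-}" = "--demo" ]; then
    d="$(make_sample_tree)"
    list_rpmnew "$d"
    printf 'files to merge: %s\n' "$(count_merges "$d")"
    show_merge_diffs "$d"
    rm -rf "$d"
fi
```

Without arguments the script only defines the functions, so it can be sourced and run as `list_rpmnew /path/to/eap/config` against a real installation after the update.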
From bugzilla at redhat.com Tue Sep 23 20:28:09 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 23 Sep 2014 20:28:09 +0000
Subject: [RHSA-2014:1286-01] Low: Red Hat JBoss Enterprise Application Platform 6.3.1 update
Message-ID: <201409232028.s8NKS9lO024059@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat JBoss Enterprise Application Platform 6.3.1 update
Advisory ID:       RHSA-2014:1286-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1286.html
Issue date:        2014-09-23
CVE Names:         CVE-2014-3558
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform
6.3.1 and fix one security issue, several bugs, and add various enhancements
are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.3 for RHEL 5 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

It was discovered that the implementation of
org.hibernate.validator.util.ReflectionHelper together with the permissions
required to run Hibernate Validator under the Java Security Manager could
allow a malicious application deployed in the same application container to
execute several actions with escalated privileges, which might otherwise not
be possible. This flaw could be used to perform various attacks, including,
but not restricted to, arbitrary code execution in systems that are
otherwise secured by the Java Security Manager. (CVE-2014-3558)

This release of JBoss Enterprise Application Platform also includes bug
fixes and enhancements. A list of these changes is available from the JBoss
Enterprise Application Platform 6.3.1 Downloads page on the Customer Portal.

All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat
Enterprise Linux 5 are advised to upgrade to these updated packages. The
JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up any customized Red
Hat JBoss Enterprise Application Platform 6 configuration files. On update,
configuration files that have been locally modified will not be updated; the
updated version of each such file will be stored beside it as a .rpmnew
file. Make sure to locate any such files after the update and merge any
changes manually.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1120495 - CVE-2014-3558 Hibernate Validator: JSM bypass via ReflectionHelper
1128667 - RHEL5 RPMs: Upgrade apache-cxf to 2.7.11.redhat-9
1128713 - RHEL5 RPMs: Upgrade hibernate4-validator to 4.3.2.Final-redhat-1
1129664 - RHEL5 RPMs: Upgrade jboss-hal to 2.2.10.Final-redhat-1
1129681 - RHEL5 RPMs: Upgrade jbossts to 4.17.22.Final-redhat-2
1131101 - RHEL5 RPMs: Upgrade hibernate4-eap6 to 4.2.14.SP3-redhat-1
1131836 - RHEL5 RPMs: Upgrade jboss-as-console to 2.2.10.Final-redhat-1
1131982 - RHEL5 RPMs: Upgrade jboss-marshalling to 1.4.8.Final-redhat-1
1131987 - RHEL5 RPMs: Upgrade jboss-ejb-client to 1.0.26.Final-redhat-1
1132010 - RHEL5 RPMs: Upgrade jboss-modules to 1.3.4.Final-redhat-1
1132034 - RHEL5 RPMs: Upgrade jboss-remoting3 to 3.3.3.Final-redhat-1
1132040 - RHEL5 RPMs: Upgrade jboss-security-negotiation to 2.3.4.Final-redhat-1
1132812 - RHEL5 RPMs: Upgrade jboss-remote-naming to 1.0.9.Final-redhat-1
1134668 - RHEL5 RPMs: Upgrade wss4j to 1.6.15.redhat-1
1136933 - RHEL5 RPMs: Upgrade hornetq to 2.3.21.Final-redhat-1
1136936 - RHEL5 RPMs: Upgrade jbossweb to 7.4.9.Final-redhat-1

6. Package List:

Red Hat JBoss EAP 6.3 for RHEL 5:

Source:
glassfish-jaxb-eap6-2.2.5-22.redhat_9.1.ep6.el5.src.rpm
glassfish-jsf-eap6-2.1.28-5.redhat_6.1.ep6.el5.src.rpm
hibernate4-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el5.src.rpm
hibernate4-validator-4.3.2-1.Final_redhat_1.2.ep6.el5.src.rpm
hornetq-2.3.21-1.Final_redhat_1.1.ep6.el5.src.rpm
httpcomponents-eap6-7-4.redhat_3.1.ep6.el5.src.rpm
ironjacamar-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-annotations-api_1.1_spec-1.0.1-4.Final_redhat_2.2.ep6.el5.src.rpm
jboss-as-appclient-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-cli-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-client-all-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-clustering-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-cmp-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-connector-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-console-2.2.10-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-controller-client-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-core-security-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-domain-http-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-domain-management-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-ee-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-ejb3-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-embedded-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-host-controller-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jacorb-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jaxr-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jdr-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jmx-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jpa-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jsf-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jsr77-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-logging-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-mail-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-messaging-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-modcluster-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-naming-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-network-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-osgi-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-picketlink-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-pojo-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-process-controller-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-protocol-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-remoting-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-sar-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-security-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-server-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-threads-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-transactions-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-version-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-web-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-webservices-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-weld-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-xts-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jboss-connector-api_1.6_spec-1.0.1-4.Final_redhat_2.2.ep6.el5.src.rpm
jboss-ejb-client-1.0.26-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-hal-2.2.10-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-interceptors-api_1.1_spec-1.0.1-5.Final_redhat_2.2.ep6.el5.src.rpm
jboss-jaxr-api_1.0_spec-1.0.2-5.Final_redhat_2.2.ep6.el5.src.rpm
jboss-jaxrs-api_1.1_spec-1.0.1-9.Final_redhat_2.2.ep6.el5.src.rpm
jboss-jaxws-api_2.2_spec-2.0.2-6.Final_redhat_1.1.ep6.el5.src.rpm
jboss-jms-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el5.src.rpm
jboss-jsp-api_2.2_spec-1.0.1-7.Final_redhat_2.2.ep6.el5.src.rpm
jboss-marshalling-1.4.8-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-modules-1.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-remote-naming-1.0.9-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-remoting3-3.3.3-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-saaj-api_1.3_spec-1.0.3-6.Final_redhat_1.1.ep6.el5.src.rpm
jboss-security-negotiation-2.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-transaction-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el5.src.rpm
jbossas-appclient-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-bundles-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-core-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-domain-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-javadocs-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-modules-eap-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-product-eap-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-standalone-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.4.1-2.Final_redhat_3.1.ep6.el5.src.rpm
jbossts-4.17.22-2.Final_redhat_2.1.ep6.el5.src.rpm
jbossweb-7.4.9-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossxb2-2.0.3-14.GA_redhat_2.2.ep6.el5.src.rpm
netty-3.6.9-2.Final_redhat_1.1.ep6.el5.src.rpm
picketlink-bindings-2.5.3-9.SP10_redhat_1.1.ep6.el5.src.rpm
picketlink-federation-2.5.3-10.SP10_redhat_1.1.ep6.el5.src.rpm
resteasy-2.3.8-8.SP2_redhat_3.1.ep6.el5.src.rpm
wss4j-1.6.15-2.redhat_1.1.ep6.el5.src.rpm
xml-security-1.5.6-2.redhat_1.1.ep6.el5.src.rpm

noarch:
glassfish-jaxb-eap6-2.2.5-22.redhat_9.1.ep6.el5.noarch.rpm
glassfish-jsf-eap6-2.1.28-5.redhat_6.1.ep6.el5.noarch.rpm
hibernate4-core-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-entitymanager-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-envers-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-infinispan-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-validator-4.3.2-1.Final_redhat_1.2.ep6.el5.noarch.rpm
hornetq-2.3.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
httpclient-eap6-4.2.6-4.redhat_3.1.ep6.el5.noarch.rpm
httpcomponents-client-eap6-4.2.6-4.redhat_3.1.ep6.el5.noarch.rpm
httpcomponents-core-eap6-4.2.5-4.redhat_3.1.ep6.el5.noarch.rpm
httpcomponents-project-eap6-7-4.redhat_3.1.ep6.el5.noarch.rpm
httpcore-eap6-4.2.5-4.redhat_3.1.ep6.el5.noarch.rpm
httpmime-eap6-4.2.6-4.redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-common-api-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-impl-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-spi-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-core-api-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-core-impl-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-jdbc-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-spec-api-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-validator-eap6-1.0.27-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-annotations-api_1.1_spec-1.0.1-4.Final_redhat_2.2.ep6.el5.noarch.rpm
jboss-as-appclient-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-cli-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-connector-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-console-2.2.10-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-controller-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-ee-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-logging-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-mail-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-naming-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-network-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-sar-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-security-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-server-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-threads-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-version-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-web-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-weld-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-xts-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-connector-api_1.6_spec-1.0.1-4.Final_redhat_2.2.ep6.el5.noarch.rpm
jboss-ejb-client-1.0.26-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-hal-2.2.10-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-interceptors-api_1.1_spec-1.0.1-5.Final_redhat_2.2.ep6.el5.noarch.rpm
jboss-jaxr-api_1.0_spec-1.0.2-5.Final_redhat_2.2.ep6.el5.noarch.rpm
jboss-jaxrs-api_1.1_spec-1.0.1-9.Final_redhat_2.2.ep6.el5.noarch.rpm
jboss-jaxws-api_2.2_spec-2.0.2-6.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-jms-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el5.noarch.rpm
jboss-jsp-api_2.2_spec-1.0.1-7.Final_redhat_2.2.ep6.el5.noarch.rpm
jboss-marshalling-1.4.8-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-modules-1.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-remote-naming-1.0.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-remoting3-3.3.3-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-saaj-api_1.3_spec-1.0.3-6.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-security-negotiation-2.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-transaction-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el5.noarch.rpm
jbossas-appclient-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-bundles-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-core-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-domain-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-modules-eap-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-standalone-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.4.1-2.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossts-4.17.22-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossweb-7.4.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossxb2-2.0.3-14.GA_redhat_2.2.ep6.el5.noarch.rpm
netty-3.6.9-2.Final_redhat_1.1.ep6.el5.noarch.rpm
picketlink-bindings-2.5.3-9.SP10_redhat_1.1.ep6.el5.noarch.rpm
picketlink-federation-2.5.3-10.SP10_redhat_1.1.ep6.el5.noarch.rpm
resteasy-2.3.8-8.SP2_redhat_3.1.ep6.el5.noarch.rpm
wss4j-1.6.15-2.redhat_1.1.ep6.el5.noarch.rpm
xml-security-1.5.6-2.redhat_1.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-3558.html
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUIdfEXlSAg2UNWIIRAswWAKCy5Gyvyw1upM49h7Q8R3WkHkt6IQCeJuct 9eFzpkn2WPjf2lr0h/Zku1c= =RcGM -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Sep 23 20:29:13 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 23 Sep 2014 20:29:13 +0000 Subject: [RHSA-2014:1287-01] Low: Red Hat JBoss Enterprise Application Platform 6.3.1 update Message-ID: <201409232029.s8NKTD1h024450@int-mx14.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: Red Hat JBoss Enterprise Application Platform 6.3.1 update Advisory ID: RHSA-2014:1287-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1287.html Issue date: 2014-09-23 CVE Names: CVE-2014-3558 ===================================================================== 1. Summary: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.3.1 and fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 6.3 for RHEL 7 - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. 
It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required to run Hibernate Validator under the Java Security Manager could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which might otherwise not be possible. This flaw could be used to perform various attacks, including but not restricted to, arbitrary code execution in systems that are otherwise secured by the Java Security Manager. (CVE-2014-3558)

This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. A list of these changes is available from the JBoss Enterprise Application Platform 6.3.1 Downloads page on the Customer Portal.

All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Also, back up any customized Red Hat JBoss Enterprise Application Platform 6 configuration files. On update, the configuration files that have been locally modified will not be updated. The updated version of such files will be stored as the rpmnew files. Make sure to locate any such files after the update and merge any changes manually.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1120495 - CVE-2014-3558 Hibernate Validator: JSM bypass via ReflectionHelper
1128668 - RHEL7 RPMs: Upgrade apache-cxf to 2.7.11.redhat-9
1128714 - RHEL7 RPMs: Upgrade hibernate4-validator to 4.3.2.Final-redhat-1
1129665 - RHEL7 RPMs: Upgrade jboss-hal to 2.2.10.Final-redhat-1
1129682 - RHEL7 RPMs: Upgrade jbossts to 4.17.22.Final-redhat-2
1131102 - RHEL7 RPMs: Upgrade hibernate4-eap6 to 4.2.14.SP3-redhat-1
1131837 - RHEL7 RPMs: Upgrade jboss-as-console to 2.2.10.Final-redhat-1
1131983 - RHEL7 RPMs: Upgrade jboss-marshalling to 1.4.8.Final-redhat-1
1131988 - RHEL7 RPMs: Upgrade jboss-ejb-client to 1.0.26.Final-redhat-1
1132011 - RHEL7 RPMs: Upgrade jboss-modules to 1.3.4.Final-redhat-1
1132035 - RHEL7 RPMs: Upgrade jboss-remoting3 to 3.3.3.Final-redhat-1
1132041 - RHEL7 RPMs: Upgrade jboss-security-negotiation to 2.3.4.Final-redhat-1
1132813 - RHEL7 RPMs: Upgrade jboss-remote-naming to 1.0.9.Final-redhat-1
1134669 - RHEL7 RPMs: Upgrade wss4j to 1.6.15.redhat-1
1136934 - RHEL7 RPMs: Upgrade hornetq to 2.3.21.Final-redhat-1
1136937 - RHEL7 RPMs: Upgrade jbossweb to 7.4.9.Final-redhat-1

6.
Package List: Red Hat JBoss EAP 6.3 for RHEL 7: Source: glassfish-jaxb-eap6-2.2.5-22.redhat_9.1.ep6.el7.src.rpm glassfish-jsf-eap6-2.1.28-5.redhat_6.1.ep6.el7.src.rpm hibernate4-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el7.src.rpm hibernate4-validator-4.3.2-1.Final_redhat_1.2.ep6.el7.src.rpm hornetq-2.3.21-1.Final_redhat_1.1.ep6.el7.src.rpm httpcomponents-eap6-7-4.redhat_3.1.ep6.el7.src.rpm ironjacamar-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-as-appclient-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-cli-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-client-all-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-clustering-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-cmp-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-connector-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-console-2.2.10-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-as-controller-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-controller-client-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-core-security-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-deployment-repository-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-deployment-scanner-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-domain-http-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-domain-management-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-ee-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-ee-deployment-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-ejb3-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-embedded-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-host-controller-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-jacorb-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-jaxr-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-jaxrs-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-jdr-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-jmx-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm 
jboss-as-jpa-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-jsf-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-jsr77-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-logging-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-mail-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-management-client-content-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-messaging-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-modcluster-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-naming-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-network-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-osgi-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-osgi-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-osgi-service-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-picketlink-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-platform-mbean-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-pojo-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-process-controller-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-protocol-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-remoting-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-sar-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-security-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-server-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-system-jmx-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-threads-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-transactions-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-version-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-web-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-webservices-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-weld-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-as-xts-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jboss-ejb-client-1.0.26-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-hal-2.2.10-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-jaxws-api_2.2_spec-2.0.2-6.Final_redhat_1.1.ep6.el7.src.rpm 
jboss-jms-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el7.src.rpm jboss-marshalling-1.4.8-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-modules-1.3.4-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-remote-naming-1.0.9-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-remoting3-3.3.3-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-saaj-api_1.3_spec-1.0.3-6.Final_redhat_1.1.ep6.el7.src.rpm jboss-security-negotiation-2.3.4-1.Final_redhat_1.1.ep6.el7.src.rpm jbossas-appclient-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jbossas-bundles-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jbossas-core-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jbossas-domain-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jbossas-javadocs-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jbossas-modules-eap-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jbossas-product-eap-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jbossas-standalone-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jbossas-welcome-content-eap-7.4.1-2.Final_redhat_3.1.ep6.el7.src.rpm jbossts-4.17.22-2.Final_redhat_2.1.ep6.el7.src.rpm jbossweb-7.4.9-1.Final_redhat_1.1.ep6.el7.src.rpm jbossxb2-2.0.3-14.GA_redhat_2.2.ep6.el7.src.rpm resteasy-2.3.8-8.SP2_redhat_3.1.ep6.el7.src.rpm wss4j-1.6.15-2.redhat_1.1.ep6.el7.src.rpm xml-security-1.5.6-2.redhat_1.1.ep6.el7.src.rpm noarch: glassfish-jaxb-eap6-2.2.5-22.redhat_9.1.ep6.el7.noarch.rpm glassfish-jsf-eap6-2.1.28-5.redhat_6.1.ep6.el7.noarch.rpm hibernate4-core-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el7.noarch.rpm hibernate4-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el7.noarch.rpm hibernate4-entitymanager-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el7.noarch.rpm hibernate4-envers-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el7.noarch.rpm hibernate4-infinispan-eap6-4.2.14-8.SP3_redhat_1.1.ep6.el7.noarch.rpm hibernate4-validator-4.3.2-1.Final_redhat_1.2.ep6.el7.noarch.rpm hornetq-2.3.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm httpclient-eap6-4.2.6-4.redhat_3.1.ep6.el7.noarch.rpm httpcomponents-client-eap6-4.2.6-4.redhat_3.1.ep6.el7.noarch.rpm 
httpcomponents-core-eap6-4.2.5-4.redhat_3.1.ep6.el7.noarch.rpm httpcomponents-project-eap6-7-4.redhat_3.1.ep6.el7.noarch.rpm httpcore-eap6-4.2.5-4.redhat_3.1.ep6.el7.noarch.rpm httpmime-eap6-4.2.6-4.redhat_3.1.ep6.el7.noarch.rpm ironjacamar-common-api-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-common-impl-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-common-spi-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-core-api-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-core-impl-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-deployers-common-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-jdbc-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-spec-api-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm ironjacamar-validator-eap6-1.0.27-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-as-appclient-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-cli-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-client-all-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-clustering-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-cmp-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-connector-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-console-2.2.10-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-as-controller-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-controller-client-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-core-security-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-deployment-repository-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-deployment-scanner-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-domain-http-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-domain-management-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-ee-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm 
jboss-as-ee-deployment-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-ejb3-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-embedded-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-host-controller-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-jacorb-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-jaxr-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-jaxrs-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-jdr-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-jmx-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-jpa-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-jsf-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-jsr77-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-logging-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-mail-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-management-client-content-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-messaging-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-modcluster-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-naming-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-network-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-osgi-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-osgi-configadmin-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-osgi-service-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-picketlink-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-platform-mbean-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-pojo-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-process-controller-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-protocol-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-remoting-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-sar-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-security-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-server-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-system-jmx-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm 
jboss-as-threads-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-transactions-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-version-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-web-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-webservices-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-weld-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-as-xts-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jboss-ejb-client-1.0.26-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-hal-2.2.10-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-jaxws-api_2.2_spec-2.0.2-6.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-jms-api_1.1_spec-1.0.1-12.Final_redhat_2.2.ep6.el7.noarch.rpm jboss-marshalling-1.4.8-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-modules-1.3.4-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-remote-naming-1.0.9-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-remoting3-3.3.3-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-saaj-api_1.3_spec-1.0.3-6.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-security-negotiation-2.3.4-1.Final_redhat_1.1.ep6.el7.noarch.rpm jbossas-appclient-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jbossas-bundles-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jbossas-core-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jbossas-domain-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jbossas-javadocs-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jbossas-modules-eap-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jbossas-product-eap-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jbossas-standalone-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jbossas-welcome-content-eap-7.4.1-2.Final_redhat_3.1.ep6.el7.noarch.rpm jbossts-4.17.22-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossweb-7.4.9-1.Final_redhat_1.1.ep6.el7.noarch.rpm jbossxb2-2.0.3-14.GA_redhat_2.2.ep6.el7.noarch.rpm resteasy-2.3.8-8.SP2_redhat_3.1.ep6.el7.noarch.rpm wss4j-1.6.15-2.redhat_1.1.ep6.el7.noarch.rpm xml-security-1.5.6-2.redhat_1.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-3558.html
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUIdf3XlSAg2UNWIIRAmlBAKC4lyA28/hR5ufGCAgu+0ZyP9qWUwCdHPay
YZV6zClahI1R5p1avEivTwE=
=jLnf
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Sep 23 20:29:31 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 23 Sep 2014 20:29:31 +0000
Subject: [RHSA-2014:1288-01] Low: Red Hat JBoss Enterprise Application Platform 6.3.1 update
Message-ID: <201409232029.s8NKTV4R008396@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat JBoss Enterprise Application Platform 6.3.1 update
Advisory ID:       RHSA-2014:1288-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1288.html
Issue date:        2014-09-23
CVE Names:         CVE-2014-3558
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.3.1 and fix one security issue, several bugs, and add various enhancements are now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.
It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required to run Hibernate Validator under the Java Security Manager could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which might otherwise not be possible. This flaw could be used to perform various attacks, including but not restricted to, arbitrary code execution in systems that are otherwise secured by the Java Security Manager. (CVE-2014-3558)

This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. A list of these changes is available from the JBoss Enterprise Application Platform 6.3.1 Downloads page on the Customer Portal.

All users of Red Hat JBoss Enterprise Application Platform 6.3 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

4. Bugs fixed (https://bugzilla.redhat.com/):

1120495 - CVE-2014-3558 Hibernate Validator: JSM bypass via ReflectionHelper

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3558.html
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions&version=6.3

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUIdglXlSAg2UNWIIRAphKAJ9uhZaGm09SMO22OdAhM0KxLzTebwCZAR0t
xzkyait+Rr9QJGdph5e6ZhA=
=e5xu
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Sep 23 20:29:50 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 23 Sep 2014 20:29:50 +0000
Subject: [RHSA-2014:1290-01] Important: Red Hat JBoss BRMS 6.0.3 update
Message-ID: <201409232029.s8NKToaP008534@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BRMS 6.0.3 update
Advisory ID:       RHSA-2014:1290-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1290.html
Issue date:        2014-09-23
CVE Names:         CVE-2013-2035 CVE-2013-6440 CVE-2014-0018 CVE-2014-0058 CVE-2014-0093 CVE-2014-0107
=====================================================================

1. Summary:

Red Hat JBoss BRMS 6.0.3, which fixes multiple security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.0.3 serves as a replacement for Red Hat JBoss BRMS 6.0.2, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BRMS 6.0.3 Release Notes for information on the most significant of these changes.
The Release Notes are available at https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2013-6440)

It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted. (CVE-2014-0093)

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

In Red Hat JBoss Enterprise Application Platform, when running under a security manager, it was possible for deployed code to get access to the Modular Service Container (MSC) service registry without any permission checks. This could allow malicious deployments to modify the internal state of the server in various ways. (CVE-2014-0018)

It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials. (CVE-2014-0058)

The CVE-2013-6440 issue was discovered by David Illsley, Ron Gutierrez of Gotham Digital Science, and David Jorm of Red Hat Product Security; the CVE-2014-0093 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team; the CVE-2013-2035 issue was discovered by Florian Weimer of Red Hat Product Security; and the CVE-2014-0018 issue was discovered by Stuart Douglas of Red Hat.

All users of Red Hat JBoss BRMS 6.0.2 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BRMS 6.0.3.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
1043332 - CVE-2013-6440 XMLTooling-J/OpenSAML Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter
1052783 - CVE-2014-0018 jboss-as-server: Unchecked access to MSC Service Registry under JSM
1063641 - CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security audit
1070046 - CVE-2014-0093 JBoss EAP 6: JSM policy not respected by deployed applications
1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-6440.html
https://www.redhat.com/security/data/cve/CVE-2014-0018.html
https://www.redhat.com/security/data/cve/CVE-2014-0058.html
https://www.redhat.com/security/data/cve/CVE-2014-0093.html
https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUIdg2XlSAg2UNWIIRAq5KAJ4oTl9IP6qS6qZjVc8CiRTEoPGwngCggGTU
hGhUF5yws1FGscZl91jVgbM=
=HoD4
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Tue Sep 23 20:30:05 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 23 Sep 2014 20:30:05 +0000
Subject: [RHSA-2014:1291-01] Important: Red Hat JBoss BPM Suite 6.0.3 update
Message-ID: <201409232030.s8NKU6pw001363@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BPM Suite 6.0.3 update
Advisory ID:       RHSA-2014:1291-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1291.html
Issue date:        2014-09-23
CVE Names:         CVE-2013-2035 CVE-2013-6440 CVE-2014-0018 CVE-2014-0058 CVE-2014-0093 CVE-2014-0107
=====================================================================

1. Summary:

Red Hat JBoss BPM Suite 6.0.3, which fixes multiple security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.0.3 serves as a replacement for Red Hat JBoss BPM Suite 6.0.2, and includes bug fixes and enhancements. Refer to the Red Hat JBoss BPM Suite 6.0.3 Release Notes for information on the most significant of these changes.
The Release Notes are available at https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

The following security issues are fixed with this release:

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2013-6440)

It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted. (CVE-2014-0093)

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp/ when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035)

In Red Hat JBoss Enterprise Application Platform, when running under a security manager, it was possible for deployed code to get access to the Modular Service Container (MSC) service registry without any permission checks. This could allow malicious deployments to modify the internal state of the server in various ways. (CVE-2014-0018)

It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials. (CVE-2014-0058)

The CVE-2013-6440 issue was discovered by David Illsley, Ron Gutierrez of Gotham Digital Science, and David Jorm of Red Hat Product Security; the CVE-2014-0093 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team; the CVE-2013-2035 issue was discovered by Florian Weimer of Red Hat Product Security; and the CVE-2014-0018 issue was discovered by Stuart Douglas of Red Hat.

All users of Red Hat JBoss BPM Suite 6.0.3 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.0.3.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

958618 - CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
1043332 - CVE-2013-6440 XMLTooling-J/OpenSAML Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter
1052783 - CVE-2014-0018 jboss-as-server: Unchecked access to MSC Service Registry under JSM
1063641 - CVE-2014-0058 Red Hat JBoss EAP6: Plain text password logging during security audit
1070046 - CVE-2014-0093 JBoss EAP 6: JSM policy not respected by deployed applications
1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-2035.html
https://www.redhat.com/security/data/cve/CVE-2013-6440.html
https://www.redhat.com/security/data/cve/CVE-2014-0018.html
https://www.redhat.com/security/data/cve/CVE-2014-0058.html
https://www.redhat.com/security/data/cve/CVE-2014-0093.html
https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BPM_Suite/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
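The XXE flaw in OpenSAML's ParserPool and Decrypter (CVE-2013-6440) and the Xalan-Java secure-processing bypass (CVE-2014-0107), described identically in this BPM Suite advisory and in the BRMS advisory above, are both cases of an XML layer honouring features that untrusted input should never be allowed to use. The Java class below is an added example, not code from Red Hat, OpenSAML or Xalan, showing how an application that builds its own JAXP parsers and XSLT transformers locks those features down; the class and method names and the sample documents are constructed for this illustration, while the feature URIs and XMLConstants fields are the standard JAXP/Xerces ones. Updating the components remains the fix: in the vulnerable Xalan version the secure-processing feature was itself the control that was bypassed, so this configuration is defence in depth on top of the update, not a substitute for it.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hardened JAXP configuration (constructed example; not part of the advisory or any JBoss project). */
public final class HardenedXml {

    /**
     * DOM parser factory with every external-entity path closed.
     * A parser pool that leaves these at their defaults, as the advisory
     * describes for OpenSAML (CVE-2013-6440), will resolve file: and http:
     * entities declared in an attacker-supplied SAML document.
     */
    public static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refusing any DOCTYPE is the decisive XXE control: without a DTD
        // there is nowhere in the document to declare an external entity.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a deployment re-enables DOCTYPEs for a legitimate DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /**
     * XSLT factory that refuses external DTDs and external stylesheets.
     * For CVE-2014-0107 the secure-processing feature itself was bypassable
     * in the old Xalan, so this only helps once the component is updated.
     */
    public static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties (Java 7u40 and later): an empty string denies all protocols.
        // An old Xalan on the classpath rejects them with IllegalArgumentException,
        // which is itself a useful signal that the XSLT engine predates these controls.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Parses untrusted XML with the hardened factory; returns null when the document is refused. */
    public static Document parseUntrusted(String xml) {
        try {
            DocumentBuilder db = hardenedDocumentBuilderFactory().newDocumentBuilder();
            return db.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            // A document carrying a DOCTYPE fails here, before any entity could be resolved.
            return null;
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException("XML parser could not be configured", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document declaring an external entity; the path is a placeholder.
        String withExternalEntity = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>"
                + "<r>&ext;</r>";
        // Constructed sample: a plain document with no DTD at all.
        String benign = "<?xml version=\"1.0\"?><r>hello</r>";

        System.out.println("document with external entity refused: " + (parseUntrusted(withExternalEntity) == null));
        System.out.println("benign document parsed: " + (parseUntrusted(benign) != null));
        hardenedTransformerFactory(); // throws if the XSLT engine in use cannot be locked down
    }
}
```

The same hardening belongs in any code path that hands an XML parser to a library on the application's behalf, since a library such as OpenSAML only sees whatever parser configuration it is given or creates for itself.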
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUIdhIXlSAg2UNWIIRAtXAAKCf/qAkjtvFicR/4/UcqRZ/r25GpgCfVHNP XShmePJH99ZaxIuK2Iqt0jI= =sXdy -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Sep 24 16:59:08 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 24 Sep 2014 16:59:08 +0000 Subject: [RHSA-2014:1297-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.3 openssl security update Message-ID: <201409241659.s8OGx8M7019454@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.3 openssl security update Advisory ID: RHSA-2014:1297-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1297.html Issue date: 2014-09-24 CVE Names: CVE-2014-3505 CVE-2014-3506 CVE-2014-3508 CVE-2014-3510 ===================================================================== 1. Summary: An update for the OpenSSL packages for Red Hat JBoss Enterprise Application Platform 6.3 that fixes multiple security issues is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols, as well as a full-strength, general purpose cryptography library. It was discovered that the OBJ_obj2txt() function could fail to properly NUL-terminate its output. 
This could possibly cause an application using OpenSSL functions to format fields of X.509 certificates to disclose portions of its memory. (CVE-2014-3508) Two flaws were discovered in the way OpenSSL handled DTLS packets. A remote attacker could use these flaws to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory. (CVE-2014-3505, CVE-2014-3506) A NULL pointer dereference flaw was found in the way OpenSSL performed a handshake when using the anonymous Diffie-Hellman (DH) key exchange. A malicious server could cause a DTLS client using OpenSSL to crash if that client had anonymous DH cipher suites enabled. (CVE-2014-3510) All users of Red Hat JBoss Enterprise Application Platform 6.3.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. 4. Bugs fixed (https://bugzilla.redhat.com/): 1127490 - CVE-2014-3508 openssl: information leak in pretty printing functions 1127499 - CVE-2014-3505 openssl: DTLS packet processing double free 1127500 - CVE-2014-3506 openssl: DTLS memory exhaustion 1127503 - CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service 5. References: https://www.redhat.com/security/data/cve/CVE-2014-3505.html https://www.redhat.com/security/data/cve/CVE-2014-3506.html https://www.redhat.com/security/data/cve/CVE-2014-3508.html https://www.redhat.com/security/data/cve/CVE-2014-3510.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.3 6. Contact: The Red Hat security contact is . 
More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUIvg8XlSAg2UNWIIRAs0zAJ9QyXiyAissuTIRiek1ctgMye9PlQCfbT7n ukDftREdzf34uprOJq9gJnA= =+lHX -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Sep 24 17:01:52 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 24 Sep 2014 17:01:52 +0000 Subject: [RHSA-2014:1298-01] Moderate: Red Hat JBoss Data Grid 6.3.1 update Message-ID: <201409241701.s8OH1qxF021605@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Data Grid 6.3.1 update Advisory ID: RHSA-2014:1298-01 Product: Red Hat JBoss Data Grid Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1298.html Issue date: 2014-09-24 CVE Names: CVE-2014-3490 ===================================================================== 1. Summary: Red Hat JBoss Data Grid 6.3.1, which fixes one security issue and multiple bugs, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 6.3.1 serves as a replacement for Red Hat JBoss Data Grid 6.3.0. It includes various bug fixes which are detailed in the Red Hat JBoss Data Grid 6.3.1 Release Notes. 
The Release Notes are available at: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/ This update also fixes the following security issue: It was found that the external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490) The CVE-2014-3490 issue was discovered by David Jorm of Red Hat Product Security. All users of Red Hat JBoss Data Grid 6.3.0 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss Data Grid 6.3.1. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Data Grid installation. 4. Bugs fixed (https://bugzilla.redhat.com/): 1107901 - CVE-2014-3490 RESTEasy: XXE via parameter entities 5. References: https://www.redhat.com/security/data/cve/CVE-2014-3490.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=6.3.1 https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/ 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUIvhmXlSAg2UNWIIRAsrDAKCo0BQdmo7ohT8Fe74ha7Z1zzmKZACfYNZW aQ04NZ9L6pRpEEIOVBK1D4U= =WX0S -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Sep 29 20:36:23 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 29 Sep 2014 20:36:23 +0000 Subject: [RHSA-2014:1320-01] Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update Message-ID: <201409292036.s8TKaNMn022134@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update Advisory ID: RHSA-2014:1320-01 Product: Red Hat JBoss Web Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1320.html Issue date: 2014-09-29 CVE Names: CVE-2012-6153 CVE-2014-3577 ===================================================================== 1. Summary: Updated packages for Red Hat JBoss Enterprise Web Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Platform 5 for RHEL 4 AS - noarch Red Hat JBoss Web Platform 5 for RHEL 4 ES - noarch Red Hat JBoss Web Platform 5 for RHEL 5 Server - noarch Red Hat JBoss Web Platform 5 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. 
It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153) It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing Red Hat JBoss Enterprise Web Platform 5 installation (including all applications and configuration files). This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1129074 - CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 1129916 - CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix 6. 
Package List: Red Hat JBoss Web Platform 5 for RHEL 4 AS: Source: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el4.src.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el4.src.rpm noarch: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el4.noarch.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-docs-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-examples-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-runtime-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm Red Hat JBoss Web Platform 5 for RHEL 4 ES: Source: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el4.src.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el4.src.rpm noarch: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el4.noarch.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-docs-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-examples-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-runtime-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm Red Hat JBoss Web Platform 5 for RHEL 5 Server: Source: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el5.src.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el5.src.rpm noarch: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el5.noarch.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el5.noarch.rpm jboss-seam2-docs-2.2.6.EAP5-22_patch_01.ep5.el5.noarch.rpm jboss-seam2-examples-2.2.6.EAP5-22_patch_01.ep5.el5.noarch.rpm jboss-seam2-runtime-2.2.6.EAP5-22_patch_01.ep5.el5.noarch.rpm Red Hat JBoss Web Platform 5 for RHEL 6 Server: Source: jakarta-commons-httpclient-3.1-4_patch_02.el6_5.src.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.el6.src.rpm noarch: jakarta-commons-httpclient-3.1-4_patch_02.el6_5.noarch.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.el6.noarch.rpm jboss-seam2-docs-2.2.6.EAP5-22_patch_01.el6.noarch.rpm jboss-seam2-examples-2.2.6.EAP5-22_patch_01.el6.noarch.rpm jboss-seam2-runtime-2.2.6.EAP5-22_patch_01.el6.noarch.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-6153.html https://www.redhat.com/security/data/cve/CVE-2014-3577.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/solutions/1165533 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUKcGbXlSAg2UNWIIRAtzOAJ9llLcQvfT6ldToaWi73lLQHjH4+ACgosh5 /vxAb9LkH5fmXAl6V5wfCZw= =icdH -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Sep 29 20:36:47 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 29 Sep 2014 20:36:47 +0000 Subject: [RHSA-2014:1321-01] Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update Message-ID: <201409292036.s8TKalwZ009925@int-mx13.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update Advisory ID: RHSA-2014:1321-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1321.html Issue date: 2014-09-29 CVE Names: CVE-2012-6153 CVE-2014-3577 ===================================================================== 1. Summary: Updated packages for Red Hat JBoss Enterprise Application Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. 
Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153) It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing Red Hat JBoss Enterprise Application Platform 5 installation (including all applications and configuration files). This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. 
Bugs fixed (https://bugzilla.redhat.com/): 1129074 - CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 1129916 - CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix 6. Package List: Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS: Source: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el4.src.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el4.src.rpm noarch: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el4.noarch.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-docs-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-examples-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-runtime-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES: Source: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el4.src.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el4.src.rpm noarch: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el4.noarch.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-docs-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-examples-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm jboss-seam2-runtime-2.2.6.EAP5-22_patch_01.ep5.el4.noarch.rpm Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server: Source: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el5.src.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el5.src.rpm noarch: jakarta-commons-httpclient-3.1-4_patch_02.ep5.el5.noarch.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.ep5.el5.noarch.rpm jboss-seam2-docs-2.2.6.EAP5-22_patch_01.ep5.el5.noarch.rpm jboss-seam2-examples-2.2.6.EAP5-22_patch_01.ep5.el5.noarch.rpm jboss-seam2-runtime-2.2.6.EAP5-22_patch_01.ep5.el5.noarch.rpm Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server: Source: jakarta-commons-httpclient-3.1-4_patch_02.el6_5.src.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.el6.src.rpm noarch: 
jakarta-commons-httpclient-3.1-4_patch_02.el6_5.noarch.rpm jboss-seam2-2.2.6.EAP5-22_patch_01.el6.noarch.rpm jboss-seam2-docs-2.2.6.EAP5-22_patch_01.el6.noarch.rpm jboss-seam2-examples-2.2.6.EAP5-22_patch_01.el6.noarch.rpm jboss-seam2-runtime-2.2.6.EAP5-22_patch_01.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-6153.html https://www.redhat.com/security/data/cve/CVE-2014-3577.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/solutions/1165533 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUKcLXXlSAg2UNWIIRAgL9AJ0bvjTn7KxnjwAwC4Fchqkug/pO+ACggvhs PKkFWukwkh4QEkZ9t1PUC8M= =rzyc -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Sep 29 20:37:01 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 29 Sep 2014 20:37:01 +0000 Subject: [RHSA-2014:1322-01] Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update Message-ID: <201409292037.s8TKb10Z007518@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update Advisory ID: RHSA-2014:1322-01 Product: Red Hat JBoss Web Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1322.html Issue date: 2014-09-29 CVE Names: CVE-2012-6153 CVE-2014-3577 ===================================================================== 1. Summary: An update for Red Hat JBoss Enterprise Web Platform 5.2.0 that fixes two security issues is now available from the Red Hat Customer Portal. 
Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153) It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files). 4. Bugs fixed (https://bugzilla.redhat.com/): 1129074 - CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 1129916 - CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix 5. 
References: https://www.redhat.com/security/data/cve/CVE-2012-6153.html https://www.redhat.com/security/data/cve/CVE-2014-3577.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0 https://access.redhat.com/solutions/1165533 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUKcLoXlSAg2UNWIIRAnWHAJ9mf/DtdFm0hb7f7WUI0G7scJTBHQCfQbpa 3EK3RFORSXpoRk6hvxMnbhc= =LhW+ -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Sep 29 20:37:16 2014 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 29 Sep 2014 20:37:16 +0000 Subject: [RHSA-2014:1323-01] Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update Message-ID: <201409292037.s8TKbGIc007623@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update Advisory ID: RHSA-2014:1323-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1323.html Issue date: 2014-09-29 CVE Names: CVE-2012-6153 CVE-2014-3577 ===================================================================== 1. Summary: An update for Red Hat JBoss Enterprise Application Platform 5.2.0 that fixes two security issues is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. 
Description: Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153) It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files). 4. Bugs fixed (https://bugzilla.redhat.com/): 1129074 - CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 1129916 - CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix 5. 
References: https://www.redhat.com/security/data/cve/CVE-2012-6153.html https://www.redhat.com/security/data/cve/CVE-2014-3577.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.2.0 https://access.redhat.com/solutions/1165533 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUKcL3XlSAg2UNWIIRAsk9AJ0V8NaqEV/ZztJT9mXda0d3L+zWDgCdG3xH 4quyc8UTeK8ozM4pLQQsAgY= =ZRjx -----END PGP SIGNATURE-----
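The four advisories above (RHSA-2014:1320, 1321, 1322 and 1323) describe the same HttpClient weakness: the server host name was checked against a Common Name that had been pulled out of the subject field incorrectly. The public description of CVE-2014-3577 gives a "CN=" string planted inside another attribute of the distinguished name, such as the O field, as the trigger. The following is an added example, not code from the advisories, from Red Hat or from Apache HttpComponents: it shows a flat-string CN extraction of that kind next to one that parses the DN into its RDNs first, then applies the matching rules a client should use. The function names, the `naive_cn` illustration of the bug class and the certificate fields are all constructed for this example; no TLS connection or crypto library is involved, and the subject strings are in the RFC 2253 form that Java's `X500Principal.getName()` returns.

```python
"""Server-name verification against X.509 subject fields (added example).

No TLS or crypto library is used: subject DN strings and subjectAltName lists
are constructed inline in RFC 2253 form, so the logic runs offline.
"""
import ipaddress
import re

HEX = "0123456789abcdefABCDEF"


def naive_cn(subject_dn):
    """Flawed extraction in the spirit of CVE-2014-3577 (an assumed
    illustration of the bug class, not the vulnerable code itself): scan the
    DN as a flat string and return the first 'CN=' it contains, so a 'CN='
    planted inside another attribute's value is mistaken for the subject CN."""
    m = re.search(r"CN=([^,]+)", subject_dn)
    return m.group(1) if m else None


def parse_rdns(dn):
    """Parse an RFC 2253 DN string into (type, value) pairs.  Backslash
    escapes (\\, and \\XX hex) and double-quoted values are honoured, so a
    comma or 'CN=' inside a value never starts a new attribute."""
    attrs, buf, attr_type, quoted, i = [], [], None, False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            hex_pair = dn[i + 1:i + 3]
            if len(hex_pair) == 2 and all(h in HEX for h in hex_pair):
                buf.append(chr(int(hex_pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif not quoted and attr_type is None and c == "=":
            attr_type = "".join(buf).strip().upper()
            buf = []
        elif not quoted and c in ",;+":
            attrs.append((attr_type, "".join(buf).strip()))
            buf, attr_type = [], None
        else:
            buf.append(c)
        i += 1
    if attr_type is not None:
        attrs.append((attr_type, "".join(buf).strip()))
    return attrs


def subject_cn(subject_dn):
    """Return the most specific CN (the first one in RFC 2253 order), or
    None, using the parsed structure rather than a substring search."""
    for attr_type, value in parse_rdns(subject_dn):
        if attr_type == "CN":
            return value
    return None


def match_name(pattern, host):
    """RFC 6125 style DNS-ID comparison: case-insensitive, and a wildcard is
    accepted only as the entire left-most label, only with at least two
    labels after it, and only against exactly one host label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(host, subject_dn, san_dns=(), san_ip=()):
    """True if the certificate names `host`.  An IP literal must appear as an
    iPAddress SAN; otherwise dNSName SANs are authoritative when present and
    the subject CN is consulted only for certificates without any dNSName."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(a) == ip for a in san_ip)
    if san_dns:
        return any(match_name(name, host) for name in san_dns)
    cn = subject_cn(subject_dn)
    return cn is not None and match_name(cn, host)


# Constructed subject for the demonstration: the organisation value carries
# an escaped comma and a fake 'CN=' for a site the attacker does not own.
SPOOF_DN = r"O=foo\,CN=www.example.com,CN=attacker.example.net"

if __name__ == "__main__":
    print("naive CN  :", naive_cn(SPOOF_DN))                            # www.example.com
    print("parsed CN :", subject_cn(SPOOF_DN))                          # attacker.example.net
    print("verified  :", verify_hostname("www.example.com", SPOOF_DN))  # False
```

Run as a script, the flat-string extractor reports www.example.com for the spoofing certificate while the RDN-aware one reports attacker.example.net, and verification of www.example.com fails. In a real client the subject and subjectAltName values should come from the parsed certificate object rather than from any string rendering, dNSName entries take precedence over the CN, and a wildcard must never match an IP literal or more than one label; those are the checks the advisories' "specially crafted X.509 certificate" is aimed at.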