From bugzilla at redhat.com Wed Feb 3 15:04:33 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 3 Feb 2016 10:04:33 -0500
Subject: [RHSA-2016:0118-01] Critical: Red Hat JBoss Operations Network 3.3.5 update
Message-ID: <201602031504.u13F4Xx2027103@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Operations Network 3.3.5 update
Advisory ID:       RHSA-2016:0118-01
Product:           Red Hat JBoss Operations Network
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0118.html
Issue date:        2016-02-03
CVE Names:         CVE-2015-3253 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss Operations Network 3.3 update 5, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.5 release serves as a replacement for JBoss Operations Network 3.3.4, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.

The following security issues are also fixed with this release:

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2015-3253)

All users of JBoss Operations Network 3.3.4 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Operations Network 3.3.5.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

Refer to the JBoss Operations Network 3.3.5 Release Notes for installation information.

4. Bugs fixed (https://bugzilla.redhat.com/):

1158947 - Operations, configuration, monitoring are broken on rhq.ear/rhq-core-domain-ejb3.jar#rhqpu resource
1187680 - Error recalculating DynaGroups due to ResourceGroupAlreadyExistsException continues to be reported every 11 minutes
1203799 - Ant Contrib tasks not recognized in Bundle Deployer Tool
1206084 - Resource group cannot be deleted if more then one bundle version is deployed on it
1231199 - Upgrade on windows failed with "Could not verify that the node is up and running"
1234991 - Expose replication factor as a read-only value on the storage node topology cluster settings page
1243934 - CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure
1255196 - Event data purge job results in OutOfMemoryError when there are over 10 million events to be purged
1261907 - Metric chart in JON UI is not redrawn after it is first open
1269420 - Uninformative SQL error on insert on RHQ_CONFIG_DEF table when agent plug-in has a property name defined that exceeds 100 characters in length
1277389 - Default values for secure-socket-protocol parameters in rhq-server.properties and standalone-full.xml need updated to a valid protocol
1278215 - cassandra-jvm.properties.new includes Windows specific carriage return character "^M"
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
1293350 - Data Calc Job fails to complete when JBoss ON Server is set to DEBUG mode
1293368 - Some MeasurementData may not be processed by alerting

5. References:

https://access.redhat.com/security/cve/CVE-2015-3253
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWshb/XlSAg2UNWIIRAokRAJ9IPT7zIY9JjFo8+kZqnSPiMBywpgCgwYxf
3Mc0HgaOfXiXQ2M8coKM4/Q=
=5UQg
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 4 21:47:11 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Feb 2016 16:47:11 -0500
Subject: [RHSA-2016:0121-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update on RHEL 5
Message-ID: <201602042147.u14LlBhr006700@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update on RHEL 5
Advisory ID:       RHSA-2016:0121-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0121.html
Issue date:        2016-02-04
CVE Names:         CVE-2015-0254
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.6, fix several bugs, add various enhancements, and resolve one security issue are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 5 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.
The following security issue is addressed with this release:

It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allow arbitrary code execution. (CVE-2015-0254)

Note: Tag Library users may need to take additional steps after applying this update. Detailed instructions on the additional steps can be found here: https://access.redhat.com/solutions/1584363

Red Hat would like to thank David Jorm of IIX, and the Apache Software Foundation for reporting the CVE-2015-0254 flaw.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.5, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.4.6 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1198606 - CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
1275693 - RHEL5 RPMs: Upgrade httpserver to 1.0.6.Final-redhat-1
1286739 - RHEL5 RPMs: Upgrade hornetq to 2.3.25.SP7
1286837 - RHEL5 RPMs: Upgrade jboss-remote-naming to 1.0.12.Final-redhat-1
1289296 - RHEL5 RPMs: Upgrade infinispan to 5.2.17.Final-redhat-1
1289299 - RHEL5 RPMs: Upgrade jboss-remoting3 to 3.3.7.Final
1289305 - RHEL5 RPMs: Upgrade jgroups to 3.2.15.Final-redhat-1
1289625 - RHEL5 RPMs: Upgrade hibernate4-eap6 to 4.2.22.Final-redhat-1
1289749 - RHEL5 RPMs: Upgrade wss4j to 1.6.19.redhat-2
1290034 - RHEL5 RPMs: Upgrade jboss-jstl-api_1.2_spec to 1.0.9.Final-redhat-1
1290060 - RHEL5 RPMs: Upgrade apache-cxf to 2.7.18.redhat-1
1290813 - RHEL5 RPMs: Upgrade jbossws-cxf to 4.3.6.Final-redhat-1
1290818 - RHEL5 RPMs: Upgrade xml-security to 1.5.8.redhat-1
1298277 - RHEL5 RPMs: Upgrade ironjacamar-eap6 to 1.0.35.Final-redhat-1

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 5:

Source:
apache-cxf-2.7.18-1.redhat_1.1.ep6.el5.src.rpm
hibernate4-eap6-4.2.22-1.Final_redhat_1.1.ep6.el5.src.rpm
hibernate4-validator-4.3.2-3.Final_redhat_3.1.ep6.el5.src.rpm
hornetq-2.3.25-10.SP8_redhat_1.1.ep6.el5.src.rpm
httpserver-1.0.6-1.Final_redhat_1.1.ep6.el5.src.rpm
infinispan-5.2.17-1.Final_redhat_1.1.ep6.el5.src.rpm
ironjacamar-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-appclient-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-cli-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-client-all-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-clustering-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-cmp-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-connector-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-controller-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-controller-client-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-core-security-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-domain-http-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-domain-management-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-ee-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-ejb3-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-embedded-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-host-controller-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jacorb-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jaxr-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jdr-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jmx-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jpa-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jsf-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jsr77-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-logging-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-mail-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-messaging-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-modcluster-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-naming-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-network-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-osgi-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-picketlink-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-pojo-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-process-controller-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-protocol-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-remoting-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-sar-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-security-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-server-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-threads-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-transactions-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-version-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-web-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-webservices-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-weld-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-xts-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-jstl-api_1.2_spec-1.0.9-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-remote-naming-1.0.12-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-remoting3-3.3.7-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-appclient-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-bundles-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-core-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-domain-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-javadocs-7.5.6-2.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-modules-eap-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-product-eap-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-standalone-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.5.6-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossws-cxf-4.3.6-1.Final_redhat_1.1.ep6.el5.src.rpm
jgroups-3.2.15-1.Final_redhat_1.1.ep6.el5.src.rpm
wss4j-1.6.19-3.redhat_2.1.ep6.el5.src.rpm
xml-security-1.5.8-1.redhat_1.1.ep6.el5.src.rpm

noarch:
apache-cxf-2.7.18-1.redhat_1.1.ep6.el5.noarch.rpm
hibernate4-core-eap6-4.2.22-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-eap6-4.2.22-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-entitymanager-eap6-4.2.22-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-envers-eap6-4.2.22-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-infinispan-eap6-4.2.22-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-validator-4.3.2-3.Final_redhat_3.1.ep6.el5.noarch.rpm
hornetq-2.3.25-10.SP8_redhat_1.1.ep6.el5.noarch.rpm
httpserver-1.0.6-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-5.2.17-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-cachestore-jdbc-5.2.17-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-cachestore-remote-5.2.17-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-client-hotrod-5.2.17-1.Final_redhat_1.1.ep6.el5.noarch.rpm
infinispan-core-5.2.17-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-api-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-impl-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-spi-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-core-api-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-core-impl-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-jdbc-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-spec-api-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-validator-eap6-1.0.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-cli-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-connector-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-controller-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ee-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-logging-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-mail-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-naming-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-network-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-sar-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-security-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-server-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-threads-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-version-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-web-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-weld-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-xts-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-jstl-api_1.2_spec-1.0.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-remote-naming-1.0.12-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-remoting3-3.3.7-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-appclient-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-bundles-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-core-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-domain-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.5.6-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-modules-eap-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-standalone-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.5.6-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossws-cxf-4.3.6-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jgroups-3.2.15-1.Final_redhat_1.1.ep6.el5.noarch.rpm
wss4j-1.6.19-3.redhat_2.1.ep6.el5.noarch.rpm
xml-security-1.5.8-1.redhat_1.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-0254
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/solutions/1584363

8. Contact:

The Red Hat security contact is .

More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWs8bcXlSAg2UNWIIRAopKAJ4vn5CQL0WRrJnwoq6rA6ggX4y83ACgqwBU
hj1ySi2MB4KVeef/fvx/MTQ=
=322m
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Feb 4 21:47:51 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Feb 2016 16:47:51 -0500
Subject: [RHSA-2016:0122-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update on RHEL 6
Message-ID: <201602042147.u14LlpV4009044@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update on RHEL 6
Advisory ID:       RHSA-2016:0122-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0122.html
Issue date:        2016-02-04
CVE Names:         CVE-2015-0254
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.6, fix several bugs, add various enhancements, and resolve one security issue are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

The following security issue is addressed with this release:

It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allow arbitrary code execution. (CVE-2015-0254)

Note: Tag Library users may need to take additional steps after applying this update. Detailed instructions on the additional steps can be found here: https://access.redhat.com/solutions/1584363

Red Hat would like to thank David Jorm of IIX, and the Apache Software Foundation for reporting the CVE-2015-0254 flaw.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.5, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.4.6 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1198606 - CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
1275692 - RHEL6 RPMs: Upgrade httpserver to 1.0.6.Final-redhat-1
1286738 - RHEL6 RPMs: Upgrade hornetq to 2.3.25.SP7
1286836 - RHEL6 RPMs: Upgrade jboss-remote-naming to 1.0.12.Final-redhat-1
1289295 - RHEL6 RPMs: Upgrade infinispan to 5.2.17.Final-redhat-1
1289298 - RHEL6 RPMs: Upgrade jboss-remoting3 to 3.3.7.Final
1289304 - RHEL6 RPMs: Upgrade jgroups to 3.2.15.Final-redhat-1
1289624 - RHEL6 RPMs: Upgrade hibernate4-eap6 to 4.2.22.Final-redhat-1
1289748 - RHEL6 RPMs: Upgrade wss4j to 1.6.19.redhat-2
1290033 - RHEL6 RPMs: Upgrade jboss-jstl-api_1.2_spec to 1.0.9.Final-redhat-1
1290059 - RHEL6 RPMs: Upgrade apache-cxf to 2.7.18.redhat-1
1290812 - RHEL6 RPMs: Upgrade jbossws-cxf to 4.3.6.Final-redhat-1
1290817 - RHEL6 RPMs: Upgrade xml-security to 1.5.8.redhat-1
1298276 - RHEL6 RPMs: Upgrade ironjacamar-eap6 to 1.0.35.Final-redhat-1

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
apache-cxf-2.7.18-1.redhat_1.1.ep6.el6.src.rpm
hibernate4-eap6-4.2.22-1.Final_redhat_1.1.ep6.el6.src.rpm
hibernate4-validator-4.3.2-3.Final_redhat_3.1.ep6.el6.src.rpm
hornetq-2.3.25-10.SP8_redhat_1.1.ep6.el6.src.rpm
httpserver-1.0.6-1.Final_redhat_1.1.ep6.el6.src.rpm
infinispan-5.2.17-1.Final_redhat_1.1.ep6.el6.src.rpm
ironjacamar-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cli-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-connector-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-http-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ejb3-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-host-controller-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jacorb-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxr-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jdr-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jmx-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jpa-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jsf-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jsr77-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-logging-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-mail-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-messaging-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-modcluster-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-naming-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-network-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-picketlink-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-remoting-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-sar-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-security-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-server-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-threads-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-transactions-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-version-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-web-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-webservices-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-weld-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-xts-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-jstl-api_1.2_spec-1.0.9-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-remote-naming-1.0.12-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-remoting3-3.3.7-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-appclient-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-bundles-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-core-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-domain-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-javadocs-7.5.6-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-modules-eap-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-product-eap-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-standalone-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.5.6-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossws-cxf-4.3.6-1.Final_redhat_1.1.ep6.el6.src.rpm
jgroups-3.2.15-1.Final_redhat_1.1.ep6.el6.src.rpm
wss4j-1.6.19-3.redhat_2.1.ep6.el6.src.rpm
xml-security-1.5.8-1.redhat_1.1.ep6.el6.src.rpm

noarch:
apache-cxf-2.7.18-1.redhat_1.1.ep6.el6.noarch.rpm
hibernate4-core-eap6-4.2.22-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-eap6-4.2.22-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-entitymanager-eap6-4.2.22-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-envers-eap6-4.2.22-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-infinispan-eap6-4.2.22-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-validator-4.3.2-3.Final_redhat_3.1.ep6.el6.noarch.rpm
hornetq-2.3.25-10.SP8_redhat_1.1.ep6.el6.noarch.rpm
httpserver-1.0.6-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-5.2.17-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-cachestore-jdbc-5.2.17-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-cachestore-remote-5.2.17-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-client-hotrod-5.2.17-1.Final_redhat_1.1.ep6.el6.noarch.rpm
infinispan-core-5.2.17-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-common-api-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-common-impl-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-common-spi-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-core-api-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-core-impl-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-jdbc-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-spec-api-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-validator-eap6-1.0.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cli-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-connector-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-logging-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-mail-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-naming-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-network-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-picketlink-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-sar-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-security-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-server-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-threads-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-version-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-web-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-weld-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-xts-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-jstl-api_1.2_spec-1.0.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-remote-naming-1.0.12-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-remoting3-3.3.7-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-appclient-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-bundles-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-core-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-domain-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.5.6-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-modules-eap-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-standalone-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.5.6-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossws-cxf-4.3.6-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jgroups-3.2.15-1.Final_redhat_1.1.ep6.el6.noarch.rpm
wss4j-1.6.19-3.redhat_2.1.ep6.el6.noarch.rpm
xml-security-1.5.8-1.redhat_1.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-0254
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/solutions/1584363

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWs8cFXlSAg2UNWIIRAqIWAJ95hT+BkOuYL9wBPe+nURbHeeH32wCgjUYa
p48HimU8cK7UddnBlZDwMWo=
=p0uD
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Feb  4 21:48:25 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Feb 2016 16:48:25 -0500
Subject: [RHSA-2016:0123-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update on RHEL 7
Message-ID: <201602042148.u14LmPAJ007263@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update on RHEL 7
Advisory ID:       RHSA-2016:0123-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0123.html
Issue date:        2016-02-04
CVE Names:         CVE-2015-0254
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application
Platform 6.4.6, fix several bugs, add various enhancements, and resolve
one security issue are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

The following security issue is addressed with this release:

It was found that the Java Standard Tag Library (JSTL) allowed the
processing of untrusted XML documents to utilize external entity
references, which could access resources on the host system and,
potentially, allow arbitrary code execution. (CVE-2015-0254)

Note: Tag Library users may need to take additional steps after applying
this update. Detailed instructions on the additional steps can be found
here: https://access.redhat.com/solutions/1584363

Red Hat would like to thank David Jorm of IIX, and the Apache Software
Foundation for reporting the CVE-2015-0254 flaw.

This release serves as a replacement for Red Hat JBoss Enterprise
Application Platform 6.4.5, and includes bug fixes and enhancements.
Documentation for these changes will be available shortly from the Red
Hat JBoss Enterprise Application Platform 6.4.6 Release Notes, linked to
in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red
Hat Enterprise Linux 7 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take
effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1198606 - CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
1275694 - RHEL7 RPMs: Upgrade httpserver to 1.0.6.Final-redhat-1
1286740 - RHEL7 RPMs: Upgrade hornetq to 2.3.25.SP7
1286838 - RHEL7 RPMs: Upgrade jboss-remote-naming to 1.0.12.Final-redhat-1
1289297 - RHEL7 RPMs: Upgrade infinispan to 5.2.16
1289300 - RHEL7 RPMs: Upgrade jboss-remoting3 to 3.3.7.Final
1289306 - RHEL7 RPMs: Upgrade jgroups to 3.2.15.Final-redhat-1
1289626 - RHEL7 RPMs: Upgrade hibernate4-eap6 to 4.2.22.Final-redhat-1
1289750 - RHEL7 RPMs: Upgrade wss4j to 1.6.19.redhat-2
1290035 - RHEL7 RPMs: Upgrade jboss-jstl-api_1.2_spec to 1.0.9.Final-redhat-1
1290061 - RHEL7 RPMs: Upgrade apache-cxf to 2.7.18.redhat-1
1290814 - RHEL7 RPMs: Upgrade jbossws-cxf to 4.3.6.Final-redhat-1
1290819 - RHEL7 RPMs: Upgrade xml-security to 1.5.8.redhat-1
1298278 - RHEL7 RPMs: Upgrade ironjacamar-eap6 to 1.0.35.Final-redhat-1

6. Package List:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server:

Source:
apache-cxf-2.7.18-1.redhat_1.1.ep6.el7.src.rpm
hibernate4-eap6-4.2.22-1.Final_redhat_1.1.ep6.el7.src.rpm
hibernate4-validator-4.3.2-3.Final_redhat_3.1.ep6.el7.src.rpm
hornetq-2.3.25-10.SP8_redhat_1.1.ep6.el7.src.rpm
httpserver-1.0.6-1.Final_redhat_1.1.ep6.el7.src.rpm
infinispan-5.2.17-1.Final_redhat_1.1.ep6.el7.src.rpm
ironjacamar-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-cli-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-connector-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-controller-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-ee-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-logging-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-mail-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-naming-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-network-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-sar-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-security-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-server-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-threads-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-version-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-web-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-weld-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-xts-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-jstl-api_1.2_spec-1.0.9-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-remote-naming-1.0.12-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-remoting3-3.3.7-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-appclient-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-bundles-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-core-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-domain-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-javadocs-7.5.6-2.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-modules-eap-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-product-eap-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-standalone-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-welcome-content-eap-7.5.6-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossws-cxf-4.3.6-1.Final_redhat_1.1.ep6.el7.src.rpm
jgroups-3.2.15-1.Final_redhat_1.1.ep6.el7.src.rpm
wss4j-1.6.19-3.redhat_2.1.ep6.el7.src.rpm
xml-security-1.5.8-1.redhat_1.1.ep6.el7.src.rpm

noarch:
apache-cxf-2.7.18-1.redhat_1.1.ep6.el7.noarch.rpm
hibernate4-core-eap6-4.2.22-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-eap6-4.2.22-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-entitymanager-eap6-4.2.22-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-envers-eap6-4.2.22-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-infinispan-eap6-4.2.22-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-validator-4.3.2-3.Final_redhat_3.1.ep6.el7.noarch.rpm
hornetq-2.3.25-10.SP8_redhat_1.1.ep6.el7.noarch.rpm
httpserver-1.0.6-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-5.2.17-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-cachestore-jdbc-5.2.17-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-cachestore-remote-5.2.17-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-client-hotrod-5.2.17-1.Final_redhat_1.1.ep6.el7.noarch.rpm
infinispan-core-5.2.17-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-api-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-impl-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-spi-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-core-api-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-core-impl-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-jdbc-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-spec-api-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-validator-eap6-1.0.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-appclient-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-cli-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-client-all-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-clustering-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-cmp-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-connector-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-controller-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-controller-client-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-core-security-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-deployment-repository-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-deployment-scanner-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-domain-http-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-domain-management-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-ee-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-ee-deployment-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-ejb3-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-embedded-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-host-controller-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jacorb-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jaxr-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jaxrs-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jdr-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jmx-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jpa-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jsf-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jsr77-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-logging-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-mail-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-management-client-content-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-messaging-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-modcluster-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-naming-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-network-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-osgi-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-osgi-configadmin-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-osgi-service-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-picketlink-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-platform-mbean-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-pojo-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-process-controller-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-protocol-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-remoting-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-sar-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-security-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-jstl-api_1.2_spec-1.0.9-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-remote-naming-1.0.12-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-remoting3-3.3.7-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-core-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.6-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossws-cxf-4.3.6-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jgroups-3.2.15-1.Final_redhat_1.1.ep6.el7.noarch.rpm
wss4j-1.6.19-3.redhat_2.1.ep6.el7.noarch.rpm
xml-security-1.5.8-1.redhat_1.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-0254
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/solutions/1584363

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWs8coXlSAg2UNWIIRAuvKAKDE7fJUBlz6mTsUdfy22WofFbppKwCeIaGo
4k26lJRYsAWuvRd164jZcSU=
=yj4Z
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Feb  4 21:48:33 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Feb 2016 16:48:33 -0500
Subject: [RHSA-2016:0124-01] Important: jboss-ec2-eap security and enhancement update for EAP 6.4.6
Message-ID: <201602042148.u14LmXMT014294@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jboss-ec2-eap security and enhancement update for EAP 6.4.6
Advisory ID:       RHSA-2016:0124-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0124.html
Issue date:        2016-02-04
CVE Names:         CVE-2015-0254
=====================================================================

1. Summary:

Updated jboss-ec2-eap packages that add one enhancement and resolve one
security issue are now available for Red Hat JBoss Enterprise
Application Platform 6.4.6 on Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
EE applications. It is based on JBoss Application Server 7 and
incorporates multiple open-source projects to provide a complete Java EE
platform solution.

It was found that the Java Standard Tag Library (JSTL) allowed the
processing of untrusted XML documents to utilize external entity
references, which could access resources on the host system and,
potentially, allow arbitrary code execution. (CVE-2015-0254)

Note: Tag Library users may need to take additional steps after applying
this update. Detailed instructions on the additional steps can be found
here: https://access.redhat.com/solutions/1584363

Red Hat would like to thank David Jorm of IIX, and the Apache Software
Foundation for reporting the CVE-2015-0254 flaw.

* The jboss-ec2-eap packages provide scripts for Red Hat JBoss
Enterprise Application Platform running on the Amazon Web Services (AWS)
Elastic Compute Cloud (EC2). With this update, the packages have been
updated to ensure compatibility with Red Hat JBoss Enterprise
Application Platform 6.4.6.

All users of EAP 6.4.5 jboss-ec2-eap are advised to upgrade to these
updated packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, make sure to back up
any modified configuration files, deployments, and all user data. After
applying the update, restart the instance of Red Hat JBoss Enterprise
Application Platform for the changes to take effect.

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1198606 - CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
jboss-ec2-eap-7.5.6-1.Final_redhat_1.ep6.el6.src.rpm

noarch:
jboss-ec2-eap-7.5.6-1.Final_redhat_1.ep6.el6.noarch.rpm
jboss-ec2-eap-samples-7.5.6-1.Final_redhat_1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-0254
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/solutions/1584363

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWs8cwXlSAg2UNWIIRAhCZAJ9NOrBsVc/vQU2BMpPXr+pW81qrzQCeL/8t
4G4QjznZShuKZdLliVWVNMs=
=3IbM
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Feb  4 21:48:40 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 4 Feb 2016 16:48:40 -0500
Subject: [RHSA-2016:0125-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update
Message-ID: <201602042148.u14Lmepw007359@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.6 update
Advisory ID:       RHSA-2016:0125-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0125.html
Issue date:        2016-02-04
CVE Names:         CVE-2015-0254
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application
Platform 6.4.6, fix several bugs, add various enhancements, and resolve
one security issue are now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

The following security issue is addressed with this release:

It was found that the Java Standard Tag Library (JSTL) allowed the
processing of untrusted XML documents to utilize external entity
references, which could access resources on the host system and,
potentially, allow arbitrary code execution. (CVE-2015-0254)

Note: Tag Library users may need to take additional steps after applying
this update. Detailed instructions on the additional steps can be found
here: https://access.redhat.com/solutions/1584363

Red Hat would like to thank David Jorm of IIX, and the Apache Software
Foundation for reporting the CVE-2015-0254 flaw.

This release serves as a replacement for Red Hat JBoss Enterprise
Application Platform 6.4.5, and includes bug fixes and enhancements.
Documentation for these changes will be available shortly from the Red
Hat JBoss Enterprise Application Platform 6.4.6 Release Notes, linked to
in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.4 are
advised to upgrade to these updated packages. The JBoss server process
must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you
must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation and deployed applications.

4. Bugs fixed (https://bugzilla.redhat.com/):

1198606 - CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags

5. References:

https://access.redhat.com/security/cve/CVE-2015-0254
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4
https://access.redhat.com/solutions/1584363

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWs8c3XlSAg2UNWIIRAuLNAJ9dwuRRPH6kSdgjuM4kPxX2Eb5IKQCfQl3O
cFjU6mMOVfSvZ/dBRbJg1zY=
=uVmZ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Feb 29 19:43:01 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 29 Feb 2016 14:43:01 -0500
Subject: [RHSA-2016:0321-01] Moderate: Red Hat JBoss Fuse 6.2.1 update
Message-ID: <201602291943.u1TJh1xZ017232@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Fuse 6.2.1 update
Advisory ID:       RHSA-2016:0321-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0321.html
Issue date:        2016-02-29
CVE Names:         CVE-2015-5253
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.2.1 Rollup Patch 1, which fixes one security issue
and includes several bug fixes and various enhancements, is now
available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate
security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available from the CVE link in the
References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a
small-footprint, flexible, open source enterprise service bus and
integration platform.

This patch is an update to Red Hat JBoss Fuse 6.2.1. It includes
several bug fixes, which are documented in the readme.txt file included
with the patch files.

The following security issue is addressed in this release:

It was found that Apache CXF permitted wrapping attacks in its support
for SAML SSO. A malicious user could construct a SAML response that
would bypass the login screen and possibly gain access to restricted
information or resources. (CVE-2015-5253)

Refer to the readme.txt file included with the patch files for
installation instructions.

All users of Red Hat JBoss Fuse 6.2.1 as provided from the Red Hat
Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you
must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1282411 - CVE-2015-5253 apache-cxf: SAML SSO processing is vulnerable to wrapping attack

5. References:

https://access.redhat.com/security/cve/CVE-2015-5253
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.2.1

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFW1J9DXlSAg2UNWIIRAjy1AJ91bYcZ24aOdVQtx/Mx4rg4+LfNTQCdGvlN
aESUtYoewCEYdqeE8seKAlc=
=RE71
-----END PGP SIGNATURE-----
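The RPM-channel advisories above (RHSA-2016:0123 and RHSA-2016:0124, plus the RHEL 6 package list at the top of this section) fix CVE-2015-0254 by shipping new builds, so the check an administrator wants after applying them is that every affected package installed on the host is at or above the advisory's fixed build. The following is an added example and not Red Hat tooling: a Python port of rpm's own version comparison (rpmvercmp, with the tilde pre-release operator; the newer caret operator is left out) applied to an `rpm -qa` listing. The fixed builds are copied from the RHEL 7 noarch list of RHSA-2016:0123; the installed listing, including the older jboss-jstl-api_1.2_spec build, is constructed for the example, and the listing is assumed to be `rpm -qa`'s default name-version-release.arch format, which omits the epoch.

```python
"""Check installed RPM builds against the fixed builds of an RHSA.

Added example. rpmvercmp() is a Python port of rpm's version comparison;
FIXED_EL7 is taken from RHSA-2016:0123, RPM_QA_SAMPLE is constructed.
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does.

    Returns 1 if a is newer, -1 if older, 0 if equal. The tilde operator
    is handled; the newer caret operator is not and is treated as a
    separator here.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including the end of the string.
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        start_a, start_b = i, j
        numeric = a[i].isdigit()
        if numeric:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:
            # Segment types differ: a numeric segment is newer than an alpha one.
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has data left is the newer one.
    return -1 if i >= len(a) else 1


def evr_cmp(ver_a: str, rel_a: str, ver_b: str, rel_b: str) -> int:
    """Compare version, then release (epochs assumed equal or absent)."""
    c = rpmvercmp(ver_a, ver_b)
    return c if c else rpmvercmp(rel_a, rel_b)


def split_nvra(pkg: str):
    """Split 'name-version-release.arch' (rpm -qa default output) into parts."""
    nvr, _, arch = pkg.rpartition(".")
    nv, _, rel = nvr.rpartition("-")
    name, _, ver = nv.rpartition("-")
    return name, ver, rel, arch


# Fixed builds, from the RHEL 7 noarch list of RHSA-2016:0123.
FIXED_EL7 = {
    "jboss-jstl-api_1.2_spec": ("1.0.9", "1.Final_redhat_1.1.ep6.el7"),
    "jboss-as-web": ("7.5.6", "1.Final_redhat_2.1.ep6.el7"),
    "apache-cxf": ("2.7.18", "1.redhat_1.1.ep6.el7"),
    "xml-security": ("1.5.8", "1.redhat_1.1.ep6.el7"),
    "hornetq": ("2.3.25", "10.SP8_redhat_1.1.ep6.el7"),
}

# Constructed `rpm -qa` output: the JSTL package on a constructed older build,
# three packages at the fixed build, apache-cxf not installed at all.
RPM_QA_SAMPLE = """\
jboss-jstl-api_1.2_spec-1.0.8-1.Final_redhat_1.1.ep6.el7.noarch
jboss-as-web-7.5.6-1.Final_redhat_2.1.ep6.el7.noarch
xml-security-1.5.8-1.redhat_1.1.ep6.el7.noarch
hornetq-2.3.25-10.SP8_redhat_1.1.ep6.el7.noarch
"""


def audit(rpm_qa_output: str, fixed: dict) -> dict:
    """Map each package in `fixed` to 'ok', 'VULNERABLE' or 'not installed'."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, ver, rel, _arch = split_nvra(line.strip())
            installed[name] = (ver, rel)
    verdict = {}
    for name, (fixed_ver, fixed_rel) in fixed.items():
        if name not in installed:
            verdict[name] = "not installed"
        elif evr_cmp(*installed[name], fixed_ver, fixed_rel) < 0:
            verdict[name] = "VULNERABLE"
        else:
            verdict[name] = "ok"
    return verdict


if __name__ == "__main__":
    for name, state in sorted(audit(RPM_QA_SAMPLE, FIXED_EL7).items()):
        print(f"{state:14} {name}")
```

On a real host, feed `audit()` the output of `rpm -qa` and the full package list of the advisory that applies to that channel (el6 or el7); the RHSA-2016:0125 zip distribution is not visible to rpm and has to be checked against the Release Notes instead. Comparing with rpmvercmp rather than string order matters for builds such as `1.0.10` versus `1.0.9` and for release tags like `10.SP8_redhat_1.1`.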
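CVE-2015-0254, described in each of the three EAP 6.4.6 advisories above, is an XML external entity (XXE) flaw: the JSTL XML tags processed attacker-supplied documents with external entity resolution enabled, so a document could pull in local files or remote resources. The example below is added here and is neither JSTL's code nor Red Hat's fix (the referenced solution 1584363 covers that); it shows, in Python with the standard library's expat binding, what a hardened consumer of untrusted XML does before handing the document on: it never resolves an external reference, and it reports, or simply rejects, any DOCTYPE, since that is where external SYSTEM entities and nested internal entities are declared. The three XML documents, including the `file:///etc/passwd` entity, are constructed for the example.

```python
"""Inspect untrusted XML for DOCTYPE and entity declarations before use.

Added example using Python's xml.parsers.expat; not JSTL's code. Nothing
external is ever fetched, so the XXE sample below is classified, not resolved.
"""
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised for a document that carries a DOCTYPE and so may declare entities."""


def inspect_xml(doc: bytes) -> dict:
    """Parse without resolving anything external and report what the DTD declares.

    Returns {'root': str or None, 'doctype': bool,
             'external_entities': [(name, system_id), ...],
             'internal_entities': [name, ...]}.
    """
    report = {"root": None, "doctype": False,
              "external_entities": [], "internal_entities": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = True
        if system_id:  # external DTD subset, e.g. <!DOCTYPE x SYSTEM "http://...">
            report["external_entities"].append(("<!DOCTYPE>", system_id))

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id is not None:  # <!ENTITY name SYSTEM "..."> is the XXE vector
            report["external_entities"].append((name, system_id))
        else:
            report["internal_entities"].append(name)

    def on_external_ref(context, base, system_id, public_id):
        # Refuse to fetch the entity; a true return tells expat to carry on.
        return 1

    def on_start(name, attrs):
        if report["root"] is None:
            report["root"] = name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(doc, True)
    return report


def require_no_doctype(doc: bytes) -> str:
    """Reject any document with a DOCTYPE; otherwise return the root element name."""
    report = inspect_xml(doc)
    if report["doctype"]:
        declared = report["external_entities"] or report["internal_entities"]
        raise UnsafeXml(f"DOCTYPE present; declares {declared}")
    return report["root"]


# Constructed samples.
BENIGN = b'<?xml version="1.0"?><catalog><book id="1">Hardening</book></catalog>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<foo>&xxe;</foo>')
NESTED = (b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;">]>'
          b'<lolz>&lol2;</lolz>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("xxe", XXE), ("nested", NESTED)):
        print(label, inspect_xml(sample))
```

Rejecting every DOCTYPE is the simplest robust policy for data that arrives over the network: it closes the external-entity vector of CVE-2015-0254 and the entity-expansion denial of service in one rule, and legitimate machine-to-machine XML rarely needs a DTD. Where a DOCTYPE must be tolerated, `inspect_xml()` still shows which declarations point outside the document.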
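CVE-2015-5253 in the Fuse advisory is an XML signature wrapping attack on SAML SSO: the response carries a valid signature over one assertion while the service provider reads its subject from another, unsigned one. The check below is an added example in Python and is not Apache CXF's code; it applies the structural rules that defeat wrapping regardless of which library does the cryptography: exactly one signature, referencing an ID that resolves to exactly one element, enveloped by that element, and that element must be the assertion (or the whole Response) the service provider goes on to consume. Signature value verification is assumed to run separately on exactly the element returned here; the SAML documents, including the `alice` and `admin` subjects, are constructed for the example.

```python
"""Structural anti-wrapping check for a SAML 2.0 Response.

Added example, not Apache CXF's code. Cryptographic verification of the
signature is out of scope and must be run on exactly the element returned.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class WrappingError(ValueError):
    """The signed element and the element the SP would consume do not coincide."""


def signed_assertion(response_xml: bytes) -> ET.Element:
    """Return the one assertion that is safe to consume, or raise WrappingError."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise WrappingError("root element is not samlp:Response")

    # Rule 1: exactly one signature anywhere in the document.
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise WrappingError("expected exactly one ds:Signature, found %d" % len(sigs))
    sig = sigs[0]

    # Rule 2: it references one element by #ID, and that ID is unique.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise WrappingError("signature must reference an element by #ID")
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:
        raise WrappingError("ID %r resolves to %d elements" % (uri[1:], len(matches)))
    signed = matches[0]

    # Rule 3: the signature is enveloped by the element it signs.
    if sig not in list(signed):
        raise WrappingError("signature is not a child of the element it references")

    # Rule 4: the assertion the SP consumes is the signed element itself (or a
    # child of a signed Response). Anything else is a wrapped, unsigned assertion.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise WrappingError("expected one top-level saml:Assertion, found %d" % len(assertions))
    consumed = assertions[0]
    if signed is not consumed and signed is not root:
        raise WrappingError("signed element is not the assertion being consumed")
    return consumed


def trusted_subject(response_xml: bytes) -> str:
    """NameID of the assertion that passed the structural checks."""
    name_id = signed_assertion(response_xml).find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise WrappingError("assertion has no NameID")
    return name_id.text


# Constructed documents (signature values are placeholders, never verified here).
_HEAD = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">')


def _assertion(aid: bytes, subject: bytes, signed: bool) -> bytes:
    sig = b""
    if signed:
        sig = (b'<ds:Signature><ds:SignedInfo><ds:Reference URI="#' + aid + b'"/>'
               + b'</ds:SignedInfo><ds:SignatureValue>c2lnbmVk</ds:SignatureValue>'
               + b'</ds:Signature>')
    return (b'<saml:Assertion ID="' + aid + b'"><saml:Subject><saml:NameID>' + subject
            + b'</saml:NameID></saml:Subject>' + sig + b'</saml:Assertion>')


# The IdP's genuine response for 'alice'.
LEGIT = _HEAD + _assertion(b"_a1", b"alice", True) + b"</samlp:Response>"

# Wrapping attack: the genuine signed assertion is moved into samlp:Extensions
# (its signature still verifies) and an unsigned 'admin' assertion is placed
# where the SP reads the subject from.
WRAPPED = (_HEAD + b"<samlp:Extensions>" + _assertion(b"_a1", b"alice", True)
           + b"</samlp:Extensions>" + _assertion(b"_evil", b"admin", False)
           + b"</samlp:Response>")

# Variant: the forged assertion reuses the signed ID so a naive ID lookup
# may land on either element.
ID_CLASH = (_HEAD + b"<samlp:Extensions>" + _assertion(b"_a1", b"alice", True)
            + b"</samlp:Extensions>" + _assertion(b"_a1", b"admin", False)
            + b"</samlp:Response>")

if __name__ == "__main__":
    print("legit ->", trusted_subject(LEGIT))
    for label, doc in (("wrapped", WRAPPED), ("id clash", ID_CLASH)):
        try:
            trusted_subject(doc)
        except WrappingError as exc:
            print(label, "rejected:", exc)
```

The order matters: the consumer must locate the signed element first and then read the subject from that very element, never look up the assertion by XPath and the signature separately. A signature library that reports "valid" for `WRAPPED` is telling the truth about the `alice` assertion; the bypass happens in the application code that then trusts `admin`.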