From bugzilla at redhat.com Thu Jul 7 17:47:41 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Jul 2016 13:47:41 -0400
Subject: [RHSA-2016:1389-01] Critical: Red Hat JBoss Fuse Service Works security update
Message-ID: <201607071747.u67Hlfme013688@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Fuse Service Works security update
Advisory ID:       RHSA-2016:1389-01
Product:           Red Hat JBoss Fuse Service Works
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1389
Issue date:        2016-07-07
CVE Names:         CVE-2016-2141
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Fuse Service Works.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure.

Security Fix(es):

* It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

This issue was discovered by Dennis Reed (Red Hat).

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1313589 - CVE-2016-2141 Authorization bypass in JGroups

5. References:

https://access.redhat.com/security/cve/CVE-2016-2141
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0
https://access.redhat.com/articles/2360521

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXfpW7XlSAg2UNWIIRAn75AJ9fdGxHjgJIlmOSo2NWVQMAfNbt+wCfZN9P
kjlyF1pOo6Rd15MvQylHuzA=
=4PZV
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Jul 13 19:49:05 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 13 Jul 2016 15:49:05 -0400
Subject: [RHSA-2016:1424-01] Moderate: Red Hat JBoss Fuse/A-MQ 6.2.1 security and bug fix update
Message-ID: <201607131949.u6DJn5La026685@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Fuse/A-MQ 6.2.1 security and bug fix update
Advisory ID:       RHSA-2016:1424-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1424
Issue date:        2016-07-13
CVE Names:         CVE-2016-0734 CVE-2016-0782
=====================================================================

1. Summary:

Red Hat JBoss Fuse and A-MQ 6.2.1 Rollup Patch 3, which fixes two security issues and includes several bug fixes and various enhancements, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission-critical applications.

This patch is an update to Red Hat JBoss Fuse 6.2.1 and Red Hat JBoss A-MQ 6.2.1. It includes several bug fixes, which are documented in the readme.txt file included with the patch files.

Security Fix(es):

* It was reported that the web-based administration console does not set the X-Frame-Options header in HTTP responses. This allows the console to be embedded in a frame or iframe, which could then be used to cause a user to perform an unintended action in the console. (CVE-2016-0734)

* It was found that the Apache ActiveMQ administration web console did not validate input correctly when creating a queue. An authenticated attacker could exploit this flaw via cross-site scripting and use it to access sensitive information or to mount further attacks. (CVE-2016-0782)

Refer to the readme.txt file included with the patch files for installation instructions.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1317516 - CVE-2016-0782 activemq: Cross-site scripting vulnerabilities in web console
1317520 - CVE-2016-0734 activemq: Clickjacking in Web Console

5. References:

https://access.redhat.com/security/cve/CVE-2016-0734
https://access.redhat.com/security/cve/CVE-2016-0782
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.2.1
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.2.1

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXhpswXlSAg2UNWIIRAisjAJsG9br7eUjvXFeKmU4weY0+ANFyzwCdHnuJ
j/k4C4djIpvW6L6Ek+ncAoQ=
=7RFX
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 14 17:57:38 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Jul 2016 13:57:38 -0400
Subject: [RHSA-2016:1428-01] Important: Red Hat JBoss BRMS 6.3.1 security and bug fix update
Message-ID: <201607141757.u6EHvccV021591@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BRMS 6.3.1 security and bug fix update
Advisory ID:       RHSA-2016:1428-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1428
Issue date:        2016-07-14
CVE Names:         CVE-2016-4999
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BRMS.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

Security Fix(es):

* A security flaw was found in the way Dashbuilder performed SQL data set lookup requests in the Data Set Authoring UI or the Displayer editor UI. A remote attacker could use this flaw to conduct SQL injection attacks via a specially crafted string filter parameter. (CVE-2016-4999)

This issue was discovered by David Gutierrez (Red Hat).

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1349990 - CVE-2016-4999 Dashbuilder: SQL Injection on data set lookup filters

5. References:

https://access.redhat.com/security/cve/CVE-2016-4999
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.3

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXh9KQXlSAg2UNWIIRAvVaAJ0dfBJSVf3/FbQh7kvrE6O5bPZLpACfft8p
FTeslNBTLf49zXZaRT6bPSY=
=duE4
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Jul 14 17:57:43 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Jul 2016 13:57:43 -0400
Subject: [RHSA-2016:1429-01] Important: Red Hat JBoss BPM Suite 6.3.1 security and bug fix update
Message-ID: <201607141757.u6EHvhAA013360@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BPM Suite 6.3.1 security and bug fix update
Advisory ID:       RHSA-2016:1429-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1429
Issue date:        2016-07-14
CVE Names:         CVE-2016-4999
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BPM Suite.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

Security Fix(es):

* A security flaw was found in the way Dashbuilder performed SQL data set lookup requests in the Data Set Authoring UI or the Displayer editor UI. A remote attacker could use this flaw to conduct SQL injection attacks via a specially crafted string filter parameter. (CVE-2016-4999)

This issue was discovered by David Gutierrez (Red Hat).

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).
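The RHSA-2016:1428 and RHSA-2016:1429 entries above describe the same defect class: a user-supplied string filter value spliced into the text of a SQL data set lookup. The following Python example is added by the editor and is not Red Hat's or Dashbuilder's code; the sqlite table, its column names and the `lookup_*` functions are constructed for illustration. It places the defective pattern beside the bound-parameter form, and adds the LIKE-wildcard escaping that a "contains" style filter needs so that the value is matched literally rather than as a pattern.

```python
import sqlite3

# Constructed sample data standing in for a SQL-backed data set.
SAMPLE_ROWS = [
    (1, "EMEA", "alice", 120),
    (2, "EMEA", "bob", 75),
    (3, "APAC", "carol", 300),
    (4, "LATAM", "dave", 42),
]


def build_dataset():
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (id INTEGER, region TEXT, rep TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, region_filter):
    """The defect pattern: the filter string becomes part of the SQL text.

    A quote character in region_filter ends the literal early and the rest of
    the value is parsed as SQL, so the filter can change what the query selects.
    """
    sql = "SELECT id, rep, amount FROM sales WHERE region = '%s'" % region_filter
    return conn.execute(sql).fetchall()


def lookup_safe(conn, region_filter):
    """The fix: the value is bound as a parameter, never parsed as SQL.

    The driver sends the statement and the value separately, so quote
    characters in the filter are data and cannot alter the query structure.
    """
    sql = "SELECT id, rep, amount FROM sales WHERE region = ?"
    return conn.execute(sql, (region_filter,)).fetchall()


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters so a filter value is matched literally.

    Binding alone does not do this: '%' and '_' inside a bound LIKE pattern
    still act as wildcards, which lets a filter match far more than intended.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_like_safe(conn, rep_fragment):
    """A bound 'contains' filter on the rep column with wildcards escaped."""
    pattern = "%" + escape_like(rep_fragment) + "%"
    sql = "SELECT id, rep, amount FROM sales WHERE rep LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (pattern,)).fetchall()


if __name__ == "__main__":
    conn = build_dataset()
    crafted = "x' OR '1'='1"  # constructed filter value containing a quote
    print("unsafe, crafted filter:", lookup_unsafe(conn, crafted))   # every row
    print("safe, crafted filter:  ", lookup_safe(conn, crafted))     # no row
    print("safe contains 'a':     ", lookup_like_safe(conn, "a"))
    print("safe contains '%':     ", lookup_like_safe(conn, "%"))    # no row
```

In Java the same split between statement and value is what `PreparedStatement` with `setString` provides; the point of the example is that the fix is structural (the value never reaches the SQL parser), not a matter of stripping characters from the filter.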
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1349990 - CVE-2016-4999 Dashbuilder: SQL Injection on data set lookup filters

5. References:

https://access.redhat.com/security/cve/CVE-2016-4999
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.3

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXh9KVXlSAg2UNWIIRArFRAJ47REEpWCNVrsSflwcK1qJC2gt5CwCgmaxE
2zbbHlRfy+6/ySusOP+7iY4=
=LP3Y
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Jul 18 21:32:11 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Jul 2016 17:32:11 -0400
Subject: [RHSA-2016:1433-01] Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update
Message-ID: <201607182132.u6ILWBXq011290@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update
Advisory ID:       RHSA-2016:1433-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1433
Issue date:        2016-07-18
CVE Names:         CVE-2015-5174 CVE-2016-2141
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.8, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References.

Security Fix(es):

* It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

More information about this vulnerability is available at:
https://access.redhat.com/articles/2360521

* A directory traversal flaw was found in Tomcat's and JBoss Web's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
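The CVE-2015-5174 entry above concerns a '/..' segment surviving in a path handed to getResource, getResourceAsStream or getResourcePaths, so that the lookup lists the parent of the web application root. The following Python example is added by the editor and is not Tomcat's or JBoss Web's code; `resolve_resource`, `safe_join` and the temporary web application tree built by `demo` are constructed for illustration. It walks the requested path segment by segment and refuses any '..' that would climb above the root, then re-checks the resolved filesystem location so that a symbolic link inside the tree cannot reach outside it either.

```python
import os
import tempfile


def resolve_resource(path):
    """Canonicalise a ServletContext-style resource path such as '/WEB-INF/web.xml'.

    Returns the canonical path if it stays within the web application root, or
    None if the path is malformed or a '..' segment would climb above the root
    (the '/..' case described for CVE-2015-5174).
    """
    if not path.startswith("/") or "\0" in path:
        return None
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                return None  # nothing left to pop: this would list the parent of the root
            stack.pop()
            continue
        stack.append(segment)
    canonical = "/" + "/".join(stack)
    # Keep a trailing slash: getResourcePaths-style callers treat it as a directory.
    if path.endswith("/") and stack:
        canonical += "/"
    return canonical


def safe_join(root_dir, resource_path):
    """Map a resource path onto the filesystem below root_dir.

    Two layers: the textual check in resolve_resource, then a realpath
    comparison so that a symbolic link inside the tree cannot redirect the
    lookup outside root_dir. Returns the absolute path, or None if refused.
    """
    canonical = resolve_resource(resource_path)
    if canonical is None:
        return None
    real_root = os.path.realpath(root_dir)
    candidate = os.path.realpath(os.path.join(real_root, canonical.lstrip("/")))
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


def demo():
    """Build a constructed web application tree and run sample lookups.

    Returns a dict mapping each requested path to True (served) or False (refused).
    """
    root = tempfile.mkdtemp(prefix="webapp-")
    os.makedirs(os.path.join(root, "WEB-INF"))
    with open(os.path.join(root, "WEB-INF", "web.xml"), "w") as fh:
        fh.write("<web-app/>\n")
    # A symlink pointing above the tree, as a carelessly packaged deployment might contain.
    os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    requests = [
        "/WEB-INF/web.xml",
        "/static/../WEB-INF/web.xml",  # '..' that stays inside the root: served
        "/..",                         # parent of the root: refused
        "/WEB-INF/../../",             # climbs past the root: refused
        "WEB-INF/web.xml",             # no leading slash: malformed, refused
        "/escape/",                    # symlink resolving outside the root: refused
    ]
    return {req: safe_join(root, req) is not None for req in requests}


if __name__ == "__main__":
    for req, served in demo().items():
        print("%-28s %s" % (req, "served" if served else "refused"))
```

The segment walk is deliberately not `os.path.normpath`: that function silently turns '/..' into '/', which hides exactly the request a defender wants to see rejected and logged.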
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

The JBoss server process must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1265698 - CVE-2015-5174 tomcat: URL Normalization issue
1313589 - CVE-2016-2141 Authorization bypass in JGroups
1343602 - RHEL6 RPMs: Upgrade jbossts to 4.17.34.Final-redhat-1
1343605 - RHEL6 RPMs: Upgrade jboss-msc to 1.1.6.Final-redhat-1
1343610 - RHEL6 RPMs: Upgrade hibernate4-validator to 4.3.3.Final-redhat-1
1343620 - RHEL6 RPMs: Upgrade jbossweb to 7.5.17.Final-redhat-1

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
apache-cxf-2.7.18-2.SP1_redhat_1.1.ep6.el6.src.rpm
glassfish-jsf-eap6-2.1.28-11.SP10_redhat_1.1.ep6.el6.src.rpm
hibernate4-validator-4.3.3-1.Final_redhat_1.1.ep6.el6.src.rpm
hornetq-2.3.25-13.SP11_redhat_1.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cli-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-connector-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-http-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ejb3-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-host-controller-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jacorb-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxr-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jdr-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jmx-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jpa-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jsf-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jsr77-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-logging-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-mail-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-messaging-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-modcluster-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-naming-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-network-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-picketlink-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-remoting-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-sar-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-security-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-server-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-threads-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-transactions-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-version-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-web-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-webservices-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-weld-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-xts-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-jsf-api_2.1_spec-2.1.28-6.SP2_redhat_1.1.ep6.el6.src.rpm
jboss-msc-1.1.6-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-appclient-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-bundles-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-core-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-domain-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-javadocs-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-modules-eap-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-product-eap-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-standalone-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.5.9-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossts-4.17.34-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossweb-7.5.17-1.Final_redhat_1.1.ep6.el6.src.rpm
picketlink-bindings-2.5.4-11.SP9_redhat_2.1.ep6.el6.src.rpm
picketlink-federation-2.5.4-11.SP9_redhat_2.1.ep6.el6.src.rpm
xalan-j2-eap6-2.7.1-11.redhat_11.1.ep6.el6.src.rpm

noarch:
apache-cxf-2.7.18-2.SP1_redhat_1.1.ep6.el6.noarch.rpm
glassfish-jsf-eap6-2.1.28-11.SP10_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-validator-4.3.3-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hornetq-2.3.25-13.SP11_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cli-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-connector-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-logging-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-mail-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-naming-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-network-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-picketlink-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-sar-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-security-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-server-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-threads-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-version-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-web-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-weld-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-xts-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-jsf-api_2.1_spec-2.1.28-6.SP2_redhat_1.1.ep6.el6.noarch.rpm
jboss-msc-1.1.6-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-appclient-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-bundles-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-core-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-domain-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-modules-eap-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-standalone-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.5.9-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossts-4.17.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossweb-7.5.17-1.Final_redhat_1.1.ep6.el6.noarch.rpm
picketlink-bindings-2.5.4-11.SP9_redhat_2.1.ep6.el6.noarch.rpm
picketlink-federation-2.5.4-11.SP9_redhat_2.1.ep6.el6.noarch.rpm
xalan-j2-eap6-2.7.1-11.redhat_11.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5174
https://access.redhat.com/security/cve/CVE-2016-2141
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/?version=6.4
https://access.redhat.com/articles/2360521

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXjUraXlSAg2UNWIIRAkU9AJ4jePgrd8uZxe4vvgUuuK5HJhgNxQCgh4SK
iZzVWub0xrtDQ9zTHBbPkqY=
=/rso
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Jul 18 21:32:46 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Jul 2016 17:32:46 -0400
Subject: [RHSA-2016:1434-01] Critical: Red Hat JBoss Enterprise Application Platform update
Message-ID: <201607182132.u6ILWk0q018225@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Enterprise Application Platform update
Advisory ID:       RHSA-2016:1434-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1434
Issue date:        2016-07-18
CVE Names:         CVE-2015-5174 CVE-2016-2141
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.8, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References.

Security Fix(es):

* It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

More information about this vulnerability is available at:
https://access.redhat.com/articles/2360521

* A directory traversal flaw was found in Tomcat's and JBoss Web's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

The JBoss server process must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1265698 - CVE-2015-5174 tomcat: URL Normalization issue
1313589 - CVE-2016-2141 Authorization bypass in JGroups
1343604 - RHEL7 RPMs: Upgrade jbossts to 4.17.34.Final-redhat-1
1343607 - RHEL7 RPMs: Upgrade jboss-msc to 1.1.6.Final-redhat-1
1343612 - RHEL7 RPMs: Upgrade hibernate4-validator to 4.3.3.Final-redhat-1
1343622 - RHEL7 RPMs: Upgrade jbossweb to 7.5.17.Final-redhat-1

6. Package List:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server:

Source:
apache-cxf-2.7.18-2.SP1_redhat_1.1.ep6.el7.src.rpm
glassfish-jsf-eap6-2.1.28-11.SP10_redhat_1.1.ep6.el7.src.rpm
hibernate4-validator-4.3.3-1.Final_redhat_1.1.ep6.el7.src.rpm
hornetq-2.3.25-13.SP11_redhat_1.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-cli-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-connector-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-controller-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-ee-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-logging-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-mail-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-naming-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-network-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-sar-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-security-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-server-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-threads-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-version-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-web-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-weld-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-xts-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-jsf-api_2.1_spec-2.1.28-6.SP2_redhat_1.1.ep6.el7.src.rpm jboss-msc-1.1.6-1.Final_redhat_1.1.ep6.el7.src.rpm jbossas-appclient-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-bundles-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-core-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-domain-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-javadocs-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-modules-eap-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-product-eap-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-standalone-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-welcome-content-eap-7.5.9-2.Final_redhat_2.1.ep6.el7.src.rpm jbossts-4.17.34-1.Final_redhat_1.1.ep6.el7.src.rpm jbossweb-7.5.17-1.Final_redhat_1.1.ep6.el7.src.rpm picketlink-bindings-2.5.4-11.SP9_redhat_2.1.ep6.el7.src.rpm picketlink-federation-2.5.4-11.SP9_redhat_2.1.ep6.el7.src.rpm xalan-j2-eap6-2.7.1-11.redhat_11.1.ep6.el7.src.rpm noarch: apache-cxf-2.7.18-2.SP1_redhat_1.1.ep6.el7.noarch.rpm glassfish-jsf-eap6-2.1.28-11.SP10_redhat_1.1.ep6.el7.noarch.rpm hibernate4-validator-4.3.3-1.Final_redhat_1.1.ep6.el7.noarch.rpm hornetq-2.3.25-13.SP11_redhat_1.1.ep6.el7.noarch.rpm jboss-as-appclient-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-cli-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-client-all-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-clustering-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-cmp-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-configadmin-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-connector-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-controller-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-controller-client-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-core-security-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-deployment-repository-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-deployment-scanner-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm 
jboss-as-domain-http-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-domain-management-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-ee-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-ee-deployment-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-ejb3-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-embedded-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-host-controller-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jacorb-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jaxr-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jaxrs-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jdr-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jmx-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jpa-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jsf-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jsr77-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-logging-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-mail-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-management-client-content-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-messaging-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-modcluster-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-naming-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-network-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-osgi-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-osgi-configadmin-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-osgi-service-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-picketlink-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-platform-mbean-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-pojo-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-process-controller-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-protocol-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-remoting-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-sar-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm 
jboss-as-security-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-jsf-api_2.1_spec-2.1.28-6.SP2_redhat_1.1.ep6.el7.noarch.rpm
jboss-msc-1.1.6-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-core-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.9-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossts-4.17.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossweb-7.5.17-1.Final_redhat_1.1.ep6.el7.noarch.rpm
picketlink-bindings-2.5.4-11.SP9_redhat_2.1.ep6.el7.noarch.rpm
picketlink-federation-2.5.4-11.SP9_redhat_2.1.ep6.el7.noarch.rpm
xalan-j2-eap6-2.7.1-11.redhat_11.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5174
https://access.redhat.com/security/cve/CVE-2016-2141
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/?version=6.4
https://access.redhat.com/articles/2360521

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

From bugzilla at redhat.com Mon Jul 18 21:32:54 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Jul 2016 17:32:54 -0400
Subject: [RHSA-2016:1432-01] Critical: jboss-ec2-eap security, bug fix, and enhancement update
Message-ID: <201607182132.u6ILWs8c000846@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis:          Critical: jboss-ec2-eap security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:1432-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1432
Issue date:        2016-07-18
CVE Names:         CVE-2015-5174 CVE-2016-2141
=====================================================================

1. Summary:

A jboss-ec2-eap update is now available for Red Hat JBoss Enterprise Application Platform 6.4.0 on Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.9.

Security Fix(es):

* It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

More information about this vulnerability is available at: https://access.redhat.com/articles/2360521

* A directory traversal flaw was found in Tomcat's and JBoss Web's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

The JBoss server process must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1265698 - CVE-2015-5174 tomcat: URL Normalization issue
1313589 - CVE-2016-2141 Authorization bypass in JGroups

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
jboss-ec2-eap-7.5.9-2.Final_redhat_2.ep6.el6.src.rpm

noarch:
jboss-ec2-eap-7.5.9-2.Final_redhat_2.ep6.el6.noarch.rpm
jboss-ec2-eap-samples-7.5.9-2.Final_redhat_2.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5174
https://access.redhat.com/security/cve/CVE-2016-2141
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/articles/2360521

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

From bugzilla at redhat.com Mon Jul 18 22:33:05 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 18 Jul 2016 22:33:05 +0000
Subject: [RHSA-2016:1435-01] Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update
Message-ID: <201607182233.u6IMX6nl026797@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update
Advisory ID:       RHSA-2016:1435-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1435.html
Issue date:        2016-07-18
CVE Names:         CVE-2015-5174 CVE-2016-2141
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform from the Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.8, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.4.9 Release Notes, linked to in the References.

Security Fix(es):

* It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

More information about this vulnerability is available at: https://access.redhat.com/articles/2360521

* A directory traversal flaw was found in Tomcat's and JBoss Web's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1265698 - CVE-2015-5174 tomcat: URL Normalization issue
1313589 - CVE-2016-2141 Authorization bypass in JGroups

5. References:

https://access.redhat.com/security/cve/CVE-2015-5174
https://access.redhat.com/security/cve/CVE-2016-2141
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4
https://access.redhat.com/articles/2360521

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

From bugzilla at redhat.com Wed Jul 27 15:30:00 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 27 Jul 2016 11:30:00 -0400
Subject: [RHSA-2016:1519-01] Critical: Red Hat JBoss Operations Network 3.3.6 update
Message-ID: <201607271530.u6RFU0IS004288@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Operations Network 3.3.6 update
Advisory ID:       RHSA-2016:1519-01
Product:           Red Hat JBoss Operations Network
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1519.html
Issue date:        2016-07-27
CVE Names:         CVE-2015-5220 CVE-2016-0800 CVE-2016-3737
=====================================================================

1. Summary:

Red Hat JBoss Operations Network 3.3 update 6, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.6 release serves as a replacement for JBoss Operations Network 3.3.5, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.

The following security issues are also fixed with this release:

It was discovered that sending a specially crafted HTTP request to the JON server would allow deserialization of that message without authentication. An attacker could use this flaw to cause remote code execution. (CVE-2016-3737)

It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)

A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800)

All users of JBoss Operations Network 3.3.5, as provided from the Red Hat Customer Portal, are advised to upgrade to JBoss Operations Network 3.3.6.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

Refer to the JBoss Operations Network 3.3.6 Release Notes for installation information.

4. Bugs fixed (https://bugzilla.redhat.com/):

1184000 - Bundles missing from the left list / bundle navigation tree
1186300 - java.lang.IllegalArgumentException:Invalid column widths (more widths than columns) [58%, *] error thrown in JBoss ON UI
1205429 - Platform's file system resources are blacklisted and all other child resources take 5 minutes to discover if NFS mount exists to host that is blocking RPC port
1206485 - JON favicon is not used
1207232 - Search bar placed over the main menu on navigating to Dashboards
1211341 - Browser session timeouts on pages where autorefresh is enabled
1212495 - Solaris10-Error in server log after Generate JDR Report operation
1213812 - After upgrade from JBoss ON 3.2 to 3.3, some rhq column families are unavailable and compaction operations fail
1218129 - Calltime metrics sort does not work properly
1232836 - NoResultException in server.log when deploying from resource content for war type != File (Deployment:AS7)
1253647 - jboss-on-agent-init-ec2 requires old package
1255597 - CVE-2015-5220 OOME from EAP 6 http management console
1257741 - First attempt of saving SNMP alert configurations is failed if UDP transport protocol is used
1261890 - Metrics are not properly updated/refreshed in JON UI
1264001 - JON UI fails to load metrics with the message "Cannot load metrics" while plugin container is restarting
1266356 - Commons HttpClient can hang during SSLHandshake
1268329 - The same user is able to upload bundle via 'Upload' but not via 'URL'
1272358 - When creating a big bundle via UI the wizard shows errors if user clicks Next button multiple times
1272473 - Confusing error shown in UI wizard when creating big bundle on oracle and hitting ORA-01691: unable to extend lob segment
1288455 - The data aggregation job in JBoss ON stopped due to unreachable storage node
1290436 - Invalid properties PARTITION_EVENT_PURGE and RESOURCE_CONFIG_HISTORY_PURGE appear on system setting page and prevent config from being saved
1295863 - The number of resources in All Groups/Compatible Groups page is not correct all the time
1297702 - Deletion of partition events in JBoss ON results in OutOfMemoryError when there is a million or more partition events to be deleted
1298144 - Missing "Event Detection" option from the drop down list when trying to create an alert using alert template
1299448 - Storage node heap size cannot be changed using JBoss ON UI
1301575 - apply-updates.bat in jon-server-3.3-update-04.zip only works reliably in the USA
1302322 - Secure server-agent communication using sslsocket incorrectly requires a truststore password
1306231 - Method SystemManager.setSystemSettings(settings) does not propagate LDAP changes into the RHQ Server's JAAS login modules
1306602 - Uninventory of resource leaves orphaned content data in the database
1308947 - Group Operation sequential execution list limited to 50 members
1309481 - Remote API is missing ability to retrieve and revert historic plug-in and resource configuration
1310593 - CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
1311140 - EAP7 - missing rt filter modules for eap7
1312847 - Report "Suspect Metrics" is empty for user in "All Resources" role
1317993 - Application fails to deploy on EAP7 when the rt filter is installed
1320478 - NPE in server.log Error persisting trait data
1323325 - rhqctl status can report storage node as ?running or ?down if locale does not support extended character sets
1324828 - pretty.print(null) fails
1328316 - Required fields in map-property does not prevent finishing the Resource Create Wizard
1333618 - CVE-2016-3737 JON: The agent/server communication deserializes data, and does not require authentication
1339301 - REST fetch of groups doesn't scale

5. References:

https://access.redhat.com/security/cve/CVE-2015-5220
https://access.redhat.com/security/cve/CVE-2016-0800
https://access.redhat.com/security/cve/CVE-2016-3737
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
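The EAP 6 advisories above list the fixed package builds (for example jbossweb-7.5.17-1.Final_redhat_1.1.ep6.el7). As an added example, not part of the advisories or of any Red Hat tooling, the following Python check compares `rpm -qa` output against a hand-copied subset of those NVRs using a simplified version of rpm's own version ordering; the installed NVRs in the sample are constructed, and `~`/`^` ordering is not implemented.

```python
import re

# (version, release) pairs copied from the EAP 6 for RHEL 7 package list in the
# advisories above; a hand-built subset for the example, not the full list.
FIXED_VR = {
    "jboss-as-web": ("7.5.9", "2.Final_redhat_2.1.ep6.el7"),
    "jbossweb": ("7.5.17", "1.Final_redhat_1.1.ep6.el7"),
    "jboss-msc": ("1.1.6", "1.Final_redhat_1.1.ep6.el7"),
    "jbossts": ("4.17.34", "1.Final_redhat_1.1.ep6.el7"),
    "hibernate4-validator": ("4.3.3", "1.Final_redhat_1.1.ep6.el7"),
}

# Constructed `rpm -qa` output for an un-patched host. The older NVRs are made
# up for the example; only the ones matching FIXED_VR come from the advisory.
SAMPLE_RPM_QA = """\
jboss-as-web-7.5.8-3.Final_redhat_3.1.ep6.el7.noarch
jbossweb-7.5.17-1.Final_redhat_1.1.ep6.el7.noarch
jboss-msc-1.1.5-2.Final_redhat_2.1.ep6.el7.noarch
hibernate4-validator-4.3.3-1.Final_redhat_1.1.ep6.el7.noarch
bash-4.2.46-20.el7_2.x86_64
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings roughly as rpmvercmp does:
    split into numeric and alphabetic runs, compare numerics as integers,
    alphas lexically, and rank a numeric run above an alphabetic one.
    Returns -1, 0 or 1. Simplified: no ~ or ^ handling."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1  # numeric segment is newer than alpha
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1  # leftover segments win
    return 0


def parse_nvra(line: str):
    """Split 'name-version-release.arch' into (name, version, release);
    returns None for lines that do not have that shape."""
    head = line.strip().rsplit(".", 1)
    if len(head) != 2:
        return None
    parts = head[0].rsplit("-", 2)
    return tuple(parts) if len(parts) == 3 else None


def outdated(rpm_qa_text: str):
    """Return [(name, installed 'ver-rel', fixed 'ver-rel')] for every
    package in FIXED_VR that is installed at an older build than the fix."""
    result = []
    for line in rpm_qa_text.splitlines():
        parsed = parse_nvra(line)
        if parsed is None or parsed[0] not in FIXED_VR:
            continue
        name, ver, rel = parsed
        fver, frel = FIXED_VR[name]
        # Version decides first; only on a tie does the release matter.
        if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
            result.append((name, f"{ver}-{rel}", f"{fver}-{frel}"))
    return result


if __name__ == "__main__":
    for name, have, want in outdated(SAMPLE_RPM_QA):
        print(f"{name}: installed {have}, fixed in {want}")
```

On a real host feed it the output of `rpm -qa` instead of the constructed sample; packages absent from `FIXED_VR` are ignored, so extend the dict from the advisory's package list for a full check.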