From bugzilla at redhat.com Thu Nov 3 17:54:22 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 3 Nov 2016 13:54:22 -0400
Subject: [RHSA-2016:2640-01] Important: JBoss Enterprise Application Platform 7.0.3 on RHEL 6
Message-ID: <201611031754.uA3HsM7v006013@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 7.0.3 on RHEL 6
Advisory ID:       RHSA-2016:2640-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2640.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-7046
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform
7.0.3, fix several bugs, and add various enhancements are now available for
Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is an application server
that serves as a middleware platform and is built on open standards and
compliant with the Java EE 7 specification.

This release serves as a replacement for Red Hat JBoss Enterprise
Application Platform 7.0.2. It includes bug fixes and enhancements. Refer to
the JBoss Enterprise Application Platform 7.0.3 Release Notes linked to in
the References section for information about the most significant bug fixes
and enhancements included in this release.

Security Fix(es):

* It was discovered that a long URL sent to an EAP 7 server operating as a
reverse proxy with default buffer sizes causes a denial of service.
(CVE-2016-7046)

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1376646 - CVE-2016-7046 undertow: Long URL proxy request lead to java.nio.BufferOverflowException and DoS

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-5590 - Tracker bug for the EAP 7.0.3 release for RHEL-6

7. Package List:

Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server:

Source:
eap7-hibernate-5.0.11-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jboss-remoting-4.0.21-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jboss-xnio-base-3.4.0-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-undertow-1.3.25-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-wildfly-7.0.3-4.GA_redhat_2.1.ep7.el6.src.rpm
eap7-wildfly-javadocs-7.0.3-2.GA_redhat_3.1.ep7.el6.src.rpm
eap7-xerces-j2-2.11.0-24.SP5_redhat_1.1.ep7.el6.src.rpm

noarch:
eap7-hibernate-5.0.11-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-hibernate-core-5.0.11-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-hibernate-entitymanager-5.0.11-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-hibernate-envers-5.0.11-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-hibernate-infinispan-5.0.11-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-hibernate-java8-5.0.11-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-jboss-remoting-4.0.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-jboss-xnio-base-3.4.0-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-undertow-1.3.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-wildfly-7.0.3-4.GA_redhat_2.1.ep7.el6.noarch.rpm
eap7-wildfly-javadocs-7.0.3-2.GA_redhat_3.1.ep7.el6.noarch.rpm
eap7-wildfly-modules-7.0.3-4.GA_redhat_2.1.ep7.el6.noarch.rpm
eap7-xerces-j2-2.11.0-24.SP5_redhat_1.1.ep7.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2016-7046
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/703-release-notes/
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/?version=7.0/

9. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYG3nMXlSAg2UNWIIRAlFDAKCDKPxGrc+j1b6oyfN13mNWfrb+7gCdEiId
vocvfHdBdEx8BHyq9Kf8PqY=
=7R69
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 3 17:54:37 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 3 Nov 2016 13:54:37 -0400
Subject: [RHSA-2016:2641-01] Important: JBoss Enterprise Application Platform 7.0.3 for RHEL 7
Message-ID: <201611031754.uA3Hsb4x006306@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 7.0.3 for RHEL 7
Advisory ID:       RHSA-2016:2641-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2641.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-7046
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform
7.0.3, fix several bugs, and add various enhancements are now available for
Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is an application server
that serves as a middleware platform and is built on open standards and
compliant with the Java EE 7 specification.

This release serves as a replacement for Red Hat JBoss Enterprise
Application Platform 7.0.2. It includes bug fixes and enhancements. Refer to
the JBoss Enterprise Application Platform 7.0.3 Release Notes linked to in
the References section for information about the most significant bug fixes
and enhancements included in this release.

Security Fix(es):

* It was discovered that a long URL sent to an EAP 7 server operating as a
reverse proxy with default buffer sizes causes a denial of service.
(CVE-2016-7046)

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1376646 - CVE-2016-7046 undertow: Long URL proxy request lead to java.nio.BufferOverflowException and DoS

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-5591 - Tracker bug for the EAP 7.0.3 release for RHEL-7

7. Package List:

Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server:

Source:
eap7-hibernate-5.0.11-1.Final_redhat_1.1.ep7.el7.src.rpm
eap7-jboss-remoting-4.0.21-1.Final_redhat_1.1.ep7.el7.src.rpm
eap7-jboss-xnio-base-3.4.0-1.Final_redhat_1.1.ep7.el7.src.rpm
eap7-undertow-1.3.25-1.Final_redhat_1.1.ep7.el7.src.rpm
eap7-wildfly-7.0.3-4.GA_redhat_2.1.ep7.el7.src.rpm
eap7-wildfly-javadocs-7.0.3-2.GA_redhat_3.1.ep7.el7.src.rpm
eap7-xerces-j2-2.11.0-24.SP5_redhat_1.1.ep7.el7.src.rpm

noarch:
eap7-hibernate-5.0.11-1.Final_redhat_1.1.ep7.el7.noarch.rpm
eap7-hibernate-core-5.0.11-1.Final_redhat_1.1.ep7.el7.noarch.rpm
eap7-hibernate-entitymanager-5.0.11-1.Final_redhat_1.1.ep7.el7.noarch.rpm
eap7-hibernate-envers-5.0.11-1.Final_redhat_1.1.ep7.el7.noarch.rpm
eap7-hibernate-infinispan-5.0.11-1.Final_redhat_1.1.ep7.el7.noarch.rpm
eap7-hibernate-java8-5.0.11-1.Final_redhat_1.1.ep7.el7.noarch.rpm
eap7-jboss-remoting-4.0.21-1.Final_redhat_1.1.ep7.el7.noarch.rpm
eap7-jboss-xnio-base-3.4.0-1.Final_redhat_1.1.ep7.el7.noarch.rpm
eap7-undertow-1.3.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm
eap7-wildfly-7.0.3-4.GA_redhat_2.1.ep7.el7.noarch.rpm
eap7-wildfly-javadocs-7.0.3-2.GA_redhat_3.1.ep7.el7.noarch.rpm
eap7-wildfly-modules-7.0.3-4.GA_redhat_2.1.ep7.el7.noarch.rpm
eap7-xerces-j2-2.11.0-24.SP5_redhat_1.1.ep7.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2016-7046
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/703-release-notes/
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0

9. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYG3nbXlSAg2UNWIIRAlxAAJwLylu7THCunNcSwQiZAV4gGEt7ZwCgpijZ
Bd0sEWIjP2RoDmcMRxX/XtE=
=F7Hd
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 3 17:54:52 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 3 Nov 2016 13:54:52 -0400
Subject: [RHSA-2016:2642-01] Important: jboss-ec2-eap package for EAP 7.0.3
Message-ID: <201611031754.uA3HsqQs032034@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jboss-ec2-eap package for EAP 7.0.3
Advisory ID:       RHSA-2016:2642-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2642.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-7046
=====================================================================

1. Summary:

The jboss-ec2-eap package that adds an enhancement is now available for Red
Hat JBoss Enterprise Application Platform 7.0.3 on Red Hat Enterprise Linux
6 and 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server - noarch
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server - noarch

3. Description:

The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss
Enterprise Application Platform running on the Amazon Web Services (AWS)
Elastic Compute Cloud (EC2).
With this update, the eap7-jboss-ec2-eap package has been updated to ensure
compatibility with Red Hat JBoss Enterprise Application Platform 7.0.3.

Refer to the JBoss Enterprise Application Platform 7.0.3 Release Notes,
linked to in the References section, for information about the most
significant bug fixes and enhancements included in this release.

Security Fix(es):

* It was discovered that a long URL sent to an EAP 7 server operating as a
reverse proxy with default buffer sizes causes a denial of service.
(CVE-2016-7046)

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1376646 - CVE-2016-7046 undertow: Long URL proxy request lead to java.nio.BufferOverflowException and DoS

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-5593 - jboss-ec2-eap for EAP 7.0.3

7. Package List:

Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server:

Source:
eap7-jboss-ec2-eap-7.0.3-3.GA_redhat_2.ep7.el6.src.rpm

noarch:
eap7-jboss-ec2-eap-7.0.3-3.GA_redhat_2.ep7.el6.noarch.rpm
eap7-jboss-ec2-eap-samples-7.0.3-3.GA_redhat_2.ep7.el6.noarch.rpm

Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server:

Source:
eap7-jboss-ec2-eap-7.0.3-3.GA_redhat_2.ep7.el7.src.rpm

noarch:
eap7-jboss-ec2-eap-7.0.3-3.GA_redhat_2.ep7.el7.noarch.rpm
eap7-jboss-ec2-eap-samples-7.0.3-3.GA_redhat_2.ep7.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2016-7046
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/703-release-notes/
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0

9. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYG3nrXlSAg2UNWIIRAsW3AJ9MsvrXGLViuBYGnT7kbw8JGJlj+ACfSxeL
svIZ8up3PaaXXuPnb1uBkGs=
=nMQU
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Nov 4 15:38:38 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 4 Nov 2016 11:38:38 -0400
Subject: [RHSA-2016:2657-01] Important: JBoss Enterprise Application Platform 7.0.3
Message-ID: <201611041538.uA4FccTp000369@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 7.0.3
Advisory ID:       RHSA-2016:2657-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2657.html
Issue date:        2016-11-04
CVE Names:         CVE-2016-7046
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform
7.0.3, fix several bugs, and add various enhancements are now available from
the Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 7 is an application server
that serves as a middleware platform and is built on open standards and
compliant with the Java EE 7 specification.

This release serves as an update for Red Hat JBoss Enterprise Application
Platform 7.0.2. It includes bug fixes and enhancements. Refer to the JBoss
Enterprise Application Platform 7.0.3 Release Notes for information about
the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* It was discovered that a long URL sent to an EAP 7 server operating as a
reverse proxy with default buffer sizes causes a denial of service.
(CVE-2016-7046)

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must
log in to download the update).

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1376646 - CVE-2016-7046 undertow: Long URL proxy request lead to java.nio.BufferOverflowException and DoS

5. References:

https://access.redhat.com/security/cve/CVE-2016-7046
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.0
https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/703-release-notes/

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYHKt9XlSAg2UNWIIRAkGuAJ0QOGlgA6cl4iaEnZaQW0bMsuW/RgCaAzWb
Am9GDqij/DsymBok4wbXKk8=
=zb2X
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 17 20:34:29 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 17 Nov 2016 15:34:29 -0500
Subject: [RHSA-2016:2807-01] Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7
Message-ID: <201611172034.uAHKYTRc008477@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7
Advisory ID:       RHSA-2016:2807-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2807.html
Issue date:        2016-11-17
CVE Names:         CVE-2015-5346 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714
                   CVE-2016-0763 CVE-2016-3092
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Web Server 2 for
RHEL 6 and Red Hat JBoss Enterprise Web Server 2 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server - noarch
Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server - noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

This release of Red Hat JBoss Web Server 2.1.2 serves as a replacement for
Red Hat JBoss Web Server 2.1.1. It contains security fixes for the Tomcat 7
component.
Only users of the Tomcat 7 component in JBoss Web Server need to apply the
fixes delivered in this release.

Security Fix(es):

* A CSRF flaw was found in the index pages of Tomcat's Manager and Host
Manager applications. These applications included a valid CSRF token when
issuing a redirect as a result of an unauthenticated request to the root of
the web application. This token could then be used by an attacker to perform
a CSRF attack. (CVE-2015-5351)

* It was found that several Tomcat session persistence mechanisms could
allow a remote, authenticated user to bypass intended SecurityManager
restrictions and execute arbitrary code in a privileged context via a web
application that placed a crafted object in a session. (CVE-2016-0714)

* A security manager bypass flaw was found in Tomcat that could allow
remote, authenticated users to access arbitrary application data,
potentially resulting in a denial of service. (CVE-2016-0763)

* A denial of service vulnerability was identified in Commons FileUpload
that occurred when the length of the multipart boundary was just below the
size of the buffer (4096 bytes) used to read the uploaded file, instead of
the typical tens of bytes. (CVE-2016-3092)

* A session fixation flaw was found in the way Tomcat recycled the
requestedSessionSSL field. If at least one web application was configured
to use the SSL session ID as the HTTP session ID, an attacker could reuse a
previously used session ID for further requests. (CVE-2015-5346)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by
a web application when a security manager was configured. This allowed a
web application to list all deployed web applications and expose sensitive
information such as session IDs. (CVE-2016-0706)

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1311076 - CVE-2015-5351 tomcat: CSRF token leak
1311082 - CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
1311085 - CVE-2015-5346 tomcat: Session fixation
1311087 - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service

6. Package List:

Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server:

Source:
tomcat7-7.0.54-23_patch_05.ep6.el6.src.rpm

noarch:
tomcat7-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-admin-webapps-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-docs-webapp-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-javadoc-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-lib-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-log4j-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-maven-devel-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-webapps-7.0.54-23_patch_05.ep6.el6.noarch.rpm

Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server:

Source:
tomcat7-7.0.54-23_patch_05.ep6.el7.src.rpm

noarch:
tomcat7-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-admin-webapps-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-docs-webapp-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-javadoc-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-lib-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-log4j-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-maven-devel-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-23_patch_05.ep6.el7.noarch.rpm
tomcat7-webapps-7.0.54-23_patch_05.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5346
https://access.redhat.com/security/cve/CVE-2015-5351
https://access.redhat.com/security/cve/CVE-2016-0706
https://access.redhat.com/security/cve/CVE-2016-0714
https://access.redhat.com/security/cve/CVE-2016-0763
https://access.redhat.com/security/cve/CVE-2016-3092
Security Impact: https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYLhRTXlSAg2UNWIIRAvcaAJ9ml7KcBXqvmlS2lx0cHS2qaoU0LQCeNeNV
JwKwO+xmVCmz7OeB9WAdtEQ=
=S+mN
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Nov 17 20:34:36 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 17 Nov 2016 15:34:36 -0500
Subject: [RHSA-2016:2808-01] Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7
Message-ID: <201611172034.uAHKYavX029282@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7
Advisory ID:       RHSA-2016:2808-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2808.html
Issue date:        2016-11-17
CVE Names:         CVE-2015-5346 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714
                   CVE-2016-0763 CVE-2016-3092
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat JBoss Web Server 2.1.2 serves as a replacement for
Red Hat JBoss Web Server 2.1.1. It contains security fixes for the Tomcat 7
component.

Only users of the Tomcat 7 component in JBoss Web Server need to apply the
fixes delivered in this release.

Security Fix(es):

* A CSRF flaw was found in the index pages of Tomcat's Manager and Host
Manager applications. These applications included a valid CSRF token when
issuing a redirect as a result of an unauthenticated request to the root of
the web application. This token could then be used by an attacker to perform
a CSRF attack. (CVE-2015-5351)

* It was found that several Tomcat session persistence mechanisms could
allow a remote, authenticated user to bypass intended SecurityManager
restrictions and execute arbitrary code in a privileged context via a web
application that placed a crafted object in a session. (CVE-2016-0714)

* A security manager bypass flaw was found in Tomcat that could allow
remote, authenticated users to access arbitrary application data,
potentially resulting in a denial of service. (CVE-2016-0763)

* A denial of service vulnerability was identified in Commons FileUpload
that occurred when the length of the multipart boundary was just below the
size of the buffer (4096 bytes) used to read the uploaded file, instead of
the typical tens of bytes. (CVE-2016-3092)

* A session fixation flaw was found in the way Tomcat recycled the
requestedSessionSSL field. If at least one web application was configured
to use the SSL session ID as the HTTP session ID, an attacker could reuse a
previously used session ID for further requests. (CVE-2015-5346)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by
a web application when a security manager was configured. This allowed a
web application to list all deployed web applications and expose sensitive
information such as session IDs. (CVE-2016-0706)

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1311076 - CVE-2015-5351 tomcat: CSRF token leak
1311082 - CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
1311085 - CVE-2015-5346 tomcat: Session fixation
1311087 - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service

5. References:

https://access.redhat.com/security/cve/CVE-2015-5346
https://access.redhat.com/security/cve/CVE-2015-5351
https://access.redhat.com/security/cve/CVE-2016-0706
https://access.redhat.com/security/cve/CVE-2016-0714
https://access.redhat.com/security/cve/CVE-2016-0763
https://access.redhat.com/security/cve/CVE-2016-3092
Security Impact: https://access.redhat.com/security/updates/classification/#important
Download: https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=distributions&version=2.1.2

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYLhRbXlSAg2UNWIIRAuZoAJ92QOEcH2r+d+mUPOuYo2dVoPXdbgCbBPMj
XC47HQfnTBvFHjwJaJTA/+o=
=ADFp
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Nov 28 17:56:11 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 28 Nov 2016 12:56:11 -0500
Subject: [RHSA-2016:2822-01] Moderate: Red Hat JBoss BPM Suite security update
Message-ID: <201611281756.uASHuBw3014099@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss BPM Suite security update
Advisory ID:       RHSA-2016:2822-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2822.html
Issue date:        2016-11-28
CVE Names:         CVE-2016-3674 CVE-2016-7041 CVE-2016-8608
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BPM Suite.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat JBoss BPM Suite 6.4.0 serves as a replacement for
Red Hat JBoss BPM Suite 6.3.4, and includes bug fixes and enhancements,
which are documented in the Release Notes of the patch linked to in the
References section.

Security Fix(es):

* It was found that several XML parsers used by XStream had default
settings that would expand entity references. A remote, unauthenticated
attacker could use this flaw to read files accessible to the user running
the application server, and potentially perform other more advanced XXE
attacks. (CVE-2016-3674)

* Drools Workbench contains a path traversal vulnerability.
The vulnerability allows a remote, authenticated attacker to bypass the
directory restrictions and retrieve arbitrary files from the affected host.
(CVE-2016-7041)

* JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via the
business process editor. The flaw is due to an incomplete fix for
CVE-2016-5398. Remote, authenticated attackers that have privileges to
create business processes can store scripts in them, which are not properly
sanitized before being shown to other users, including admins.
(CVE-2016-8608)

Red Hat would like to thank Jonas Bauters (NVISO) for reporting
CVE-2016-7041. The CVE-2016-8608 issue was discovered by Kirill Gaevskii
(Red Hat).

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1321789 - CVE-2016-3674 XStream: enabled processing of external entities
1375757 - CVE-2016-7041 Drools Workbench: Path traversal vulnerability
1386806 - CVE-2016-8608 Stored XSS in business process editor

5. References:

https://access.redhat.com/security/cve/CVE-2016-3674
https://access.redhat.com/security/cve/CVE-2016-7041
https://access.redhat.com/security/cve/CVE-2016-8608
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.4

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYPG+5XlSAg2UNWIIRAiOsAJ97ojg4ASxZN5WgX45fsCzCCEheiACfdSu6
RphJ8nLfommTsWoMaPl0vMQ=
=DYrH
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Nov 28 17:56:16 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 28 Nov 2016 12:56:16 -0500
Subject: [RHSA-2016:2823-01] Moderate: Red Hat JBoss BRMS security update
Message-ID: <201611281756.uASHuGBD001231@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss BRMS security update
Advisory ID:       RHSA-2016:2823-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2823.html
Issue date:        2016-11-28
CVE Names:         CVE-2016-3674 CVE-2016-7041 CVE-2016-8608
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BRMS.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat JBoss BRMS 6.4.0 serves as a replacement for Red
Hat JBoss BRMS 6.3.4, and includes bug fixes and enhancements, which are
documented in the Release Notes of the patch linked to in the References
section.

Security Fix(es):

* It was found that several XML parsers used by XStream had default
settings that would expand entity references. A remote, unauthenticated
attacker could use this flaw to read files accessible to the user running
the application server, and potentially perform other more advanced XXE
attacks. (CVE-2016-3674)

* Drools Workbench contains a path traversal vulnerability.
The vulnerability allows a remote, authenticated attacker to bypass the
directory restrictions and retrieve arbitrary files from the affected host.
(CVE-2016-7041)

* JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via the
business process editor. The flaw is due to an incomplete fix for
CVE-2016-5398. Remote, authenticated attackers that have privileges to
create business processes can store scripts in them, which are not properly
sanitized before being shown to other users, including admins.
(CVE-2016-8608)

Red Hat would like to thank Jonas Bauters (NVISO) for reporting
CVE-2016-7041. The CVE-2016-8608 issue was discovered by Kirill Gaevskii
(Red Hat).

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1321789 - CVE-2016-3674 XStream: enabled processing of external entities
1375757 - CVE-2016-7041 Drools Workbench: Path traversal vulnerability
1386806 - CVE-2016-8608 Stored XSS in business process editor

5. References:

https://access.redhat.com/security/cve/CVE-2016-3674
https://access.redhat.com/security/cve/CVE-2016-7041
https://access.redhat.com/security/cve/CVE-2016-8608
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.4

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYPG++XlSAg2UNWIIRAukRAJ9qOIYjIoSJRYncAVd5I3msh6nmQQCfcfgx
+A2+Y52Roj4KCzpTdFuW4S0=
=qV/f
-----END PGP SIGNATURE-----
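The package lists in the RPM-based advisories above state the exact fixed NVRs (name-version-release); the check a practitioner wants is whether an installed package is at or beyond them, and that needs rpm's own ordering rules rather than a string compare. The following Python is an added editor's example, not Red Hat code: it reimplements rpm's rpmvercmp ordering (the '^' marker is left out because none of these NVRs use it) and audits a constructed list of installed packages against fixed NVRs copied from RHSA-2016:2640 and RHSA-2016:2807; the installed NVRs are made-up sample data.

```python
import re

# Fixed NVRs copied from the package lists of RHSA-2016:2640 (EAP 7.0.3 on RHEL 6)
# and RHSA-2016:2807 (JBoss Web Server 2.1.2, Tomcat 7, RHEL 6). No epoch is listed.
ADVISORY_PACKAGES = {
    "RHSA-2016:2640": [
        "eap7-undertow-1.3.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm",
        "eap7-wildfly-7.0.3-4.GA_redhat_2.1.ep7.el6.noarch.rpm",
    ],
    "RHSA-2016:2807": ["tomcat7-7.0.54-23_patch_05.ep6.el6.noarch.rpm"],
}

# Constructed sample standing in for `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# on a partly patched host; these are not values from a real system.
INSTALLED_SAMPLE = [
    "eap7-undertow-1.3.24-1.Final_redhat_1.1.ep7.el6",  # one version behind
    "eap7-wildfly-7.0.3-4.GA_redhat_2.1.ep7.el6",       # exactly the fixed NVR
    "tomcat7-7.0.54-23_patch_04.ep6.el6",               # older release
    "bash-4.1.2-48.el6",                                # not in any advisory
]

_RPM_SUFFIX = re.compile(r"\.(noarch|src|x86_64|i686)\.rpm$")
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def split_nvr(pkg):
    """'name-version-release[.arch.rpm]' -> (name, version, release).
    Version and release never contain '-', so the last two dashes delimit them."""
    return tuple(_RPM_SUFFIX.sub("", pkg).rsplit("-", 2))


def rpmvercmp(a, b):
    """rpm's version comparison: -1 if a < b, 0 if equal, 1 if a > b.
    Runs of digits or letters are compared segment by segment; numeric segments
    beat alphabetic ones; '~' sorts before anything, even end of string.
    The newer '^' marker is not handled, as none of these NVRs use it."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):  # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta != tb:
                return -1 if ta else 1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pattern = _DIGITS if isnum else _ALPHA
        ma, mb = pattern.match(a, i), pattern.match(b, j)
        if mb is None:  # segments of different type: the numeric one is newer
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = ma.end(), mb.end()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # whichever string has characters left over is the newer one
    if (i < len(a)) == (j < len(b)):
        return 0
    return 1 if i < len(a) else -1


def compare_nvr(installed, fixed):
    """-1 if installed is older than fixed, 0 if equal, 1 if newer (epoch 0)."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def audit(installed, advisories):
    """{name: (status, advisory id)} for each installed package an advisory names;
    'vulnerable' when the installed NVR is older than the fixed one, else 'fixed'."""
    fixed_by_name = {}
    for adv_id, pkgs in advisories.items():
        for pkg in pkgs:
            fixed_by_name[split_nvr(pkg)[0]] = (pkg, adv_id)
    report = {}
    for pkg in installed:
        name = split_nvr(pkg)[0]
        if name in fixed_by_name:
            fixed, adv_id = fixed_by_name[name]
            status = "vulnerable" if compare_nvr(pkg, fixed) < 0 else "fixed"
            report[name] = (status, adv_id)
    return report


if __name__ == "__main__":
    for name, (status, adv) in sorted(audit(INSTALLED_SAMPLE, ADVISORY_PACKAGES).items()):
        print(f"{name:16} {status:10} {adv}")
```

On a real host, feed it the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` in place of INSTALLED_SAMPLE; the signature check the advisories point to (`rpm --checksig` against Red Hat's key) is a separate step that this comparison does not replace.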