From bugzilla at redhat.com Tue Mar 7 19:39:00 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 7 Mar 2017 19:39:00 +0000 Subject: [RHSA-2017:0455-01] Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update Message-ID: <201703071939.v27Jd1Dv032505@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update Advisory ID: RHSA-2017:0455-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2017:0455 Issue date: 2015-11-12 Updated on: 2017-03-07 CVE Names: CVE-2016-0762 CVE-2016-1240 CVE-2016-3092 CVE-2016-5018 CVE-2016-6325 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 CVE-2016-6816 CVE-2016-8735 CVE-2016-8745 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server 3 for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Server 3.1 for RHEL 6 - i386, noarch, ppc64, x86_64 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements. Security Fix(es): * It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735) * A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092) * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816) * A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745) * The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762) * It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018) * It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794) * It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796) * It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797) The CVE-2016-6325 issue was discovered by Red Hat Product Security. Enhancement(s): This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-267) Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement. 4. Solution: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service 1367447 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation 1376712 - CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation 1390493 - CVE-2016-6797 tomcat: unrestricted access to global resources 1390515 - CVE-2016-6796 tomcat: security manager bypass via JSP Servlet config parameters 1390520 - CVE-2016-6794 tomcat: system property disclosure 1390525 - CVE-2016-5018 tomcat: security manager bypass via IntrospectHelper utility function 1390526 - CVE-2016-0762 tomcat: timing attack in Realm implementation 1397484 - CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests 1397485 - CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener 1403824 - CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing 6. JIRA issues fixed (https://issues.jboss.org/): JWS-267 - RHEL 6 Errata JIRA 7. Package List: Red Hat JBoss Web Server 3.1 for RHEL 6: Source: hibernate4-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6.src.rpm jbcs-httpd24-apache-commons-daemon-1.0.15-1.redhat_2.1.jbcs.el6.src.rpm jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el6.src.rpm mod_cluster-1.3.5-2.Final_redhat_2.1.ep7.el6.src.rpm tomcat-native-1.2.8-9.redhat_9.ep7.el6.src.rpm tomcat-vault-1.0.8-9.Final_redhat_2.1.ep7.el6.src.rpm tomcat7-7.0.70-16.ep7.el6.src.rpm tomcat8-8.0.36-17.ep7.el6.src.rpm i386: jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el6.i686.rpm jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el6.i686.rpm tomcat-native-1.2.8-9.redhat_9.ep7.el6.i686.rpm tomcat-native-debuginfo-1.2.8-9.redhat_9.ep7.el6.i686.rpm noarch: hibernate4-c3p0-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6.noarch.rpm hibernate4-core-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6.noarch.rpm hibernate4-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6.noarch.rpm hibernate4-entitymanager-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6.noarch.rpm hibernate4-envers-eap6-4.2.23-1.Final_redhat_1.1.ep6.el6.noarch.rpm jbcs-httpd24-apache-commons-daemon-1.0.15-1.redhat_2.1.jbcs.el6.noarch.rpm jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm mod_cluster-1.3.5-2.Final_redhat_2.1.ep7.el6.noarch.rpm mod_cluster-tomcat7-1.3.5-2.Final_redhat_2.1.ep7.el6.noarch.rpm mod_cluster-tomcat8-1.3.5-2.Final_redhat_2.1.ep7.el6.noarch.rpm tomcat-vault-1.0.8-9.Final_redhat_2.1.ep7.el6.noarch.rpm tomcat7-7.0.70-16.ep7.el6.noarch.rpm tomcat7-admin-webapps-7.0.70-16.ep7.el6.noarch.rpm tomcat7-docs-webapp-7.0.70-16.ep7.el6.noarch.rpm tomcat7-el-2.2-api-7.0.70-16.ep7.el6.noarch.rpm tomcat7-javadoc-7.0.70-16.ep7.el6.noarch.rpm tomcat7-jsp-2.2-api-7.0.70-16.ep7.el6.noarch.rpm tomcat7-jsvc-7.0.70-16.ep7.el6.noarch.rpm tomcat7-lib-7.0.70-16.ep7.el6.noarch.rpm tomcat7-log4j-7.0.70-16.ep7.el6.noarch.rpm tomcat7-selinux-7.0.70-16.ep7.el6.noarch.rpm tomcat7-servlet-3.0-api-7.0.70-16.ep7.el6.noarch.rpm tomcat7-webapps-7.0.70-16.ep7.el6.noarch.rpm tomcat8-8.0.36-17.ep7.el6.noarch.rpm tomcat8-admin-webapps-8.0.36-17.ep7.el6.noarch.rpm tomcat8-docs-webapp-8.0.36-17.ep7.el6.noarch.rpm tomcat8-el-2.2-api-8.0.36-17.ep7.el6.noarch.rpm tomcat8-javadoc-8.0.36-17.ep7.el6.noarch.rpm tomcat8-jsp-2.3-api-8.0.36-17.ep7.el6.noarch.rpm tomcat8-jsvc-8.0.36-17.ep7.el6.noarch.rpm tomcat8-lib-8.0.36-17.ep7.el6.noarch.rpm tomcat8-log4j-8.0.36-17.ep7.el6.noarch.rpm tomcat8-selinux-8.0.36-17.ep7.el6.noarch.rpm tomcat8-servlet-3.1-api-8.0.36-17.ep7.el6.noarch.rpm tomcat8-webapps-8.0.36-17.ep7.el6.noarch.rpm ppc64: jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el6.ppc64.rpm jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el6.ppc64.rpm x86_64: jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el6.x86_64.rpm jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el6.x86_64.rpm tomcat-native-1.2.8-9.redhat_9.ep7.el6.x86_64.rpm tomcat-native-debuginfo-1.2.8-9.redhat_9.ep7.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2016-0762 https://access.redhat.com/security/cve/CVE-2016-1240 https://access.redhat.com/security/cve/CVE-2016-3092 https://access.redhat.com/security/cve/CVE-2016-5018 https://access.redhat.com/security/cve/CVE-2016-6325 https://access.redhat.com/security/cve/CVE-2016-6794 https://access.redhat.com/security/cve/CVE-2016-6796 https://access.redhat.com/security/cve/CVE-2016-6797 https://access.redhat.com/security/cve/CVE-2016-6816 https://access.redhat.com/security/cve/CVE-2016-8735 https://access.redhat.com/security/cve/CVE-2016-8745 https://access.redhat.com/security/updates/classification/#important 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYvww0XlSAg2UNWIIRAnJlAJ9c1cyDXP1/dI30fGjC0wJVDGbw3QCfbnXw /PBR7pUGLbNA0xtWDwAi0Xk= =Y+gP -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Mar 7 19:39:54 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 7 Mar 2017 19:39:54 +0000 Subject: [RHSA-2017:0456-01] Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update Message-ID: <201703071939.v27JdtSP024379@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update Advisory ID: RHSA-2017:0456-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2017:0456 Issue date: 2015-11-12 Updated on: 2017-03-07 CVE Names: CVE-2016-0762 CVE-2016-1240 CVE-2016-3092 CVE-2016-5018 CVE-2016-6325 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 CVE-2016-6816 CVE-2016-8735 CVE-2016-8745 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server 3 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Server 3.1 for RHEL 7 - noarch, ppc64, x86_64 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements. Security Fix(es): * It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735) * A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092) * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816) * A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745) * The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762) * It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018) * It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794) * It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796) * It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797) The CVE-2016-6325 issue was discovered by Red Hat Product Security. Enhancement(s): * This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-268) 4. Solution: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service 1367447 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation 1376712 - CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation 1390493 - CVE-2016-6797 tomcat: unrestricted access to global resources 1390515 - CVE-2016-6796 tomcat: security manager bypass via JSP Servlet config parameters 1390520 - CVE-2016-6794 tomcat: system property disclosure 1390525 - CVE-2016-5018 tomcat: security manager bypass via IntrospectHelper utility function 1390526 - CVE-2016-0762 tomcat: timing attack in Realm implementation 1397484 - CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests 1397485 - CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener 1403824 - CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing 6. JIRA issues fixed (https://issues.jboss.org/): JWS-268 - RHEL 7 Errata JIRA 7. Package List: Red Hat JBoss Web Server 3.1 for RHEL 7: Source: hibernate4-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7.src.rpm jbcs-httpd24-apache-commons-daemon-1.0.15-1.redhat_2.1.jbcs.el7.src.rpm jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el7.src.rpm mod_cluster-1.3.5-2.Final_redhat_2.1.ep7.el7.src.rpm tomcat-native-1.2.8-9.redhat_9.ep7.el7.src.rpm tomcat-vault-1.0.8-9.Final_redhat_2.1.ep7.el7.src.rpm tomcat7-7.0.70-16.ep7.el7.src.rpm tomcat8-8.0.36-17.ep7.el7.src.rpm noarch: hibernate4-c3p0-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7.noarch.rpm hibernate4-core-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7.noarch.rpm hibernate4-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7.noarch.rpm hibernate4-entitymanager-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7.noarch.rpm hibernate4-envers-eap6-4.2.23-1.Final_redhat_1.1.ep6.el7.noarch.rpm jbcs-httpd24-apache-commons-daemon-1.0.15-1.redhat_2.1.jbcs.el7.noarch.rpm jbcs-httpd24-runtime-1-3.jbcs.el7.noarch.rpm mod_cluster-1.3.5-2.Final_redhat_2.1.ep7.el7.noarch.rpm mod_cluster-tomcat7-1.3.5-2.Final_redhat_2.1.ep7.el7.noarch.rpm mod_cluster-tomcat8-1.3.5-2.Final_redhat_2.1.ep7.el7.noarch.rpm tomcat-vault-1.0.8-9.Final_redhat_2.1.ep7.el7.noarch.rpm tomcat7-7.0.70-16.ep7.el7.noarch.rpm tomcat7-admin-webapps-7.0.70-16.ep7.el7.noarch.rpm tomcat7-docs-webapp-7.0.70-16.ep7.el7.noarch.rpm tomcat7-el-2.2-api-7.0.70-16.ep7.el7.noarch.rpm tomcat7-javadoc-7.0.70-16.ep7.el7.noarch.rpm tomcat7-jsp-2.2-api-7.0.70-16.ep7.el7.noarch.rpm tomcat7-jsvc-7.0.70-16.ep7.el7.noarch.rpm tomcat7-lib-7.0.70-16.ep7.el7.noarch.rpm tomcat7-log4j-7.0.70-16.ep7.el7.noarch.rpm tomcat7-selinux-7.0.70-16.ep7.el7.noarch.rpm tomcat7-servlet-3.0-api-7.0.70-16.ep7.el7.noarch.rpm tomcat7-webapps-7.0.70-16.ep7.el7.noarch.rpm tomcat8-8.0.36-17.ep7.el7.noarch.rpm tomcat8-admin-webapps-8.0.36-17.ep7.el7.noarch.rpm tomcat8-docs-webapp-8.0.36-17.ep7.el7.noarch.rpm tomcat8-el-2.2-api-8.0.36-17.ep7.el7.noarch.rpm tomcat8-javadoc-8.0.36-17.ep7.el7.noarch.rpm tomcat8-jsp-2.3-api-8.0.36-17.ep7.el7.noarch.rpm tomcat8-jsvc-8.0.36-17.ep7.el7.noarch.rpm tomcat8-lib-8.0.36-17.ep7.el7.noarch.rpm tomcat8-log4j-8.0.36-17.ep7.el7.noarch.rpm tomcat8-selinux-8.0.36-17.ep7.el7.noarch.rpm tomcat8-servlet-3.1-api-8.0.36-17.ep7.el7.noarch.rpm tomcat8-webapps-8.0.36-17.ep7.el7.noarch.rpm ppc64: jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el7.ppc64.rpm jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el7.ppc64.rpm x86_64: jbcs-httpd24-apache-commons-daemon-jsvc-1.0.15-17.redhat_2.jbcs.el7.x86_64.rpm jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1.0.15-17.redhat_2.jbcs.el7.x86_64.rpm tomcat-native-1.2.8-9.redhat_9.ep7.el7.x86_64.rpm tomcat-native-debuginfo-1.2.8-9.redhat_9.ep7.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2016-0762 https://access.redhat.com/security/cve/CVE-2016-1240 https://access.redhat.com/security/cve/CVE-2016-3092 https://access.redhat.com/security/cve/CVE-2016-5018 https://access.redhat.com/security/cve/CVE-2016-6325 https://access.redhat.com/security/cve/CVE-2016-6794 https://access.redhat.com/security/cve/CVE-2016-6796 https://access.redhat.com/security/cve/CVE-2016-6797 https://access.redhat.com/security/cve/CVE-2016-6816 https://access.redhat.com/security/cve/CVE-2016-8735 https://access.redhat.com/security/cve/CVE-2016-8745 https://access.redhat.com/security/updates/classification/#important 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYvwx1XlSAg2UNWIIRAlcaAJ9BAGykX/bGrxjm/OJ4KkTD2Jol4QCfaFhA I1dYmPbbHiEL1qBik1MSZME= =IQj5 -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Mar 7 19:41:15 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 7 Mar 2017 19:41:15 +0000 Subject: [RHSA-2017:0457-01] Important: Red Hat JBoss Web Server security and enhancement update Message-ID: <201703071941.v27JfHB0025638@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server security and enhancement update Advisory ID: RHSA-2017:0457-01 Product: Red Hat JBoss Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0457.html Issue date: 2017-03-07 CVE Names: CVE-2016-0762 CVE-2016-1240 CVE-2016-3092 CVE-2016-5018 CVE-2016-6325 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 CVE-2016-6816 CVE-2016-8735 CVE-2016-8745 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements. Security Fix(es): * It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735) * A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092) * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816) * A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745) * The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762) * It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018) * It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794) * It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796) * It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797) The CVE-2016-6325 issue was discovered by Red Hat Product Security. Enhancement(s): * This enhancement update adds the Red Hat JBoss Web Server 3.1.0. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement. 3. Solution: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service 1367447 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation 1376712 - CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation 1390493 - CVE-2016-6797 tomcat: unrestricted access to global resources 1390515 - CVE-2016-6796 tomcat: security manager bypass via JSP Servlet config parameters 1390520 - CVE-2016-6794 tomcat: system property disclosure 1390525 - CVE-2016-5018 tomcat: security manager bypass via IntrospectHelper utility function 1390526 - CVE-2016-0762 tomcat: timing attack in Realm implementation 1397484 - CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests 1397485 - CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener 1403824 - CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing 5. References: https://access.redhat.com/security/cve/CVE-2016-0762 https://access.redhat.com/security/cve/CVE-2016-1240 https://access.redhat.com/security/cve/CVE-2016-3092 https://access.redhat.com/security/cve/CVE-2016-5018 https://access.redhat.com/security/cve/CVE-2016-6325 https://access.redhat.com/security/cve/CVE-2016-6794 https://access.redhat.com/security/cve/CVE-2016-6796 https://access.redhat.com/security/cve/CVE-2016-6797 https://access.redhat.com/security/cve/CVE-2016-6816 https://access.redhat.com/security/cve/CVE-2016-8735 https://access.redhat.com/security/cve/CVE-2016-8745 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.1.0 https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.1_Release_Notes/index.html https://access.redhat.com/security/vulnerabilities/httpoxy https://access.redhat.com/solutions/2435491 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYvwzSXlSAg2UNWIIRAtstAKC5zAokXNBQnXe+hb9GvSKpngKrSQCgqXa2 zb+BJhQtiHDygDSa59EWVvE= =ZskZ -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Mar 14 17:48:04 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 14 Mar 2017 13:48:04 -0400 Subject: [RHSA-2017:0517-01] Important: Red Hat JBoss Enterprise Application Platform security update Message-ID: <201703141748.v2EHm4Or025588@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform security update Advisory ID: RHSA-2017:0517-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0517.html Issue date: 2017-03-14 CVE Names: CVE-2016-6346 CVE-2016-8657 CVE-2017-6056 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release of Red Hat JBoss Enterprise Application Platform 6.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.13, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657) * It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056) * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue. 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1372120 - CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack 1400343 - CVE-2016-8657 jboss: jbossas writable config files allow privilege escalation 1422148 - CVE-2017-6056 tomcat: Infinite loop in the processing of https requests 5. References: https://access.redhat.com/security/cve/CVE-2016-6346 https://access.redhat.com/security/cve/CVE-2016-8657 https://access.redhat.com/security/cve/CVE-2017-6056 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/ https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYyCzQXlSAg2UNWIIRAoFyAKDDGRlp32Y5+JEzpc+Ekcy7QI2/HgCeN2Ib /LSU1zy53keGa79PeXOXPUg= =Hyau -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Mar 16 21:10:24 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 16 Mar 2017 17:10:24 -0400 Subject: [RHSA-2017:0557-01] Moderate: Red Hat JBoss BPM Suite security update Message-ID: <201703162110.v2GLAO7K015876@lists01.pubmisc.prod.ext.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss BPM Suite security update Advisory ID: RHSA-2017:0557-01 Product: Red Hat JBoss BPM Suite Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0557.html Issue date: 2017-03-16 CVE Names: CVE-2016-6343 CVE-2016-7034 CVE-2017-2658 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss BPM Suite. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This release of Red Hat JBoss BPM Suite 6.4.2 serves as a replacement for Red Hat JBoss BPM Suite 6.4.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of script code within the context of the affected user. (CVE-2016-6343) * It has been reported that CSRF tokens are not properly handled in JBoss BPM suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in query string so they can be exposed through the browser's history, referrers, web logs, and other sources. Attackers may be able to obtain old tokens from various sources in the network and perform CSRF attacks successfully. (CVE-2016-7034) * It was discovered that the Dashbuilder login page could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking). (CVE-2017-2658) The CVE-2016-6343 and CVE-2016-7034 issues were discovered by Jeremy Choi (Red Hat Product Security Team) and the CVE-2017-2658 issue was discovered by Martin Weiler (Red Hat). 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1371801 - CVE-2016-6343 JBoss bpms 6.3.x reflected XSS in dashbuilder 1373347 - CVE-2016-7034 JBoss bpms: insecure handling CSRF token in dashbuilder 1433087 - CVE-2017-2658 Dashbuilder: Lack of clickjacking protection on the login page 5. References: https://access.redhat.com/security/cve/CVE-2016-6343 https://access.redhat.com/security/cve/CVE-2016-7034 https://access.redhat.com/security/cve/CVE-2017-2658 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYyv83XlSAg2UNWIIRAugJAJ487WHaJsX+FzSyxeFG1yInlCdlhgCgnInJ 5fHjZf+XyzP950TPuQi4V8s= =9rzp -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Mar 22 17:15:43 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Mar 2017 13:15:43 -0400 Subject: [RHSA-2017:0826-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 5 Message-ID: <201703221715.v2MHFhxM018139@lists01.pubmisc.prod.ext.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 5 Advisory ID: RHSA-2017:0826-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0826.html Issue date: 2017-03-22 CVE Names: CVE-2016-6346 CVE-2016-8657 CVE-2017-6056 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release of Red Hat JBoss Enterprise Application Platform 6.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.13, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657) * It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056) * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1372120 - CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack 1400343 - CVE-2016-8657 jboss: jbossas writable config files allow privilege escalation 1419594 - RHEL5 RPMs: Upgrade jbossweb to 7.5.21.Final-redhat-2 1419647 - RHEL5 RPMs: Upgrade jboss-msc to 1.1.7.SP1-redhat-1 1422148 - CVE-2017-6056 tomcat: Infinite loop in the processing of https requests 6. Package List: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server: Source: apache-cxf-2.7.18-6.SP5_redhat_1.1.ep6.el5.src.rpm hornetq-2.3.25-19.SP17_redhat_1.1.ep6.el5.src.rpm infinispan-5.2.21-1.Final_redhat_1.1.ep6.el5.src.rpm jboss-as-appclient-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-cli-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-client-all-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-clustering-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-cmp-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-connector-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-controller-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-controller-client-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-core-security-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-deployment-repository-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-deployment-scanner-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-domain-http-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-domain-management-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-ee-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-ee-deployment-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-ejb3-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-embedded-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-host-controller-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-jacorb-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-jaxr-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-jaxrs-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-jdr-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-jmx-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-jpa-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-jsf-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-jsr77-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-logging-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-mail-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-management-client-content-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-messaging-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-modcluster-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-naming-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-network-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-osgi-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-osgi-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-osgi-service-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-picketlink-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-platform-mbean-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-pojo-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-process-controller-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-protocol-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-remoting-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-sar-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-security-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-server-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-system-jmx-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-threads-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-transactions-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-version-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-web-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-webservices-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-weld-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-as-xts-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jboss-modules-1.3.8-1.Final_redhat_1.1.ep6.el5.src.rpm jboss-msc-1.1.7-1.SP1_redhat_1.1.ep6.el5.src.rpm jboss-remoting3-3.3.9-1.Final_redhat_1.1.ep6.el5.src.rpm jbossas-appclient-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jbossas-bundles-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jbossas-core-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jbossas-domain-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jbossas-javadocs-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jbossas-modules-eap-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jbossas-product-eap-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jbossas-standalone-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jbossas-welcome-content-eap-7.5.14-2.Final_redhat_2.1.ep6.el5.src.rpm jbossts-4.17.39-1.Final_redhat_1.1.ep6.el5.src.rpm jbossweb-7.5.21-2.Final_redhat_2.1.ep6.el5.src.rpm picketbox-4.1.4-1.Final_redhat_1.1.ep6.el5.src.rpm resteasy-2.3.17-1.Final_redhat_1.1.ep6.el5.src.rpm weld-core-1.1.34-1.Final_redhat_1.1.ep6.el5.src.rpm noarch: apache-cxf-2.7.18-6.SP5_redhat_1.1.ep6.el5.noarch.rpm hornetq-2.3.25-19.SP17_redhat_1.1.ep6.el5.noarch.rpm infinispan-5.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm infinispan-cachestore-jdbc-5.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm infinispan-cachestore-remote-5.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm infinispan-client-hotrod-5.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm infinispan-core-5.2.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-as-appclient-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-cli-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-client-all-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-clustering-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-cmp-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-connector-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-controller-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-controller-client-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-core-security-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-deployment-repository-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-deployment-scanner-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-domain-http-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-domain-management-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-ee-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-ee-deployment-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-ejb3-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-embedded-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-host-controller-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-jacorb-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-jaxr-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-jaxrs-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-jdr-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-jmx-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-jpa-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-jsf-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-jsr77-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-logging-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-mail-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-management-client-content-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-messaging-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-modcluster-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-naming-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-network-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-osgi-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-osgi-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-osgi-service-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-picketlink-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-platform-mbean-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-pojo-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-process-controller-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-protocol-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-remoting-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-sar-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-security-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-server-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-system-jmx-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-threads-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-transactions-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-version-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-web-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-webservices-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-weld-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-as-xts-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jboss-modules-1.3.8-1.Final_redhat_1.1.ep6.el5.noarch.rpm jboss-msc-1.1.7-1.SP1_redhat_1.1.ep6.el5.noarch.rpm jboss-remoting3-3.3.9-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossas-appclient-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jbossas-bundles-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jbossas-core-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jbossas-domain-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jbossas-javadocs-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jbossas-modules-eap-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jbossas-product-eap-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jbossas-standalone-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jbossas-welcome-content-eap-7.5.14-2.Final_redhat_2.1.ep6.el5.noarch.rpm jbossts-4.17.39-1.Final_redhat_1.1.ep6.el5.noarch.rpm jbossweb-7.5.21-2.Final_redhat_2.1.ep6.el5.noarch.rpm picketbox-4.1.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm resteasy-2.3.17-1.Final_redhat_1.1.ep6.el5.noarch.rpm weld-core-1.1.34-1.Final_redhat_1.1.ep6.el5.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-6346 https://access.redhat.com/security/cve/CVE-2016-8657 https://access.redhat.com/security/cve/CVE-2017-6056 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/?version=6.4 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFY0rE2XlSAg2UNWIIRAsnyAJwIs1LwwNJqx2eoPs5fZ0sq+DlZJACgoKba Ie0TDl8bO6KUtiq8FU8Bgts= =04Cw -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Mar 22 17:16:01 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Mar 2017 13:16:01 -0400 Subject: [RHSA-2017:0827-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 6 Message-ID: <201703221716.v2MHG1EG018308@lists01.pubmisc.prod.ext.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 6 Advisory ID: RHSA-2017:0827-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0827.html Issue date: 2017-03-22 CVE Names: CVE-2016-6346 CVE-2016-8657 CVE-2017-6056 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release of Red Hat JBoss Enterprise Application Platform 6.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.13, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657) * It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056) * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1372120 - CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack 1400343 - CVE-2016-8657 jboss: jbossas writable config files allow privilege escalation 1419593 - RHEL6 RPMs: Upgrade jbossweb to 7.5.21.Final-redhat-2 1419646 - RHEL6 RPMs: Upgrade jboss-msc to 1.1.7.SP1-redhat-1 1422148 - CVE-2017-6056 tomcat: Infinite loop in the processing of https requests 6. Package List: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server: Source: apache-cxf-2.7.18-6.SP5_redhat_1.1.ep6.el6.src.rpm hornetq-2.3.25-19.SP17_redhat_1.1.ep6.el6.src.rpm infinispan-5.2.21-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-as-appclient-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-cli-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-client-all-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-clustering-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-cmp-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-connector-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-controller-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-controller-client-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-core-security-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-deployment-repository-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-deployment-scanner-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-domain-http-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-domain-management-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-ee-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-ee-deployment-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-ejb3-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-embedded-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-host-controller-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-jacorb-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-jaxr-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-jaxrs-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-jdr-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-jmx-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-jpa-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-jsf-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-jsr77-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-logging-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-mail-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-management-client-content-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-messaging-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-modcluster-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-naming-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-network-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-osgi-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-osgi-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-osgi-service-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-picketlink-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-platform-mbean-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-pojo-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-process-controller-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-protocol-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-remoting-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-sar-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-security-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-server-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-system-jmx-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-threads-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-transactions-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-version-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-web-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-webservices-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-weld-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-as-xts-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jboss-modules-1.3.8-1.Final_redhat_1.1.ep6.el6.src.rpm jboss-msc-1.1.7-1.SP1_redhat_1.1.ep6.el6.src.rpm jboss-remoting3-3.3.9-1.Final_redhat_1.1.ep6.el6.src.rpm jbossas-appclient-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jbossas-bundles-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jbossas-core-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jbossas-domain-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jbossas-javadocs-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jbossas-modules-eap-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jbossas-product-eap-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jbossas-standalone-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jbossas-welcome-content-eap-7.5.14-2.Final_redhat_2.1.ep6.el6.src.rpm jbossts-4.17.39-1.Final_redhat_1.1.ep6.el6.src.rpm jbossweb-7.5.21-2.Final_redhat_2.1.ep6.el6.src.rpm picketbox-4.1.4-1.Final_redhat_1.1.ep6.el6.src.rpm resteasy-2.3.17-1.Final_redhat_1.1.ep6.el6.src.rpm weld-core-1.1.34-1.Final_redhat_1.1.ep6.el6.src.rpm noarch: apache-cxf-2.7.18-6.SP5_redhat_1.1.ep6.el6.noarch.rpm hornetq-2.3.25-19.SP17_redhat_1.1.ep6.el6.noarch.rpm infinispan-5.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm infinispan-cachestore-jdbc-5.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm infinispan-cachestore-remote-5.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm infinispan-client-hotrod-5.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm infinispan-core-5.2.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-as-appclient-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-cli-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-client-all-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-clustering-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-cmp-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-connector-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-controller-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-controller-client-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-core-security-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-deployment-repository-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-deployment-scanner-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-domain-http-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-domain-management-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-ee-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-ee-deployment-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-ejb3-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-embedded-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-host-controller-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-jacorb-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-jaxr-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-jaxrs-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-jdr-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-jmx-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-jpa-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-jsf-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-jsr77-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-logging-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-mail-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-management-client-content-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-messaging-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-modcluster-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-naming-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-network-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-osgi-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-osgi-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-osgi-service-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-picketlink-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-platform-mbean-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-pojo-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-process-controller-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-protocol-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-remoting-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-sar-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-security-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-server-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-system-jmx-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-threads-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-transactions-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-version-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-web-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-webservices-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-weld-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-as-xts-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jboss-modules-1.3.8-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-msc-1.1.7-1.SP1_redhat_1.1.ep6.el6.noarch.rpm jboss-remoting3-3.3.9-1.Final_redhat_1.1.ep6.el6.noarch.rpm jbossas-appclient-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossas-bundles-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossas-core-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossas-domain-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossas-javadocs-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossas-modules-eap-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossas-product-eap-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossas-standalone-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossas-welcome-content-eap-7.5.14-2.Final_redhat_2.1.ep6.el6.noarch.rpm jbossts-4.17.39-1.Final_redhat_1.1.ep6.el6.noarch.rpm jbossweb-7.5.21-2.Final_redhat_2.1.ep6.el6.noarch.rpm picketbox-4.1.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm resteasy-2.3.17-1.Final_redhat_1.1.ep6.el6.noarch.rpm weld-core-1.1.34-1.Final_redhat_1.1.ep6.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-6346 https://access.redhat.com/security/cve/CVE-2016-8657 https://access.redhat.com/security/cve/CVE-2017-6056 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/?version=6.4 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFY0rFJXlSAg2UNWIIRAk5BAJ9+lfLluatKqILjqU7h4Z8rmFh1nQCdHX4N VpPuao/EfwykJ5eZWaXftwI= =c3ZH -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Mar 22 17:16:19 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Mar 2017 13:16:19 -0400 Subject: [RHSA-2017:0828-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 7 Message-ID: <201703221716.v2MHGJFn018323@lists01.pubmisc.prod.ext.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 7 Advisory ID: RHSA-2017:0828-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0828.html Issue date: 2017-03-22 CVE Names: CVE-2016-6346 CVE-2016-8657 CVE-2017-6056 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release of Red Hat JBoss Enterprise Application Platform 6.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.13, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657) * It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056) * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1372120 - CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack 1400343 - CVE-2016-8657 jboss: jbossas writable config files allow privilege escalation 1419595 - RHEL7 RPMs: Upgrade jbossweb to 7.5.21.Final-redhat-2 1419648 - RHEL7 RPMs: Upgrade jboss-msc to 1.1.7.SP1-redhat-1 1422148 - CVE-2017-6056 tomcat: Infinite loop in the processing of https requests 6. Package List: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server: Source: apache-cxf-2.7.18-6.SP5_redhat_1.1.ep6.el7.src.rpm hornetq-2.3.25-19.SP17_redhat_1.1.ep6.el7.src.rpm infinispan-5.2.21-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-as-appclient-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-cli-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-client-all-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-clustering-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-cmp-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-connector-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-controller-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-controller-client-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-core-security-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-deployment-repository-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-deployment-scanner-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-domain-http-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-domain-management-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-ee-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-ee-deployment-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-ejb3-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-embedded-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-host-controller-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jacorb-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jaxr-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jaxrs-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jdr-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jmx-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jpa-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jsf-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-jsr77-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-logging-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-mail-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-management-client-content-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-messaging-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-modcluster-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-naming-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-network-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-osgi-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-osgi-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-osgi-service-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-picketlink-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-platform-mbean-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-pojo-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-process-controller-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-protocol-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-remoting-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-sar-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-security-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-server-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-system-jmx-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-threads-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-transactions-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-version-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-web-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-webservices-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-weld-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-as-xts-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jboss-modules-1.3.8-1.Final_redhat_1.1.ep6.el7.src.rpm jboss-msc-1.1.7-1.SP1_redhat_1.1.ep6.el7.src.rpm jboss-remoting3-3.3.9-1.Final_redhat_1.1.ep6.el7.src.rpm jbossas-appclient-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-bundles-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-core-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-domain-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-javadocs-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-modules-eap-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-product-eap-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-standalone-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jbossas-welcome-content-eap-7.5.14-2.Final_redhat_2.1.ep6.el7.src.rpm jbossts-4.17.39-1.Final_redhat_1.1.ep6.el7.src.rpm jbossweb-7.5.21-2.Final_redhat_2.1.ep6.el7.src.rpm picketbox-4.1.4-1.Final_redhat_1.1.ep6.el7.src.rpm resteasy-2.3.17-1.Final_redhat_1.1.ep6.el7.src.rpm weld-core-1.1.34-1.Final_redhat_1.1.ep6.el7.src.rpm noarch: apache-cxf-2.7.18-6.SP5_redhat_1.1.ep6.el7.noarch.rpm hornetq-2.3.25-19.SP17_redhat_1.1.ep6.el7.noarch.rpm infinispan-5.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm infinispan-cachestore-jdbc-5.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm infinispan-cachestore-remote-5.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm infinispan-client-hotrod-5.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm infinispan-core-5.2.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-as-appclient-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-cli-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-client-all-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-clustering-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-cmp-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-connector-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-controller-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-controller-client-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-core-security-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-deployment-repository-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-deployment-scanner-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-domain-http-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-domain-management-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-ee-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-ee-deployment-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-ejb3-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-embedded-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-host-controller-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jacorb-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jaxr-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jaxrs-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jdr-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jmx-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jpa-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jsf-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-jsr77-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-logging-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-mail-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-management-client-content-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-messaging-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-modcluster-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-naming-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-network-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-osgi-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-osgi-configadmin-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-osgi-service-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-picketlink-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-platform-mbean-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-pojo-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-process-controller-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-protocol-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-remoting-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-sar-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-security-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-server-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-system-jmx-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-threads-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-transactions-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-version-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-web-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-webservices-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-weld-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-as-xts-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jboss-modules-1.3.8-1.Final_redhat_1.1.ep6.el7.noarch.rpm jboss-msc-1.1.7-1.SP1_redhat_1.1.ep6.el7.noarch.rpm jboss-remoting3-3.3.9-1.Final_redhat_1.1.ep6.el7.noarch.rpm jbossas-appclient-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-bundles-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-core-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-domain-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-javadocs-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-modules-eap-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-product-eap-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-standalone-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossas-welcome-content-eap-7.5.14-2.Final_redhat_2.1.ep6.el7.noarch.rpm jbossts-4.17.39-1.Final_redhat_1.1.ep6.el7.noarch.rpm jbossweb-7.5.21-2.Final_redhat_2.1.ep6.el7.noarch.rpm picketbox-4.1.4-1.Final_redhat_1.1.ep6.el7.noarch.rpm resteasy-2.3.17-1.Final_redhat_1.1.ep6.el7.noarch.rpm weld-core-1.1.34-1.Final_redhat_1.1.ep6.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-6346 https://access.redhat.com/security/cve/CVE-2016-8657 https://access.redhat.com/security/cve/CVE-2017-6056 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/?version=6.4 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFY0rFaXlSAg2UNWIIRAoX6AKCL5jpk8HQOw0SnEJ5PJ2xIzBDZVQCgiLu3 UYcH8Xx95vWqLB684d2wu/k= =6G7w -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Mar 22 17:16:33 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Mar 2017 13:16:33 -0400 Subject: [RHSA-2017:0829-01] Important: jboss-ec2-eap security, bug fix, and enhancement update Message-ID: <201703221716.v2MHGX3m018363@lists01.pubmisc.prod.ext.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: jboss-ec2-eap security, bug fix, and enhancement update Advisory ID: RHSA-2017:0829-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0829.html Issue date: 2017-03-22 CVE Names: CVE-2016-6346 CVE-2016-8657 CVE-2017-6056 ===================================================================== 1. Summary: An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch 3. Description: The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.14. Security Fix(es): * It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657) * It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056) * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1372120 - CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack 1400343 - CVE-2016-8657 jboss: jbossas writable config files allow privilege escalation 1422148 - CVE-2017-6056 tomcat: Infinite loop in the processing of https requests 6. Package List: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server: Source: jboss-ec2-eap-7.5.14-2.Final_redhat_2.ep6.el6.src.rpm noarch: jboss-ec2-eap-7.5.14-2.Final_redhat_2.ep6.el6.noarch.rpm jboss-ec2-eap-samples-7.5.14-2.Final_redhat_2.ep6.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-6346 https://access.redhat.com/security/cve/CVE-2016-8657 https://access.redhat.com/security/cve/CVE-2017-6056 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/?version=6.4 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFY0rFnXlSAg2UNWIIRAjYsAJ0a1/WnZIUDKINEGSYWruId3mS7DACgqNwV Ctu2cb8clPsZmCc8c0hsIdk= =v6HK -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Mar 22 18:07:23 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Mar 2017 14:07:23 -0400 Subject: [RHSA-2017:0831-01] Important: JBoss Enterprise Application Platform 7.0.5 on RHEL 6 Message-ID: <201703221807.v2MI7NE3025663@lists01.pubmisc.prod.ext.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise Application Platform 7.0.5 on RHEL 6 Advisory ID: RHSA-2017:0831-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0831.html Issue date: 2017-03-22 CVE Names: CVE-2016-8656 CVE-2016-9589 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server - i386, noarch, x86_64 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release of Red Hat JBoss Enterprise Application Platform 7.0.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation. (CVE-2016-8656) * It was found that JBoss EAP 7 Header Cache was inefficient. An attacker could use this flaw to cause a denial of service attack. (CVE-2016-9589) Red Hat would like to thank Gabriel Lavoie (Halogen Software) for reporting CVE-2016-9589. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1400344 - CVE-2016-8656 jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation 1404782 - CVE-2016-9589 wildfly: ParseState headerValuesCache can be exploited to fill heap with garbage 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-6995 - Tracker bug for the EAP 7.0.5 release for RHEL-6 7. Package List: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server: Source: eap7-activemq-artemis-1.1.0-16.SP19_redhat_1.1.ep7.el6.src.rpm eap7-artemis-native-1.1.0-12.redhat_4.ep7.el6.src.rpm eap7-hibernate-5.0.12-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-infinispan-8.1.7-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-jboss-msc-1.2.7-1.SP1_redhat_1.1.ep7.el6.src.rpm eap7-jboss-xnio-base-3.4.3-2.Final_redhat_1.1.ep7.el6.src.rpm eap7-narayana-5.2.22-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-netty-4.0.35-2.Final_redhat_1.1.ep7.el6.src.rpm eap7-picketlink-bindings-2.5.5-6.SP6_redhat_1.1.ep7.el6.src.rpm eap7-picketlink-federation-2.5.5-6.SP6_redhat_1.1.ep7.el6.src.rpm eap7-resteasy-3.0.19-3.SP1_redhat_1.1.ep7.el6.src.rpm eap7-undertow-1.3.27-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-wildfly-7.0.5-3.GA_redhat_2.1.ep7.el6.src.rpm eap7-wildfly-javadocs-7.0.5-2.GA_redhat_2.1.ep7.el6.src.rpm eap7-wildfly-web-console-eap-2.8.29-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-xml-security-2.0.8-1.redhat_1.1.ep7.el6.src.rpm i386: eap7-artemis-native-1.1.0-12.redhat_4.ep7.el6.i686.rpm eap7-artemis-native-wildfly-1.1.0-12.redhat_4.ep7.el6.i686.rpm noarch: eap7-activemq-artemis-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-cli-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-commons-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-core-client-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-dto-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-hornetq-protocol-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-hqclient-protocol-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-jms-client-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-jms-server-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-journal-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-native-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-ra-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-selector-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-server-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-service-extensions-1.1.0-16.SP19_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-5.0.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-core-5.0.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-entitymanager-5.0.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-envers-5.0.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-infinispan-5.0.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-java8-5.0.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-8.1.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-cachestore-jdbc-8.1.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-cachestore-remote-8.1.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-client-hotrod-8.1.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-commons-8.1.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-core-8.1.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-jboss-msc-1.2.7-1.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-jboss-xnio-base-3.4.3-2.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-compensations-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-jbosstxbridge-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-jbossxts-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-jts-idlj-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-jts-integration-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-restat-api-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-restat-bridge-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-restat-integration-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-restat-util-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-txframework-5.2.22-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-netty-4.0.35-2.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-netty-all-4.0.35-2.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-api-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-bindings-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-common-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-config-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-federation-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-idm-api-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-idm-impl-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-idm-simple-schema-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-impl-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-wildfly8-2.5.5-6.SP6_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-async-http-servlet-3.0-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-atom-provider-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-cdi-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-client-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-crypto-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jackson-provider-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jackson2-provider-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jaxb-provider-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jaxrs-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jettison-provider-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jose-jwt-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jsapi-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-json-p-provider-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-multipart-provider-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-spring-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-validator-provider-11-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-yaml-provider-3.0.19-3.SP1_redhat_1.1.ep7.el6.noarch.rpm eap7-undertow-1.3.27-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-wildfly-7.0.5-3.GA_redhat_2.1.ep7.el6.noarch.rpm eap7-wildfly-javadocs-7.0.5-2.GA_redhat_2.1.ep7.el6.noarch.rpm eap7-wildfly-modules-7.0.5-3.GA_redhat_2.1.ep7.el6.noarch.rpm eap7-wildfly-web-console-eap-2.8.29-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-xml-security-2.0.8-1.redhat_1.1.ep7.el6.noarch.rpm x86_64: eap7-artemis-native-1.1.0-12.redhat_4.ep7.el6.x86_64.rpm eap7-artemis-native-wildfly-1.1.0-12.redhat_4.ep7.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2016-8656 https://access.redhat.com/security/cve/CVE-2016-9589 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/ https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/ https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/ 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFY0r1TXlSAg2UNWIIRApywAJ9j+hSNe7AGG7qXBteXLUA5fax9zgCcCUBD q7nLtzoDBQpNgKr0R3aMY5s= =4/uf -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Mar 22 18:07:41 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Mar 2017 14:07:41 -0400 Subject: [RHSA-2017:0832-01] Important: JBoss Enterprise Application Platform 7.0.5 on RHEL 7 Message-ID: <201703221807.v2MI7f6c025709@lists01.pubmisc.prod.ext.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise Application Platform 7.0.5 on RHEL 7 Advisory ID: RHSA-2017:0832-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0832.html Issue date: 2017-03-22 CVE Names: CVE-2016-8656 CVE-2016-9589 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server - noarch, x86_64 3. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release of Red Hat JBoss Enterprise Application Platform 7.0.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation. (CVE-2016-8656) * It was found that JBoss EAP 7 Header Cache was inefficient. An attacker could use this flaw to cause a denial of service attack. (CVE-2016-9589) Red Hat would like to thank Gabriel Lavoie (Halogen Software) for reporting CVE-2016-9589. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1400344 - CVE-2016-8656 jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation 1404782 - CVE-2016-9589 wildfly: ParseState headerValuesCache can be exploited to fill heap with garbage 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-6996 - Tracker bug for the EAP 7.0.5 release for RHEL-7 7. Package List: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server: Source: eap7-activemq-artemis-1.1.0-16.SP19_redhat_1.1.ep7.el7.src.rpm eap7-artemis-native-1.1.0-12.redhat_4.ep7.el7.src.rpm eap7-hibernate-5.0.12-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-infinispan-8.1.7-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-jboss-msc-1.2.7-1.SP1_redhat_1.1.ep7.el7.src.rpm eap7-jboss-xnio-base-3.4.3-2.Final_redhat_1.1.ep7.el7.src.rpm eap7-narayana-5.2.22-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-netty-4.0.35-2.Final_redhat_1.1.ep7.el7.src.rpm eap7-picketlink-bindings-2.5.5-6.SP6_redhat_1.1.ep7.el7.src.rpm eap7-picketlink-federation-2.5.5-6.SP6_redhat_1.1.ep7.el7.src.rpm eap7-resteasy-3.0.19-3.SP1_redhat_1.1.ep7.el7.src.rpm eap7-undertow-1.3.27-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-wildfly-7.0.5-3.GA_redhat_2.1.ep7.el7.src.rpm eap7-wildfly-javadocs-7.0.5-2.GA_redhat_2.1.ep7.el7.src.rpm eap7-wildfly-web-console-eap-2.8.29-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-xml-security-2.0.8-1.redhat_1.1.ep7.el7.src.rpm noarch: eap7-activemq-artemis-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-cli-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-commons-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-core-client-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-dto-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-hornetq-protocol-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-hqclient-protocol-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-jms-client-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-jms-server-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-journal-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-native-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-ra-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-selector-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-server-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-service-extensions-1.1.0-16.SP19_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-5.0.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-core-5.0.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-entitymanager-5.0.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-envers-5.0.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-infinispan-5.0.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-java8-5.0.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-8.1.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-cachestore-jdbc-8.1.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-cachestore-remote-8.1.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-client-hotrod-8.1.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-commons-8.1.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-core-8.1.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-jboss-msc-1.2.7-1.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-jboss-xnio-base-3.4.3-2.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-compensations-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-jbosstxbridge-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-jbossxts-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-jts-idlj-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-jts-integration-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-restat-api-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-restat-bridge-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-restat-integration-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-restat-util-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-txframework-5.2.22-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-netty-4.0.35-2.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-netty-all-4.0.35-2.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-api-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-bindings-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-common-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-config-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-federation-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-idm-api-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-idm-impl-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-idm-simple-schema-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-impl-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-wildfly8-2.5.5-6.SP6_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-async-http-servlet-3.0-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-atom-provider-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-cdi-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-client-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-crypto-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jackson-provider-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jackson2-provider-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jaxb-provider-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jaxrs-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jettison-provider-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jose-jwt-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jsapi-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-json-p-provider-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-multipart-provider-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-spring-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-validator-provider-11-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-yaml-provider-3.0.19-3.SP1_redhat_1.1.ep7.el7.noarch.rpm eap7-undertow-1.3.27-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-wildfly-7.0.5-3.GA_redhat_2.1.ep7.el7.noarch.rpm eap7-wildfly-javadocs-7.0.5-2.GA_redhat_2.1.ep7.el7.noarch.rpm eap7-wildfly-modules-7.0.5-3.GA_redhat_2.1.ep7.el7.noarch.rpm eap7-wildfly-web-console-eap-2.8.29-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-xml-security-2.0.8-1.redhat_1.1.ep7.el7.noarch.rpm x86_64: eap7-artemis-native-1.1.0-12.redhat_4.ep7.el7.x86_64.rpm eap7-artemis-native-wildfly-1.1.0-12.redhat_4.ep7.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2016-8656 https://access.redhat.com/security/cve/CVE-2016-9589 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/ https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/ https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/ 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFY0r1lXlSAg2UNWIIRAp2RAJ45MrhJ0EMJCNslDnGNU1AgD+q5HgCgoPq3 8+bqdDG8THj2Q8B1FfrFjZQ= =D39C -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Mar 22 18:07:57 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Mar 2017 14:07:57 -0400 Subject: [RHSA-2017:0834-01] Important: jboss-ec2-eap package for EAP 7.0.5 Message-ID: <201703221807.v2MI7v1w025723@lists01.pubmisc.prod.ext.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: jboss-ec2-eap package for EAP 7.0.5 Advisory ID: RHSA-2017:0834-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0834.html Issue date: 2017-03-22 CVE Names: CVE-2016-8656 CVE-2016-9589 ===================================================================== 1. Summary: An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 and Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server - noarch Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server - noarch 3. Description: The eap7-jboss-ec2-eap package provides scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.5. Refer to the JBoss Enterprise Application Platform 7.0.5 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release. Security Fix(es): *It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation.(CVE-2016-8656) *It was found that JBoss EAP 7 Header Cache was inefficient. An attacker could use this flaw to cause a denial of service attack.(CVE-2016-9589) The CVE-2016-9589 issue was discovered by Gabriel Lavoie (Halogen Software). Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1400344 - CVE-2016-8656 jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation 1404782 - CVE-2016-9589 wildfly: ParseState headerValuesCache can be exploited to fill heap with garbage 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-6997 - jboss-ec2-eap for EAP 7.0.5 7. Package List: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server: Source: eap7-jboss-ec2-eap-7.0.5-1.GA_redhat_1.ep7.el6.src.rpm noarch: eap7-jboss-ec2-eap-7.0.5-1.GA_redhat_1.ep7.el6.noarch.rpm eap7-jboss-ec2-eap-samples-7.0.5-1.GA_redhat_1.ep7.el6.noarch.rpm Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server: Source: eap7-jboss-ec2-eap-7.0.5-1.GA_redhat_1.ep7.el7.src.rpm noarch: eap7-jboss-ec2-eap-7.0.5-1.GA_redhat_1.ep7.el7.noarch.rpm eap7-jboss-ec2-eap-samples-7.0.5-1.GA_redhat_1.ep7.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2016-8656 https://access.redhat.com/security/cve/CVE-2016-9589 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/ https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/ 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFY0r12XlSAg2UNWIIRAjZnAKC2ChGrH83Ltdrusj2unBuzohSuXACgjifD X4MARv05jHQFzbbwmdv55o8= =Vhjc -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Mar 22 18:08:11 2017 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 22 Mar 2017 14:08:11 -0400 Subject: [RHSA-2017:0830-01] Moderate: Red Hat JBoss Enterprise Application Platform security update Message-ID: <201703221808.v2MI8Bsm025735@lists01.pubmisc.prod.ext.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform security update Advisory ID: RHSA-2017:0830-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0830.html Issue date: 2017-03-22 CVE Names: CVE-2016-9589 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release of Red Hat JBoss Enterprise Application Platform 7.0.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was found that JBoss EAP 7 Header Cache was inefficient. An attacker could use this flaw to cause a denial of service attack. (CVE-2016-9589) Red Hat would like to thank Gabriel Lavoie (Halogen Software) for reporting this issue. 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1404782 - CVE-2016-9589 wildfly: ParseState headerValuesCache can be exploited to fill heap with garbage 5. References: https://access.redhat.com/security/cve/CVE-2016-9589 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.0 https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/ https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/ 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFY0r2BXlSAg2UNWIIRAr3xAJ9N4PGGOEl0PqSioC9C7Dozn3jjxQCeNQRD AzjWSs9gjzHWtyK4jDM4zII= =CKYs -----END PGP SIGNATURE-----