From bugzilla at redhat.com Mon Jul 6 11:47:28 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Jul 2009 07:47:28 -0400
Subject: [RHSA-2009:1143-01] Important: JBoss Enterprise Application Platform 4.2.0.CP07 update
Message-ID: <200907061147.n66BlSvh015576@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 4.2.0.CP07 update
Advisory ID:       RHSA-2009:1143-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1143.html
Issue date:        2009-07-06
CVE Names:         CVE-2008-5515 CVE-2009-0580 CVE-2009-0783
=====================================================================

1. Summary:

Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix
various issues are now available for Red Hat Enterprise Linux 5 as JBEAP
4.2.0.CP07.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform for RHEL 5 Server - noarch

3. Description:

JBoss Enterprise Application Platform is the market-leading platform for
innovative and scalable Java applications, integrating the JBoss Application
Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise
solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement
for JBEAP 4.2.0.CP06. These updated packages include bug fixes and
enhancements which are detailed in the release notes. The link to the release
notes is available below in the References section of this errata.

The following security issues are also fixed with this release:

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to send
specially crafted requests that would cause an information leak.
(CVE-2008-5515)

It was discovered that the error-checking methods of certain authentication
classes did not perform sufficient error checking, allowing remote attackers
to enumerate (via brute force methods) usernames registered with applications
deployed on JBossWeb when FORM-based authentication was used. (CVE-2009-0580)

It was discovered that web applications containing their own XML parsers
could replace the XML parser JBossWeb uses to parse configuration files. A
malicious web application running on a JBossWeb instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same JBossWeb instance. (CVE-2009-0783)

Warning: before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBEAP 4.2 on Red Hat Enterprise Linux 5 are advised to upgrade
to these updated packages.

4. Solution:

Before applying this update, make sure that all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

499600 - Tracker bug for the EAP 4.2.0.cp07 release for RHEL-5.
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability

6. Package List:

JBoss Enterprise Application Platform for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jakarta-slide-webdavclient-2.1-9.2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-cache-1.4.1-6.SP13.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remoting-2.2.3-2.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-seam-1.2.1-1.ep1.13.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-4.2.0-4.GA_CP07.5.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jgroups-2.4.6-1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/rh-eap-docs-4.2.0-5.GA_CP07.ep1.1.1.el5.src.rpm

noarch:
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm
hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm
hibernate3-annotations-javadoc-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm
hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm
hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.noarch.rpm
hibernate3-entitymanager-javadoc-3.3.2-2.4.1.ep1.el5.noarch.rpm
hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm
hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm
hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm
jakarta-slide-webdavclient-2.1-9.2.el5.noarch.rpm
jboss-cache-1.4.1-6.SP13.1.ep1.el5.noarch.rpm
jboss-remoting-2.2.3-2.ep1.el5.noarch.rpm
jboss-seam-1.2.1-1.ep1.13.el5.noarch.rpm
jboss-seam-docs-1.2.1-1.ep1.13.el5.noarch.rpm
jbossas-4.2.0-4.GA_CP07.5.1.ep1.el5.noarch.rpm
jbossas-4.2.0.GA_CP07-bin-4.2.0-4.GA_CP07.5.1.ep1.el5.noarch.rpm
jbossas-client-4.2.0-4.GA_CP07.5.1.ep1.el5.noarch.rpm
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.noarch.rpm
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.noarch.rpm
jgroups-2.4.6-1.ep1.el5.noarch.rpm
rh-eap-docs-4.2.0-5.GA_CP07.ep1.1.1.el5.noarch.rpm
rh-eap-docs-examples-4.2.0-5.GA_CP07.ep1.1.1.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp07/html-single/Release_Notes/index.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
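A practitioner applying the Solution section wants to confirm that the installed packages are actually at or above the fixed level in the package list. The script below is an added example, not part of the advisory: it re-implements rpm's version ordering (rpmvercmp, without the newer '^' operator), takes a constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output, and reports advisory packages that are installed below the fixed version/release copied from the RHEL 5 noarch list above (a subset; the advisory lists no epochs, so they are ignored).

```python
"""Check installed RPMs against the fixed versions in RHSA-2009:1143 (added example)."""
import re

# Fixed (version, release) pairs copied from the advisory's RHEL 5 noarch
# package list (a subset; epochs are not listed in the advisory and ignored).
FIXED_PACKAGES = {
    "jbossweb": ("2.0.0", "6.CP11.0jpp.ep1.1.el5"),
    "jbossas": ("4.2.0", "4.GA_CP07.5.1.ep1.el5"),
    "jboss-seam": ("1.2.1", "1.ep1.13.el5"),
    "hibernate3": ("3.2.4", "1.SP1_CP08.0jpp.ep1.2.3.el5"),
}

# Constructed sample in the shape of:
#   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
# Two packages are one cumulative patch behind; two are at the fixed level.
SAMPLE_RPM_QA = """\
jbossweb 2.0.0 6.CP10.0jpp.ep1.1.el5
jbossas 4.2.0 4.GA_CP07.5.1.ep1.el5
jboss-seam 1.2.1 1.ep1.12.el5
hibernate3 3.2.4 1.SP1_CP08.0jpp.ep1.2.3.el5
httpd 2.2.3 22.el5
"""

# rpm splits version strings into runs of digits, runs of letters and '~';
# every other character is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Re-implementation of rpm's rpmvercmp() ordering (without '^' support):
    numeric segments compare as integers and rank above alphabetic ones,
    alphabetic segments compare lexically, '~' sorts below everything, and
    when one string runs out of segments the longer one is newer.
    Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):          # "01" and "1" are equal
                return -1 if int(x) < int(y) else 1
            continue
        if xd != yd:
            return 1 if xd else -1         # numeric beats alphabetic
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    extra = (sa if longer_is_a else sb)[min(len(sa), len(sb))]
    if extra == "~":                       # trailing "~rc1" is a pre-release
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def compare_vr(installed, fixed):
    """Compare (version, release) tuples; release only matters when versions tie."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c != 0 else rpmvercmp(installed[1], fixed[1])


def parse_rpm_qa(text):
    """Parse 'NAME VERSION RELEASE' lines into {name: (version, release)}."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            installed[parts[0]] = (parts[1], parts[2])
    return installed


def find_unpatched(rpm_qa_text, fixed=FIXED_PACKAGES):
    """Names of advisory packages that are installed below the fixed level.
    Packages that are not installed are not affected and are not reported."""
    installed = parse_rpm_qa(rpm_qa_text)
    return sorted(name for name, vr in fixed.items()
                  if name in installed and compare_vr(installed[name], vr) < 0)


if __name__ == "__main__":
    for name in find_unpatched(SAMPLE_RPM_QA):
        print(f"{name}: older than the RHSA-2009:1143 fixed version")
```

On a real host, feed the output of the rpm query above to find_unpatched() and extend FIXED_PACKAGES with the remaining entries of the noarch list for the platform in question.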
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKUePbXlSAg2UNWIIRAgGtAJ4y7JDJnNaT1uleK3OmJ6fUF5Tm0ACeJjfS
Fgm8fI4Rn7k/rIJeFt6fNjM=
=coR3
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Jul 6 11:48:27 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Jul 2009 07:48:27 -0400
Subject: [RHSA-2009:1144-01] Important: JBoss Enterprise Application Platform 4.2.0.CP07 update
Message-ID: <200907061148.n66BmR1T015961@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 4.2.0.CP07 update
Advisory ID:       RHSA-2009:1144-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1144.html
Issue date:        2009-07-06
CVE Names:         CVE-2008-5515 CVE-2009-0580 CVE-2009-0783
=====================================================================

1. Summary:

Updated JBoss Enterprise Application Platform (JBEAP) 4.2 packages that fix
various issues are now available for Red Hat Enterprise Linux 4 as JBEAP
4.2.0.CP07.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform for RHEL 4 AS - noarch
JBoss Enterprise Application Platform for RHEL 4 ES - noarch

3. Description:

JBoss Enterprise Application Platform is the market-leading platform for
innovative and scalable Java applications, integrating the JBoss Application
Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise
solution.

This release of JBEAP for Red Hat Enterprise Linux 4 serves as a replacement
for JBEAP 4.2.0.CP06. These updated packages include bug fixes and
enhancements which are detailed in the release notes. The link to the release
notes is available below in the References section of this errata.

The following security issues are also fixed with this release:

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to send
specially crafted requests that would cause an information leak.
(CVE-2008-5515)

It was discovered that the error-checking methods of certain authentication
classes did not perform sufficient error checking, allowing remote attackers
to enumerate (via brute force methods) usernames registered with applications
deployed on JBossWeb when FORM-based authentication was used. (CVE-2009-0580)

It was discovered that web applications containing their own XML parsers
could replace the XML parser JBossWeb uses to parse configuration files. A
malicious web application running on a JBossWeb instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same JBossWeb instance. (CVE-2009-0783)

Warning: before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBEAP 4.2 on Red Hat Enterprise Linux 4 are advised to upgrade
to these updated packages.

4. Solution:

Before applying this update, make sure that all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

499605 - Tracker bug for the EAP 4.2.0.cp07 release.
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability

6. Package List:

JBoss Enterprise Application Platform for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-annotations-3.3.1-1.10.GA_CP01.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-entitymanager-3.3.2-2.4.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-validator-3.0.0-1jpp.ep1.8.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hsqldb-1.8.0.8-2.patch02.1jpp.ep1.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jakarta-slide-webdavclient-2.1-9.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-cache-1.4.1-6.SP13.1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-remoting-2.2.3-2.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-seam-1.2.1-1.ep1.19.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossas-4.2.0-4.GA_CP07.5.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jgroups-2.4.6-1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/rh-eap-docs-4.2.0-5.GA_CP07.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/xerces-j2-2.7.1-9jpp.ep1.2.el4.src.rpm

noarch:
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.noarch.rpm
hibernate3-annotations-3.3.1-1.10.GA_CP01.ep1.el4.noarch.rpm
hibernate3-annotations-javadoc-3.3.1-1.10.GA_CP01.ep1.el4.noarch.rpm
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.el4.noarch.rpm
hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.el4.noarch.rpm
hibernate3-entitymanager-3.3.2-2.4.ep1.el4.noarch.rpm
hibernate3-entitymanager-javadoc-3.3.2-2.4.ep1.el4.noarch.rpm
hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.noarch.rpm
hibernate3-validator-3.0.0-1jpp.ep1.8.el4.noarch.rpm
hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.el4.noarch.rpm
hsqldb-1.8.0.8-2.patch02.1jpp.ep1.2.el4.noarch.rpm
jakarta-slide-webdavclient-2.1-9.2.el4.noarch.rpm
jboss-cache-1.4.1-6.SP13.1.ep1.el4.noarch.rpm
jboss-remoting-2.2.3-2.ep1.el4.noarch.rpm
jboss-seam-1.2.1-1.ep1.19.el4.noarch.rpm
jboss-seam-docs-1.2.1-1.ep1.19.el4.noarch.rpm
jbossas-4.2.0-4.GA_CP07.5.ep1.el4.noarch.rpm
jbossas-4.2.0.GA_CP07-bin-4.2.0-4.GA_CP07.5.ep1.el4.noarch.rpm
jbossas-client-4.2.0-4.GA_CP07.5.ep1.el4.noarch.rpm
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el4.noarch.rpm
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el4.noarch.rpm
jgroups-2.4.6-1.ep1.el4.noarch.rpm
rh-eap-docs-4.2.0-5.GA_CP07.ep1.1.el4.noarch.rpm
rh-eap-docs-examples-4.2.0-5.GA_CP07.ep1.1.el4.noarch.rpm
xerces-j2-2.7.1-9jpp.ep1.2.el4.noarch.rpm

JBoss Enterprise Application Platform for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-annotations-3.3.1-1.10.GA_CP01.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-entitymanager-3.3.2-2.4.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-validator-3.0.0-1jpp.ep1.8.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hsqldb-1.8.0.8-2.patch02.1jpp.ep1.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jakarta-slide-webdavclient-2.1-9.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-cache-1.4.1-6.SP13.1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-remoting-2.2.3-2.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-seam-1.2.1-1.ep1.19.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossas-4.2.0-4.GA_CP07.5.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jgroups-2.4.6-1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/rh-eap-docs-4.2.0-5.GA_CP07.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/xerces-j2-2.7.1-9jpp.ep1.2.el4.src.rpm

noarch:
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.noarch.rpm
hibernate3-annotations-3.3.1-1.10.GA_CP01.ep1.el4.noarch.rpm
hibernate3-annotations-javadoc-3.3.1-1.10.GA_CP01.ep1.el4.noarch.rpm
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.el4.noarch.rpm
hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.el4.noarch.rpm
hibernate3-entitymanager-3.3.2-2.4.ep1.el4.noarch.rpm
hibernate3-entitymanager-javadoc-3.3.2-2.4.ep1.el4.noarch.rpm
hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.noarch.rpm
hibernate3-validator-3.0.0-1jpp.ep1.8.el4.noarch.rpm
hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.el4.noarch.rpm
hsqldb-1.8.0.8-2.patch02.1jpp.ep1.2.el4.noarch.rpm
jakarta-slide-webdavclient-2.1-9.2.el4.noarch.rpm
jboss-cache-1.4.1-6.SP13.1.ep1.el4.noarch.rpm
jboss-remoting-2.2.3-2.ep1.el4.noarch.rpm
jboss-seam-1.2.1-1.ep1.19.el4.noarch.rpm
jboss-seam-docs-1.2.1-1.ep1.19.el4.noarch.rpm
jbossas-4.2.0-4.GA_CP07.5.ep1.el4.noarch.rpm
jbossas-4.2.0.GA_CP07-bin-4.2.0-4.GA_CP07.5.ep1.el4.noarch.rpm
jbossas-client-4.2.0-4.GA_CP07.5.ep1.el4.noarch.rpm
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el4.noarch.rpm
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el4.noarch.rpm
jgroups-2.4.6-1.ep1.el4.noarch.rpm
rh-eap-docs-4.2.0-5.GA_CP07.ep1.1.el4.noarch.rpm
rh-eap-docs-examples-4.2.0-5.GA_CP07.ep1.1.el4.noarch.rpm
xerces-j2-2.7.1-9jpp.ep1.2.el4.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp07/html-single/Release_Notes/index.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKUeRUXlSAg2UNWIIRAvHQAJ0QDESXbeOx/+ACBtmzp/mqL8eUjACfVagm
Wk8WdhSr1z3PQnef5K2Xa8I=
=xkjo
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Jul 6 11:49:39 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Jul 2009 07:49:39 -0400
Subject: [RHSA-2009:1145-01] Important: JBoss Enterprise Application Platform 4.3.0.CP05 update
Message-ID: <200907061149.n66BndG3016421@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 4.3.0.CP05 update
Advisory ID:       RHSA-2009:1145-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1145.html
Issue date:        2009-07-06
CVE Names:         CVE-2008-5515 CVE-2009-0580 CVE-2009-0783
=====================================================================

1. Summary:

Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix
various issues are now available for Red Hat Enterprise Linux 5 as JBEAP
4.3.0.CP05.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server - noarch

3. Description:

JBoss Enterprise Application Platform is the market-leading platform for
innovative and scalable Java applications, integrating the JBoss Application
Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise
solution.

This release of JBEAP for Red Hat Enterprise Linux 5 serves as a replacement
for JBEAP 4.3.0.CP04. These updated packages include bug fixes and
enhancements which are detailed in the release notes. The link to the release
notes is available below in the References section of this errata.

The following security issues are also fixed with this release:

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to send
specially crafted requests that would cause an information leak.
(CVE-2008-5515)

It was discovered that the error-checking methods of certain authentication
classes did not perform sufficient error checking, allowing remote attackers
to enumerate (via brute force methods) usernames registered with applications
deployed on JBossWeb when FORM-based authentication was used. (CVE-2009-0580)

It was discovered that web applications containing their own XML parsers
could replace the XML parser JBossWeb uses to parse configuration files. A
malicious web application running on a JBossWeb instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same JBossWeb instance. (CVE-2009-0783)

Warning: before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 5 are advised to upgrade
to these updated packages.

4. Solution:

Before applying this update, make sure that all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

499602 - Tracker bug for the EAP 4.3.0.cp05 release for RHEL-5.
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability

6. Package List:

JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/glassfish-jaxb-2.1.4-1.11.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jakarta-slide-webdavclient-2.1-9.2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-cache-1.4.1-6.SP13.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remoting-2.2.3-2.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.11.el5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-4.3.0-4.GA_CP05.6.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-2.0.1-3.SP2_CP06.3.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-common-1.0.0-2.GA_CP04.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-framework-2.0.1-1.GA_CP04.2.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-spi-1.0.0-1.GA_CP02.1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jgroups-2.4.6-1.ep1.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/rh-eap-docs-4.3.0-5.GA_CP05.ep1.2.1.el5.src.rpm

noarch:
glassfish-jaxb-2.1.4-1.11.1.ep1.el5.noarch.rpm
glassfish-jaxb-javadoc-2.1.4-1.11.1.ep1.el5.noarch.rpm
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm
hibernate3-annotations-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm
hibernate3-annotations-javadoc-3.3.1-1.10.1GA_CP01.ep1.el5.noarch.rpm
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm
hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.2.el5.noarch.rpm
hibernate3-entitymanager-3.3.2-2.4.1.ep1.el5.noarch.rpm
hibernate3-entitymanager-javadoc-3.3.2-2.4.1.ep1.el5.noarch.rpm
hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.3.el5.noarch.rpm
hibernate3-validator-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm
hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.3.el5.noarch.rpm
jakarta-slide-webdavclient-2.1-9.2.el5.noarch.rpm
jboss-cache-1.4.1-6.SP13.1.ep1.el5.noarch.rpm
jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el5.noarch.rpm
jboss-remoting-2.2.3-2.ep1.el5.noarch.rpm
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.11.el5.1.noarch.rpm
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.11.el5.1.noarch.rpm
jbossas-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm
jbossas-4.3.0.GA_CP05-bin-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm
jbossas-client-4.3.0-4.GA_CP05.6.1.ep1.el5.noarch.rpm
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el5.noarch.rpm
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el5.noarch.rpm
jbossws-2.0.1-3.SP2_CP06.3.1.ep1.el5.noarch.rpm
jbossws-common-1.0.0-2.GA_CP04.1.ep1.el5.noarch.rpm
jbossws-framework-2.0.1-1.GA_CP04.2.ep1.el5.noarch.rpm
jbossws-native42-2.0.1-3.SP2_CP06.3.1.ep1.el5.noarch.rpm
jbossws-spi-1.0.0-1.GA_CP02.1.ep1.el5.noarch.rpm
jgroups-2.4.6-1.ep1.el5.noarch.rpm
rh-eap-docs-4.3.0-5.GA_CP05.ep1.2.1.el5.noarch.rpm
rh-eap-docs-examples-4.3.0-5.GA_CP05.ep1.2.1.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp05/html-single/Release_Notes/index.html
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKUeSPXlSAg2UNWIIRAkIBAKCWmOQW+VYYOQ6dHkjNikiJ+APmwACgoay6
3INFGfSe7Ao0sO/pRclaJu0=
=eT3X
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Jul 6 11:50:42 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 6 Jul 2009 07:50:42 -0400
Subject: [RHSA-2009:1146-01] Important: JBoss Enterprise Application Platform 4.3.0.CP05 update
Message-ID: <200907061150.n66BogMa017502@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Application Platform 4.3.0.CP05 update
Advisory ID:       RHSA-2009:1146-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1146.html
Issue date:        2009-07-06
CVE Names:         CVE-2008-5515 CVE-2009-0580 CVE-2009-0783
=====================================================================

1. Summary:

Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix
various issues are now available for Red Hat Enterprise Linux 4 as JBEAP
4.3.0.CP05.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES - noarch

3. Description:

JBoss Enterprise Application Platform is the market-leading platform for
innovative and scalable Java applications, integrating the JBoss Application
Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise
solution.

This release of JBEAP for Red Hat Enterprise Linux 4 serves as a replacement
for JBEAP 4.3.0.CP04. These updated packages include bug fixes and
enhancements which are detailed in the release notes. The link to the release
notes is available below in the References section of this errata.

The following security issues are also fixed with this release:

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to send
specially crafted requests that would cause an information leak.
(CVE-2008-5515)

It was discovered that the error-checking methods of certain authentication
classes did not perform sufficient error checking, allowing remote attackers
to enumerate (via brute force methods) usernames registered with applications
deployed on JBossWeb when FORM-based authentication was used. (CVE-2009-0580)

It was discovered that web applications containing their own XML parsers
could replace the XML parser JBossWeb uses to parse configuration files. A
malicious web application running on a JBossWeb instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same JBossWeb instance. (CVE-2009-0783)

Warning: before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 4 are advised to upgrade
to these updated packages.

4. Solution:

Before applying this update, make sure that all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

499608 - Tracker bug for the EAP 4.3.0.cp05 release.
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability

6. Package List:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/glassfish-jaxb-2.1.4-1.11.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-annotations-3.3.1-1.10.GA_CP01.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-entitymanager-3.3.2-2.4.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hibernate3-validator-3.0.0-1jpp.ep1.8.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/hsqldb-1.8.0.8-2.patch02.1jpp.ep1.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jakarta-slide-webdavclient-2.1-9.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-cache-1.4.1-6.SP13.1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-remoting-2.2.3-2.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.15.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossas-4.3.0-4.GA_CP05.6.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossws-2.0.1-3.SP2_CP06.3.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossws-common-1.0.0-2.GA_CP04.1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossws-framework-2.0.1-1.GA_CP04.2.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossws-spi-1.0.0-1.GA_CP02.1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jgroups-2.4.6-1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/rh-eap-docs-4.3.0-5.GA_CP05.ep1.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/xerces-j2-2.7.1-9jpp.ep1.2.el4.src.rpm

noarch:
glassfish-jaxb-2.1.4-1.11.ep1.el4.noarch.rpm
glassfish-jaxb-javadoc-2.1.4-1.11.ep1.el4.noarch.rpm
hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.noarch.rpm
hibernate3-annotations-3.3.1-1.10.GA_CP01.ep1.el4.noarch.rpm
hibernate3-annotations-javadoc-3.3.1-1.10.GA_CP01.ep1.el4.noarch.rpm
hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.el4.noarch.rpm
hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.el4.noarch.rpm
hibernate3-entitymanager-3.3.2-2.4.ep1.el4.noarch.rpm
hibernate3-entitymanager-javadoc-3.3.2-2.4.ep1.el4.noarch.rpm
hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.noarch.rpm
hibernate3-validator-3.0.0-1jpp.ep1.8.el4.noarch.rpm
hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.el4.noarch.rpm
hsqldb-1.8.0.8-2.patch02.1jpp.ep1.2.el4.noarch.rpm
jakarta-slide-webdavclient-2.1-9.2.el4.noarch.rpm
jboss-cache-1.4.1-6.SP13.1.ep1.el4.noarch.rpm
jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el4.noarch.rpm
jboss-remoting-2.2.3-2.ep1.el4.noarch.rpm
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.15.el4.noarch.rpm
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.15.el4.noarch.rpm
jbossas-4.3.0-4.GA_CP05.6.ep1.el4.noarch.rpm
jbossas-4.3.0.GA_CP05-bin-4.3.0-4.GA_CP05.6.ep1.el4.noarch.rpm
jbossas-client-4.3.0-4.GA_CP05.6.ep1.el4.noarch.rpm
jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el4.noarch.rpm
jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el4.noarch.rpm
jbossws-2.0.1-3.SP2_CP06.3.ep1.el4.noarch.rpm
jbossws-common-1.0.0-2.GA_CP04.1.ep1.el4.noarch.rpm
jbossws-framework-2.0.1-1.GA_CP04.2.ep1.el4.noarch.rpm
jbossws-native42-2.0.1-3.SP2_CP06.3.ep1.el4.noarch.rpm
jbossws-spi-1.0.0-1.GA_CP02.1.ep1.el4.noarch.rpm
jgroups-2.4.6-1.ep1.el4.noarch.rpm
rh-eap-docs-4.3.0-5.GA_CP05.ep1.2.el4.noarch.rpm
rh-eap-docs-examples-4.3.0-5.GA_CP05.ep1.2.el4.noarch.rpm
xerces-j2-2.7.1-9jpp.ep1.2.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/glassfish-jaxb-2.1.4-1.11.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-annotations-3.3.1-1.10.GA_CP01.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-entitymanager-3.3.2-2.4.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hibernate3-validator-3.0.0-1jpp.ep1.8.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/hsqldb-1.8.0.8-2.patch02.1jpp.ep1.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jakarta-slide-webdavclient-2.1-9.2.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-cache-1.4.1-6.SP13.1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-remoting-2.2.3-2.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.15.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossas-4.3.0-4.GA_CP05.6.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossws-2.0.1-3.SP2_CP06.3.ep1.el4.src.rpm
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossws-common-1.0.0-2.GA_CP04.1.ep1.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossws-framework-2.0.1-1.GA_CP04.2.ep1.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossws-spi-1.0.0-1.GA_CP02.1.ep1.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jgroups-2.4.6-1.ep1.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/rh-eap-docs-4.3.0-5.GA_CP05.ep1.2.el4.src.rpm ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/xerces-j2-2.7.1-9jpp.ep1.2.el4.src.rpm noarch: glassfish-jaxb-2.1.4-1.11.ep1.el4.noarch.rpm glassfish-jaxb-javadoc-2.1.4-1.11.ep1.el4.noarch.rpm hibernate3-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.noarch.rpm hibernate3-annotations-3.3.1-1.10.GA_CP01.ep1.el4.noarch.rpm hibernate3-annotations-javadoc-3.3.1-1.10.GA_CP01.ep1.el4.noarch.rpm hibernate3-commons-annotations-3.0.0-1jpp.ep1.5.el4.noarch.rpm hibernate3-commons-annotations-javadoc-3.0.0-1jpp.ep1.5.el4.noarch.rpm hibernate3-entitymanager-3.3.2-2.4.ep1.el4.noarch.rpm hibernate3-entitymanager-javadoc-3.3.2-2.4.ep1.el4.noarch.rpm hibernate3-javadoc-3.2.4-1.SP1_CP08.0jpp.ep1.2.el4.noarch.rpm hibernate3-validator-3.0.0-1jpp.ep1.8.el4.noarch.rpm hibernate3-validator-javadoc-3.0.0-1jpp.ep1.8.el4.noarch.rpm hsqldb-1.8.0.8-2.patch02.1jpp.ep1.2.el4.noarch.rpm jakarta-slide-webdavclient-2.1-9.2.el4.noarch.rpm jboss-cache-1.4.1-6.SP13.1.ep1.el4.noarch.rpm jboss-messaging-1.4.0-2.SP3_CP08.1.ep1.el4.noarch.rpm jboss-remoting-2.2.3-2.ep1.el4.noarch.rpm jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.15.el4.noarch.rpm jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.15.el4.noarch.rpm jbossas-4.3.0-4.GA_CP05.6.ep1.el4.noarch.rpm jbossas-4.3.0.GA_CP05-bin-4.3.0-4.GA_CP05.6.ep1.el4.noarch.rpm jbossas-client-4.3.0-4.GA_CP05.6.ep1.el4.noarch.rpm jbossts-4.2.3-1.SP5_CP05.1jpp.ep1.1.el4.noarch.rpm jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el4.noarch.rpm jbossws-2.0.1-3.SP2_CP06.3.ep1.el4.noarch.rpm 
jbossws-common-1.0.0-2.GA_CP04.1.ep1.el4.noarch.rpm jbossws-framework-2.0.1-1.GA_CP04.2.ep1.el4.noarch.rpm jbossws-native42-2.0.1-3.SP2_CP06.3.ep1.el4.noarch.rpm jbossws-spi-1.0.0-1.GA_CP02.1.ep1.el4.noarch.rpm jgroups-2.4.6-1.ep1.el4.noarch.rpm rh-eap-docs-4.3.0-5.GA_CP05.ep1.2.el4.noarch.rpm rh-eap-docs-examples-4.3.0-5.GA_CP05.ep1.2.el4.noarch.rpm xerces-j2-2.7.1-9jpp.ep1.2.el4.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783 http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp05/html-single/Release_Notes/index.html http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKUeTZXlSAg2UNWIIRAh2aAJ9q7whFLRqTrJH/l7JR8hV7mTSy3ACfWJeA
7P+U8qxywbmjqWVo5lkSorw=
=HpBO
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Jul 14 19:48:25 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 14 Jul 2009 15:48:25 -0400
Subject: [RHSA-2009:1155-01] Important: httpd security update
Message-ID: <200907141948.n6EJmPAG014796@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: httpd security update
Advisory ID:       RHSA-2009:1155-01
Product:           JBoss Enterprise Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1155.html
Issue date:        2009-07-14
CVE Names:         CVE-2009-1195 CVE-2009-1890 CVE-2009-1891
=====================================================================

1. Summary:

Updated httpd packages that fix multiple security issues are now available
for JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Web Server 5Server-JBEWS-5.0.0 - i386, x86_64

3. Description:

The Apache HTTP Server is a popular Web server.

A denial of service flaw was found in the Apache mod_proxy module when it
was used as a reverse proxy. A remote attacker could use this flaw to force
a proxy process to consume large amounts of CPU time. (CVE-2009-1890)

A flaw was found in the handling of the "Options" and "AllowOverride"
directives used by the Apache HTTP Server. In configurations using the
"AllowOverride" directive with certain "Options=" arguments, local users
were not restricted from executing commands from a Server-Side-Include
script as intended. (CVE-2009-1195)

A denial of service flaw was found in the Apache mod_deflate module. This
module continued to compress large files until compression was complete,
even if the network connection that requested the content was closed before
compression completed. This would cause mod_deflate to consume large
amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

All users of JBoss Enterprise Web Server 1.0.0 should upgrade to these
updated packages, which contain backported patches to correct these issues.
After installing the updated packages, the httpd daemon must be restarted
for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

489436 - CVE-2009-1195 AllowOverride Options=IncludesNoExec allows Options Includes
509125 - CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate
509375 - CVE-2009-1890 httpd: mod_proxy reverse proxy DoS (infinite loop)

6. Package List:

JBoss Enterprise Web Server 5Server-JBEWS-5.0.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/httpd-2.2.10-10.ep5.el5.src.rpm

i386:
httpd-2.2.10-10.ep5.el5.i386.rpm
httpd-debuginfo-2.2.10-10.ep5.el5.i386.rpm
httpd-devel-2.2.10-10.ep5.el5.i386.rpm
httpd-manual-2.2.10-10.ep5.el5.i386.rpm
mod_ssl-2.2.10-10.ep5.el5.i386.rpm

x86_64:
httpd-2.2.10-10.ep5.el5.x86_64.rpm
httpd-debuginfo-2.2.10-10.ep5.el5.x86_64.rpm
httpd-devel-2.2.10-10.ep5.el5.x86_64.rpm
httpd-manual-2.2.10-10.ep5.el5.x86_64.rpm
mod_ssl-2.2.10-10.ep5.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKXOEBXlSAg2UNWIIRApzHAJ0Qs3r82//RQcMt517rdRHVe1ikVQCeMiaG
Iaw4MvlfDsb4jl/HbOnlA8k=
=8jxg
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Fri Jul 17 13:21:44 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Fri, 17 Jul 2009 09:21:44 -0400
Subject: [RHSA-2009:1160-01] Important: httpd22 security update
Message-ID: <200907171321.n6HDLioS024081@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: httpd22 security update
Advisory ID:       RHSA-2009:1160-01
Product:           JBoss Enterprise Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1160.html
Issue date:        2009-07-17
CVE Names:         CVE-2009-0023 CVE-2009-1195 CVE-2009-1890 CVE-2009-1891
                   CVE-2009-1955
=====================================================================

1. Summary:

Updated httpd22 packages that fix multiple security issues are now
available for JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise
Linux 4.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Web Server 4AS-JBEWS-5.0.0 - i386, x86_64
JBoss Enterprise Web Server 4ES-JBEWS-5.0.0 - i386, x86_64

3. Description:

The Apache HTTP Server is a popular Web server. The httpd22 packages
shipped with JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux
4 contain an embedded copy of the Apache Portable Runtime (APR) utility
library, a free library of C data structures and routines, which includes
interfaces to support XML parsing, LDAP connections, database interfaces,
URI parsing, and more.

A denial of service flaw was found in the Apache mod_proxy module when it
was used as a reverse proxy. A remote attacker could use this flaw to force
a proxy process to consume large amounts of CPU time. (CVE-2009-1890)

A denial of service flaw was found in the apr-util Extensible Markup
Language (XML) parser. A remote attacker could create a specially-crafted
XML document that would cause excessive memory consumption when processed
by the XML decoding engine. (CVE-2009-1955)

A heap-based underwrite flaw was found in the way apr-util created compiled
forms of particular search patterns. An attacker could formulate a
specially-crafted search keyword, that would overwrite arbitrary heap
memory locations when processed by the pattern preparation engine.
(CVE-2009-0023)

A flaw was found in the handling of the "Options" and "AllowOverride"
directives used by the Apache HTTP Server. In configurations using the
"AllowOverride" directive with certain "Options=" arguments, local users
were not restricted from executing commands from a Server-Side-Include
script as intended. (CVE-2009-1195)

A denial of service flaw was found in the Apache mod_deflate module. This
module continued to compress large files until compression was complete,
even if the network connection that requested the content was closed before
compression completed. This would cause mod_deflate to consume large
amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

All users of JBoss Enterprise Web Server 1.0.0 should upgrade to these
updated packages, which contain backported patches to correct these issues.
After installing the updated packages, the httpd daemon must be restarted
for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

489436 - CVE-2009-1195 AllowOverride Options=IncludesNoExec allows Options Includes
503928 - CVE-2009-0023 apr-util heap buffer underwrite
504555 - CVE-2009-1955 apr-util billion laughs attack
509125 - CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate
509375 - CVE-2009-1890 httpd: mod_proxy reverse proxy DoS (infinite loop)

6. Package List:

JBoss Enterprise Web Server 4AS-JBEWS-5.0.0:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/httpd22-2.2.10-23.1.ep5.el4.src.rpm

i386:
httpd22-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-23.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-23.1.ep5.el4.i386.rpm

x86_64:
httpd22-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-23.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-23.1.ep5.el4.x86_64.rpm

JBoss Enterprise Web Server 4ES-JBEWS-5.0.0:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/httpd22-2.2.10-23.1.ep5.el4.src.rpm

i386:
httpd22-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-23.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-23.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-23.1.ep5.el4.i386.rpm

x86_64:
httpd22-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-23.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-23.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-23.1.ep5.el4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKYHp5XlSAg2UNWIIRAiYxAJ48+oAOaf9PlIjfVxKa3m5MbK8BOACfcHaV
v/QNXqvGxqY2ixyVhcATpeE=
=YoJk
-----END PGP SIGNATURE-----
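Each of the three advisories above ends with a package list naming the fixed build of every RPM, and each solution section asks that earlier errata be applied first, so the check a practitioner wants afterwards is whether every installed package is at least the listed build. The following is an added example, not Red Hat tooling and not part of any advisory: it reimplements the segment-wise comparison rpm uses for version and release strings (numeric segments compare as numbers, alphabetic ones as strings, a numeric segment outranks an alphabetic one, and when all shared segments tie the string with segments left over is newer; tilde ordering is not implemented, and epoch is assumed equal because RPM file names do not carry it) and audits a constructed inventory, standing in for `rpm -qa` output, against fixed builds copied from the lists above. The jbossweb and httpd22 builds in the inventory are invented older builds so that the audit has something to flag.

```python
import re

# Fixed builds copied from the advisory package lists above (one entry per
# package is enough for the demonstration); the arch suffix is stripped before use.
FIXED_PACKAGES = [
    'jbossweb-2.0.0-6.CP11.0jpp.ep1.1.el4.noarch.rpm',
    'jbossas-4.3.0-4.GA_CP05.6.ep1.el4.noarch.rpm',
    'xerces-j2-2.7.1-9jpp.ep1.2.el4.noarch.rpm',
    'httpd22-2.2.10-23.1.ep5.el4.x86_64.rpm',
    'httpd-2.2.10-10.ep5.el5.x86_64.rpm',
]

# Constructed inventory standing in for `rpm -qa` output on one host. The
# jbossweb and httpd22 entries are invented older builds, not real releases.
INSTALLED = [
    'jbossweb-2.0.0-6.CP10.0jpp.ep1.1.el4',
    'jbossas-4.3.0-4.GA_CP05.6.ep1.el4',
    'xerces-j2-2.7.1-9jpp.ep1.2.el4',
    'httpd22-2.2.10-22.ep5.el4',
    'jgroups-2.4.6-1.ep1.el4',
]


def strip_arch(filename):
    """'name-ver-rel.noarch.rpm' -> 'name-ver-rel'."""
    return re.sub(r'\.(?:noarch|i386|x86_64|src)\.rpm$', '', filename)


def split_nvr(nvr):
    """'name-version-release' -> (name, version, release). Package names may
    contain dashes themselves, so split from the right."""
    name, version, release = nvr.rsplit('-', 2)
    return name, version, release


def _segments(s):
    # rpm compares maximal runs of digits or letters; anything else separates them.
    return re.findall(r'\d+|[A-Za-z]+', s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's segment rules: numeric segments compare
    as numbers, alphabetic ones as strings, a numeric segment is newer than an
    alphabetic one, and once all shared segments tie the longer string is newer.
    Tilde ordering is deliberately left out."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def compare_nvr(installed, fixed):
    """<0 if installed is older than fixed, 0 if identical, >0 if newer.
    Epoch is assumed equal on both sides."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError('different packages: %s vs %s' % (n1, n2))
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def audit(installed_nvrs, fixed_filenames):
    """Sorted names of installed packages older than the fixed build. Installed
    packages absent from the fixed list (jgroups in the sample) are ignored."""
    fixed = {split_nvr(strip_arch(f))[0]: strip_arch(f) for f in fixed_filenames}
    stale = []
    for nvr in installed_nvrs:
        name = split_nvr(nvr)[0]
        if name in fixed and compare_nvr(nvr, fixed[name]) < 0:
            stale.append(name)
    return sorted(stale)


if __name__ == '__main__':
    for name in audit(INSTALLED, FIXED_PACKAGES):
        print('%s: installed build is older than the advisory build' % name)
```

On a real host, replace INSTALLED with the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and FIXED_PACKAGES with the complete package list for the product in use; the GPG check the advisories mention is `rpm -K` on the downloaded files, run before installation.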