From bugzilla at redhat.com Tue Jul 3 09:52:06 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 3 Jul 2012 09:52:06 +0000 Subject: [RHSA-2012:1052-01] Moderate: mod_cluster security update Message-ID: <201207030952.q639q76g009176@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: mod_cluster security update Advisory ID: RHSA-2012:1052-01 Product: JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1052.html Issue date: 2012-07-03 CVE Names: CVE-2012-1154 ===================================================================== 1. Summary: Updated mod_cluster packages that fix one security issue are now available for JBoss Enterprise Application Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch 3. Description: mod_cluster is an Apache HTTP Server (httpd) based load balancer that forwards requests from httpd to application server nodes. It can use the AJP, HTTP, or HTTPS protocols for communication with application server nodes. The JBoss Enterprise Application Platform 5.1.2 release (RHSA-2011:1800, RHSA-2011:1799, RHSA-2011:1798) introduced a regression, causing mod_cluster to register and expose the root context of a server by default, even when "ROOT" was in the "excludedContexts" list in the mod_cluster configuration. If an application was deployed on the root context, a remote attacker could use this flaw to bypass intended access restrictions and gain access to that application. (CVE-2012-1154) Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "server/[PROFILE]/deploy/" directory, along with all other customized configuration files. Users of JBoss Enterprise Application Platform 5.1.2 on Red Hat Enterprise Linux 4, 5, and 6 should upgrade to these updated packages, which correct this issue. The JBoss server process must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 802200 - CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list 6. Package List: JBoss Enterprise Application Platform 5 for RHEL 4 AS: Source: ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/mod_cluster-1.0.10-4.GA_CP02_patch01.ep5.el4.src.rpm noarch: mod_cluster-demo-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-jbossas-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-jbossweb2-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-tomcat6-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm JBoss Enterprise Application Platform 5 for RHEL 4 ES: Source: ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/mod_cluster-1.0.10-4.GA_CP02_patch01.ep5.el4.src.rpm noarch: mod_cluster-demo-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-jbossas-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-jbossweb2-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-tomcat6-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm JBoss Enterprise Application Platform 5 for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el5.src.rpm noarch: mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm JBoss Enterprise Application Platform 5 for RHEL 6 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el6.src.rpm noarch: mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-1154.html https://access.redhat.com/security/updates/classification/#moderate https://rhn.redhat.com/errata/RHSA-2011-1800.html https://rhn.redhat.com/errata/RHSA-2011-1799.html https://rhn.redhat.com/errata/RHSA-2011-1798.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFP8sCRXlSAg2UNWIIRAhRUAJ4+JKXITPaY5iOIYRcbZypcA+zmjgCggqJ7 z6KjGsyTe+df+qa90u9ByvA= =ZxRn -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Jul 3 09:53:53 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 3 Jul 2012 09:53:53 +0000 Subject: [RHSA-2012:1053-01] Moderate: mod_cluster security update Message-ID: <201207030953.q639rtO2024786@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: mod_cluster security update Advisory ID: RHSA-2012:1053-01 Product: JBoss Enterprise Web Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1053.html Issue date: 2012-07-03 CVE Names: CVE-2012-1154 ===================================================================== 1. Summary: Updated mod_cluster packages that fix one security issue are now available for JBoss Enterprise Web Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: JBoss Enterprise Web Platform 5 for RHEL 4 AS - noarch JBoss Enterprise Web Platform 5 for RHEL 4 ES - noarch JBoss Enterprise Web Platform 5 for RHEL 5 Server - noarch JBoss Enterprise Web Platform 5 for RHEL 6 Server - noarch 3. Description: mod_cluster is an Apache HTTP Server (httpd) based load balancer that forwards requests from httpd to application server nodes. It can use the AJP, HTTP, or HTTPS protocols for communication with application server nodes. The JBoss Enterprise Web Platform 5.1.2 release (RHSA-2011:1804, RHSA-2011:1803, RHSA-2011:1802) introduced a regression, causing mod_cluster to register and expose the root context of a server by default, even when "ROOT" was in the "excludedContexts" list in the mod_cluster configuration. If an application was deployed on the root context, a remote attacker could use this flaw to bypass intended access restrictions and gain access to that application. (CVE-2012-1154) Warning: Before applying this update, back up your JBoss Enterprise Web Platform's "server/[PROFILE]/deploy/" directory and any other customized configuration files. Users of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux 4, 5, and 6 should upgrade to these updated packages, which correct this issue. The JBoss server process must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 802200 - CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list 6. Package List: JBoss Enterprise Web Platform 5 for RHEL 4 AS: Source: mod_cluster-1.0.10-4.GA_CP02_patch01.ep5.el4.src.rpm noarch: mod_cluster-demo-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-jbossas-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-jbossweb2-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-tomcat6-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm JBoss Enterprise Web Platform 5 for RHEL 4 ES: Source: mod_cluster-1.0.10-4.GA_CP02_patch01.ep5.el4.src.rpm noarch: mod_cluster-demo-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-jbossas-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-jbossweb2-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm mod_cluster-tomcat6-1.0.10-4.GA_CP02_patch01.ep5.el4.noarch.rpm JBoss Enterprise Web Platform 5 for RHEL 5 Server: Source: mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el5.src.rpm noarch: mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el5.noarch.rpm JBoss Enterprise Web Platform 5 for RHEL 6 Server: Source: mod_cluster-1.0.10-4.1.GA_CP02_patch01.ep5.el6.src.rpm noarch: mod_cluster-demo-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm mod_cluster-jbossas-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm mod_cluster-jbossweb2-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm mod_cluster-tomcat6-1.0.10-4.1.GA_CP02_patch01.ep5.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-1154.html https://access.redhat.com/security/updates/classification/#moderate https://rhn.redhat.com/errata/RHSA-2011-1804.html https://rhn.redhat.com/errata/RHSA-2011-1803.html https://rhn.redhat.com/errata/RHSA-2011-1802.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFP8sDpXlSAg2UNWIIRAgnZAJ0U7lGDaOBIZhMcmUyePx5DHHSpEgCeONvm e4sDrwdss9a1mPNvfbV4HSk= =W0LM -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Jul 5 19:43:36 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 5 Jul 2012 19:43:36 +0000 Subject: [RHSA-2012:1056-01] Moderate: resteasy security update Message-ID: <201207051943.q65Jhc6e032605@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: resteasy security update Advisory ID: RHSA-2012:1056-01 Product: JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1056.html Issue date: 2012-07-05 CVE Names: CVE-2012-0818 ===================================================================== 1. Summary: An update for JBoss Enterprise Application Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: RESTEasy provides various frameworks to help you build RESTful web services and RESTful Java applications. It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. (CVE-2012-0818) Note: The fix for CVE-2012-0818 is not enabled by default. This update adds a new configuration option to disable entity expansion in RESTEasy. If applications on your server expose RESTEasy XML endpoints, a resteasy.document.expand.entity.references configuration snippet must be added to their web.xml file to disable entity expansion in RESTEasy. Refer to Red Hat Bugzilla bug 785631 for details. Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along with all other customized configuration files. All users of JBoss Enterprise Application Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). The JBoss server process must be restarted for this update to take effect. 4. Bugs fixed (http://bugzilla.redhat.com/): 785631 - CVE-2012-0818 RESTEasy: XML eXternal Entity (XXE) flaw 5. References: https://www.redhat.com/security/data/cve/CVE-2012-0818.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.1.2 https://bugzilla.redhat.com/show_bug.cgi?id=785631 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFP9e5gXlSAg2UNWIIRAhJrAKCrZ5iufDsVwwtMWuuiL5euLjNdLACgtKF1 XRo8ZXPB4zS+/MMp0N5HGy8= =6SXw -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Jul 5 19:44:02 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 5 Jul 2012 19:44:02 +0000 Subject: [RHSA-2012:1057-01] Moderate: resteasy security update Message-ID: <201207051944.q65Ji4j8027043@int-mx12.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: resteasy security update Advisory ID: RHSA-2012:1057-01 Product: JBoss Enterprise Web Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1057.html Issue date: 2012-07-05 CVE Names: CVE-2012-0818 ===================================================================== 1. Summary: An update for JBoss Enterprise Web Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: RESTEasy provides various frameworks to help you build RESTful web services and RESTful Java applications. It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. (CVE-2012-0818) Note: The fix for CVE-2012-0818 is not enabled by default. This update adds a new configuration option to disable entity expansion in RESTEasy. If applications on your server expose RESTEasy XML endpoints, a resteasy.document.expand.entity.references configuration snippet must be added to their web.xml file to disable entity expansion in RESTEasy. Refer to Red Hat Bugzilla bug 785631 for details. Warning: Before applying this update, back up your JBoss Enterprise Web Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any other customized configuration files. All users of JBoss Enterprise Web Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). The JBoss server process must be restarted for this update to take effect. 4. Bugs fixed (http://bugzilla.redhat.com/): 785631 - CVE-2012-0818 RESTEasy: XML eXternal Entity (XXE) flaw 5. References: https://www.redhat.com/security/data/cve/CVE-2012-0818.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.1.2 https://bugzilla.redhat.com/show_bug.cgi?id=785631 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFP9e53XlSAg2UNWIIRAi2VAKCy7baEBtSs6jOWnIiWiS37DrZWtACffV5y AdsuoutfMVcuOdQB0VoaVz8= =b00Z -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Jul 5 19:44:30 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 5 Jul 2012 19:44:30 +0000 Subject: [RHSA-2012:1058-01] Moderate: resteasy security update Message-ID: <201207051944.q65JiW50015545@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: resteasy security update Advisory ID: RHSA-2012:1058-01 Product: JBoss Enterprise Web Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1058.html Issue date: 2012-07-05 CVE Names: CVE-2012-0818 ===================================================================== 1. Summary: Updated resteasy packages that fix one security issue are now available for JBoss Enterprise Web Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: JBoss Enterprise Web Platform 5 for RHEL 4 AS - noarch JBoss Enterprise Web Platform 5 for RHEL 4 ES - noarch JBoss Enterprise Web Platform 5 for RHEL 5 Server - noarch JBoss Enterprise Web Platform 5 for RHEL 6 Server - noarch 3. Description: RESTEasy provides various frameworks to help you build RESTful web services and RESTful Java applications. It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. (CVE-2012-0818) Note: The fix for CVE-2012-0818 is not enabled by default. This update adds a new configuration option to disable entity expansion in RESTEasy. If applications on your server expose RESTEasy XML endpoints, a resteasy.document.expand.entity.references configuration snippet must be added to their web.xml file to disable entity expansion in RESTEasy. Refer to Red Hat Bugzilla bug 785631 for details. Warning: Before applying this update, back up your JBoss Enterprise Web Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any other customized configuration files. Users of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux 4, 5, and 6 should upgrade to these updated packages, which correct this issue. The JBoss server process must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 785631 - CVE-2012-0818 RESTEasy: XML eXternal Entity (XXE) flaw 6. Package List: JBoss Enterprise Web Platform 5 for RHEL 4 AS: Source: resteasy-1.2.1-10.CP02_patch01.1.ep5.el4.src.rpm noarch: resteasy-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-examples-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-javadoc-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-manual-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm JBoss Enterprise Web Platform 5 for RHEL 4 ES: Source: resteasy-1.2.1-10.CP02_patch01.1.ep5.el4.src.rpm noarch: resteasy-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-examples-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-javadoc-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-manual-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm JBoss Enterprise Web Platform 5 for RHEL 5 Server: Source: resteasy-1.2.1-10.CP02_patch01.1.ep5.el5.src.rpm noarch: resteasy-1.2.1-10.CP02_patch01.1.ep5.el5.noarch.rpm resteasy-examples-1.2.1-10.CP02_patch01.1.ep5.el5.noarch.rpm resteasy-javadoc-1.2.1-10.CP02_patch01.1.ep5.el5.noarch.rpm resteasy-manual-1.2.1-10.CP02_patch01.1.ep5.el5.noarch.rpm JBoss Enterprise Web Platform 5 for RHEL 6 Server: Source: resteasy-1.2.1-10.CP02_patch01.1.ep5.el6.src.rpm noarch: resteasy-1.2.1-10.CP02_patch01.1.ep5.el6.noarch.rpm resteasy-examples-1.2.1-10.CP02_patch01.1.ep5.el6.noarch.rpm resteasy-javadoc-1.2.1-10.CP02_patch01.1.ep5.el6.noarch.rpm resteasy-manual-1.2.1-10.CP02_patch01.1.ep5.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0818.html https://access.redhat.com/security/updates/classification/#moderate https://bugzilla.redhat.com/show_bug.cgi?id=785631 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFP9e6QXlSAg2UNWIIRAl0kAKCfXuM73OusPSglS9/qnmON1fM1CgCfRJgK P2nynWwEhWqy2D0fB7l30x4= =C5iI -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Jul 5 19:44:59 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 5 Jul 2012 19:44:59 +0000 Subject: [RHSA-2012:1059-01] Moderate: resteasy security update Message-ID: <201207051944.q65Jix2X015635@int-mx02.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: resteasy security update Advisory ID: RHSA-2012:1059-01 Product: JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1059.html Issue date: 2012-07-05 CVE Names: CVE-2012-0818 ===================================================================== 1. Summary: Updated resteasy packages that fix one security issue are now available for JBoss Enterprise Application Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch 3. Description: RESTEasy provides various frameworks to help you build RESTful web services and RESTful Java applications. It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. (CVE-2012-0818) Note: The fix for CVE-2012-0818 is not enabled by default. This update adds a new configuration option to disable entity expansion in RESTEasy. If applications on your server expose RESTEasy XML endpoints, a resteasy.document.expand.entity.references configuration snippet must be added to their web.xml file to disable entity expansion in RESTEasy. Refer to Red Hat Bugzilla bug 785631 for details. Warning: Before applying this update, back up your JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along with all other customized configuration files. Users of JBoss Enterprise Application Platform 5.1.2 on Red Hat Enterprise Linux 4, 5, and 6 should upgrade to these updated packages, which correct this issue. The JBoss server process must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 785631 - CVE-2012-0818 RESTEasy: XML eXternal Entity (XXE) flaw 6. Package List: JBoss Enterprise Application Platform 5 for RHEL 4 AS: Source: ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/resteasy-1.2.1-10.CP02_patch01.1.ep5.el4.src.rpm noarch: resteasy-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-examples-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-javadoc-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-manual-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm JBoss Enterprise Application Platform 5 for RHEL 4 ES: Source: ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/resteasy-1.2.1-10.CP02_patch01.1.ep5.el4.src.rpm noarch: resteasy-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-examples-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-javadoc-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm resteasy-manual-1.2.1-10.CP02_patch01.1.ep5.el4.noarch.rpm JBoss Enterprise Application Platform 5 for RHEL 5 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/resteasy-1.2.1-10.CP02_patch01.1.ep5.el5.src.rpm noarch: resteasy-1.2.1-10.CP02_patch01.1.ep5.el5.noarch.rpm resteasy-examples-1.2.1-10.CP02_patch01.1.ep5.el5.noarch.rpm resteasy-javadoc-1.2.1-10.CP02_patch01.1.ep5.el5.noarch.rpm resteasy-manual-1.2.1-10.CP02_patch01.1.ep5.el5.noarch.rpm JBoss Enterprise Application Platform 5 for RHEL 6 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/resteasy-1.2.1-10.CP02_patch01.1.ep5.el6.src.rpm noarch: resteasy-1.2.1-10.CP02_patch01.1.ep5.el6.noarch.rpm resteasy-examples-1.2.1-10.CP02_patch01.1.ep5.el6.noarch.rpm resteasy-javadoc-1.2.1-10.CP02_patch01.1.ep5.el6.noarch.rpm resteasy-manual-1.2.1-10.CP02_patch01.1.ep5.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0818.html https://access.redhat.com/security/updates/classification/#moderate https://bugzilla.redhat.com/show_bug.cgi?id=785631 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFP9e6sXlSAg2UNWIIRAj8VAKCKk+Z3Aw1wVUOOXkn8hwnJ1LYupQCfREXy YNsngvPnB//q18YsIf9z02A= =1QTN -----END PGP SIGNATURE----- From bugzilla at redhat.com Thu Jul 12 17:26:44 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Thu, 12 Jul 2012 17:26:44 +0000 Subject: [RHSA-2012:1072-01] Low: jbosscache security update Message-ID: <201207121726.q6CHQjwM015971@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: jbosscache security update Advisory ID: RHSA-2012:1072-01 Product: JBoss Enterprise Web Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1072.html Issue date: 2012-07-12 CVE Names: CVE-2012-0034 ===================================================================== 1. Summary: An update for JBoss Enterprise Web Platform 5.1.2 that fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: JBoss Cache is the clustering backbone for data distribution in JBoss Enterprise Web Platform. It provides the backing implementation for web session replication, stateful session bean replication and entity caching. It was found that NonManagedConnectionFactory would log the username and password in plain text when an exception was thrown. This could lead to the exposure of authentication credentials if local users had permissions to read the log file. (CVE-2012-0034) Warning: Before applying this update, back up your existing JBoss Enterprise Web Platform's "jboss-as-web/server/production/lib/jbosscache-core.jar" file. All users of JBoss Enterprise Web Platform 5.1.2 as provided from the Red Hat Customer Portal are advised to install this update. Refer to the Solution section for installation information. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). To apply this update: 1) Before applying this update, back up your existing JBoss Enterprise Web Platform's "jboss-as-web/server/production/lib/jbosscache-core.jar" file. 2) Download the update. 3) Rename the jbosscache-core-JBPAPP-7852-signed.jar file provided by the ZIP file to jbosscache-core.jar, and then copy it to the "jboss-as-web/server/production/lib/" directory, overwriting the old jbosscache-core.jar. 4) Restart the JBoss server process. 4. Bugs fixed (http://bugzilla.redhat.com/): 772835 - CVE-2012-0034 JBoss Cache: NonManagedConnectionFactory will log password in clear text when an exception occurs 5. References: https://www.redhat.com/security/data/cve/CVE-2012-0034.html https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=11063&product=enterpriseweb.platform&version=5.1.2&downloadType=securityPatches 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFP/wi5XlSAg2UNWIIRAqsPAJkBf9Wh9Af6kcOhd329Rp1IeCImmgCeMPhb Eb7MZ72ZQqThf8ahF3526X0= =FpJ3 -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Jul 23 17:59:15 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 23 Jul 2012 17:59:15 +0000 Subject: [RHSA-2012:1109-01] Important: jbossas security update Message-ID: <201207231759.q6NHxGgG011882@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: jbossas security update Advisory ID: RHSA-2012:1109-01 Product: JBoss Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1109.html Issue date: 2012-07-23 CVE Names: CVE-2011-4605 ===================================================================== 1. Summary: An update for JBoss Enterprise Portal Platform 4.3 CP07 that fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: JBoss Application Server is the base package for JBoss Enterprise Portal Platform, providing the core server components. The Java Naming and Directory Interface (JNDI) Java API allows Java software clients to locate objects or services in an application server. It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605) Red Hat would like to thank Christian Schl?ter (VIADA) for reporting this issue. Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files. All users of JBoss Enterprise Portal Platform 4.3 CP07 as provided from the Red Hat Customer Portal are advised to install this update. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files. The JBoss server process must be restarted for this update to take effect. 4. Bugs fixed (http://bugzilla.redhat.com/): 766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default 5. References: https://www.redhat.com/security/data/cve/CVE-2011-4605.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=4.3+CP07 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQDZDZXlSAg2UNWIIRAo+6AJ44koxMr+X4lvXSxMgaowDTCx/DywCgjQ3e k3Yat1Y6nMvXk9RvGdQMBNM= =lvn4 -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Jul 31 14:35:07 2012 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 31 Jul 2012 14:35:07 +0000 Subject: [RHSA-2012:1125-01] Important: JBoss Enterprise SOA Platform 5.3.0 update Message-ID: <201207311435.q6VEZ9Ue028161@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise SOA Platform 5.3.0 update Advisory ID: RHSA-2012:1125-01 Product: JBoss Enterprise Middleware Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1125.html Issue date: 2012-07-31 CVE Names: CVE-2011-3506 CVE-2011-3517 CVE-2011-4605 CVE-2011-4838 CVE-2012-0079 CVE-2012-0818 CVE-2012-2377 ===================================================================== 1. Summary: JBoss Enterprise SOA Platform 5.3.0, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure. This release of JBoss Enterprise SOA Platform 5.3.0 serves as a replacement for JBoss Enterprise SOA Platform 5.2.0. It includes various bug fixes and enhancements which are detailed in the JBoss Enterprise SOA Platform 5.3.0 Release Notes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/ The following security issues are also fixed with this release: It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605) A denial of service flaw was found in the implementation of associative arrays (hashes) in JRuby. An attacker able to supply a large number of inputs to a JRuby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2011-4838) Note: JBoss Enterprise SOA Platform only provides JRuby as a dependency of the scripting_chain quickstart example application. The CVE-2011-4838 flaw is not exposed unless the version of JRuby shipped with that quickstart is used by a deployed, custom application. It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. The fix for this issue is not enabled by default. Refer to the Solution section for details. (CVE-2012-0818) Multiple flaws were found in the Oracle OpenSSO authentication and administration components. A remote attacker could use these flaws to affect the integrity and availability of a service that uses Oracle OpenSSO. (CVE-2011-3506, CVE-2011-3517, CVE-2012-0079) Note: JBoss Enterprise SOA Platform only provides Oracle OpenSSO as part of the opensso quickstart example application. The CVE-2011-3506, CVE-2011-3517, and CVE-2012-0079 flaws are not exposed unless the opensso quickstart example application is deployed, or you have created and deployed a custom application that is packaged with a copy of Oracle OpenSSO as provided by the opensso quickstart. The opensso quickstart has been removed in this release to address these flaws. Users interested in continuing to receive updates for their custom applications using Oracle OpenSSO are advised to contact Oracle as Red Hat is no longer supporting OpenSSO. When a JGroups channel is started, the JGroups diagnostics service would be enabled by default with no authentication. This service is exposed via IP multicast. An attacker on an adjacent network could exploit this flaw to read diagnostics information. (CVE-2012-2377) Red Hat would like to thank Christian Schl?ter (VIADA) for reporting CVE-2011-4605, and oCERT for reporting CVE-2011-4838. oCERT acknowledges Julian W?lde and Alexander Klink as the original reporters of CVE-2011-4838. Warning: Before installing version 5.3.0, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on). 3. Solution: All users of JBoss Enterprise SOA Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Enterprise SOA Platform 5.3.0. The References section of this erratum contains a download link (you must log in to download the new version). Before installing version 5.3.0, back up your existing JBoss Enterprise SOA Platform installation (including its databases, applications, configuration files, and so on). The fix for CVE-2012-0818 is not enabled by default. This update adds a new configuration option to disable entity expansion in RESTEasy. If applications on your server expose RESTEasy XML endpoints, a resteasy.document.expand.entity.references configuration snippet must be added to their web.xml file to disable entity expansion in RESTEasy. Refer to Red Hat Bugzilla bug 785631 for details. 4. Bugs fixed (http://bugzilla.redhat.com/): 749078 - CVE-2011-3506 Oracle OpenSSO: unspecified vulnerability in the authentication component 749079 - CVE-2011-3517 Oracle OpenSSO: unspecified vulnerability in the authentication component 766469 - CVE-2011-4605 JNDI: unauthenticated remote write access is permitted by default 770820 - CVE-2011-4838 jruby: hash table collisions DoS (oCERT-2011-003) 783898 - CVE-2012-0079 OpenSSO: Unspecified vulnerability allows remote attackers to affect integrity via unknown vectors 785631 - CVE-2012-0818 RESTEasy: XML eXternal Entity (XXE) flaw 823392 - CVE-2012-2377 JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started 5. References: https://www.redhat.com/security/data/cve/CVE-2011-3506.html https://www.redhat.com/security/data/cve/CVE-2011-3517.html https://www.redhat.com/security/data/cve/CVE-2011-4605.html https://www.redhat.com/security/data/cve/CVE-2011-4838.html https://www.redhat.com/security/data/cve/CVE-2012-0079.html https://www.redhat.com/security/data/cve/CVE-2012-0818.html https://www.redhat.com/security/data/cve/CVE-2012-2377.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=distributions http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html https://bugzilla.redhat.com/show_bug.cgi?id=785631 https://access.redhat.com/knowledge/docs/ 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFQF+z+XlSAg2UNWIIRAu0QAJ0VvHl1qMIEROn4fYZn8w68cxUtYQCcDm7N oJSh3P9hyFtyzj+JkX2vKZk= =dqG/ -----END PGP SIGNATURE-----