From bugzilla at redhat.com Mon Aug 5 16:20:48 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 5 Aug 2013 16:20:48 +0000
Subject: [RHSA-2013:1133-01] Moderate: httpd security update
Message-ID: <201308051620.r75GKmuF014783@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd security update
Advisory ID:       RHSA-2013:1133-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1133.html
Issue date:        2013-08-05
CVE Names:         CVE-2013-1862 CVE-2013-1896
=====================================================================

1. Summary:

Updated httpd packages that fix two security issues are now available for Red Hat JBoss Web Server 2.0.1 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 2 for RHEL 5 Server - i386, x86_64
Red Hat JBoss Web Server 2 for RHEL 6 Server - i386, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

A flaw was found in the way the mod_dav module of the Apache HTTP Server handled merge requests. An attacker could use this flaw to send a crafted merge request that contains URIs that are not configured for DAV, causing the httpd child process to crash. (CVE-2013-1896)

It was found that mod_rewrite did not filter terminal escape sequences from its log file.
If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user. (CVE-2013-1862)

Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

All users of Red Hat JBoss Web Server 2.0.1 should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, users must restart the httpd service for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

953729 - CVE-2013-1862 httpd: mod_rewrite allows terminal escape sequences to be written to the log file
983549 - CVE-2013-1896 httpd: mod_dav DoS (httpd child process crash) via a URI MERGE request with source URI not handled by mod_dav
6. Package List:

Red Hat JBoss Web Server 2 for RHEL 5 Server:

Source:
httpd-2.2.22-25.ep6.el5.src.rpm

i386:
httpd-2.2.22-25.ep6.el5.i386.rpm
httpd-debuginfo-2.2.22-25.ep6.el5.i386.rpm
httpd-devel-2.2.22-25.ep6.el5.i386.rpm
httpd-manual-2.2.22-25.ep6.el5.i386.rpm
httpd-tools-2.2.22-25.ep6.el5.i386.rpm
mod_ssl-2.2.22-25.ep6.el5.i386.rpm

x86_64:
httpd-2.2.22-25.ep6.el5.x86_64.rpm
httpd-debuginfo-2.2.22-25.ep6.el5.x86_64.rpm
httpd-devel-2.2.22-25.ep6.el5.x86_64.rpm
httpd-manual-2.2.22-25.ep6.el5.x86_64.rpm
httpd-tools-2.2.22-25.ep6.el5.x86_64.rpm
mod_ssl-2.2.22-25.ep6.el5.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 6 Server:

Source:
httpd-2.2.22-25.ep6.el6.src.rpm

i386:
httpd-2.2.22-25.ep6.el6.i386.rpm
httpd-debuginfo-2.2.22-25.ep6.el6.i386.rpm
httpd-devel-2.2.22-25.ep6.el6.i386.rpm
httpd-manual-2.2.22-25.ep6.el6.i386.rpm
httpd-tools-2.2.22-25.ep6.el6.i386.rpm
mod_ssl-2.2.22-25.ep6.el6.i386.rpm

x86_64:
httpd-2.2.22-25.ep6.el6.x86_64.rpm
httpd-debuginfo-2.2.22-25.ep6.el6.x86_64.rpm
httpd-devel-2.2.22-25.ep6.el6.x86_64.rpm
httpd-manual-2.2.22-25.ep6.el6.x86_64.rpm
httpd-tools-2.2.22-25.ep6.el6.x86_64.rpm
mod_ssl-2.2.22-25.ep6.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package
7. References:

https://www.redhat.com/security/data/cve/CVE-2013-1862.html
https://www.redhat.com/security/data/cve/CVE-2013-1896.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR/9C/XlSAg2UNWIIRAkDcAKC66V0v9gh6PkNg93fXl6CUES3CVwCgr6zJ
dtGnQS1zwKlK7HCeIs+wsrc=
=N7Wc
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Aug 5 16:21:30 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 5 Aug 2013 16:21:30 +0000
Subject: [RHSA-2013:1134-01] Moderate: httpd security update
Message-ID: <201308051621.r75GLV30015399@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd security update
Advisory ID:       RHSA-2013:1134-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1134.html
Issue date:        2013-08-05
CVE Names:         CVE-2013-1862 CVE-2013-1896
=====================================================================

1. Summary:

An update for the Apache HTTP Server component of Red Hat JBoss Web Server 2.0.1 that fixes two security issues is now available from the Red Hat Customer Portal for Red Hat Enterprise Linux 5 and 6, Solaris, and Microsoft Windows.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications.
It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

A flaw was found in the way the mod_dav module of the Apache HTTP Server handled merge requests. An attacker could use this flaw to send a crafted merge request that contains URIs that are not configured for DAV, causing the httpd child process to crash. (CVE-2013-1896)

It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user. (CVE-2013-1862)

Note: CVE-2013-1862 affects mod_rewrite. In the process of testing this patch, it was found that enabling mod_rewrite on 64-bit versions of Windows Server 2008 and Windows Server 2008 R2 running Red Hat JBoss Web Server 2.0.1 could cause an httpd thread to crash, and the httpd process to restart. This bug is present in the GA release of Red Hat JBoss Web Server 2.0.1, and is not a regression introduced by this patch. This bug may be resolved in a future update to JBoss Web Server 2.

Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

All users of Red Hat JBoss Web Server 2.0.1 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

The Apache HTTP Server must be restarted for this update to take effect.
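A reading-side check for the CVE-2013-1862 issue described in section 2 above, added here as an example that is not httpd's or Red Hat's code: it flags RewriteLog lines that carry terminal escape sequences and renders such lines with every non-printable byte shown as a visible \xNN token, so a log written by an unpatched server can be inspected without passing the injected bytes to a terminal emulator. The log lines are constructed, and the \xNN convention is this example's own choice.

```python
"""Flag and neutralise terminal escape sequences in mod_rewrite log lines.

Added example for the CVE-2013-1862 description; this is not httpd or Red
Hat code. It works on the reading side of a RewriteLog, so output from an
unpatched server can still be reviewed safely.
"""
import re

# Bytes that may reach a terminal unchanged: printable ASCII plus TAB.
SAFE_BYTES = set(range(0x20, 0x7F)) | {0x09}

# ESC followed by a CSI sequence (ESC [ params intermediates final), an OSC
# sequence (ESC ] ... terminated by BEL or ESC \), or any other single byte
# (two-character escapes such as ESC c). These are the forms a terminal
# emulator acts on; matching the full sequence gives readable findings.
ESCAPE_SEQUENCE = re.compile(
    rb"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|.)",
    re.DOTALL,
)


def find_escape_sequences(line: bytes) -> list:
    """Return every terminal escape sequence found in one raw log line."""
    return [m.group(0).decode("latin-1") for m in ESCAPE_SEQUENCE.finditer(line)]


def escape_logitem(line: bytes) -> str:
    """Render a raw log line as printable text.

    Every byte outside SAFE_BYTES becomes a visible \\xNN token, and a literal
    backslash becomes \\\\ so that request data cannot forge such a token.
    (Escaping convention chosen for this example.)
    """
    out = []
    for b in line:
        if b == 0x5C:                 # backslash: keep the \xNN form unambiguous
            out.append("\\\\")
        elif b in SAFE_BYTES:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def audit(lines) -> list:
    """Return (1-based line number, escape sequences) for each tainted line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        seqs = find_escape_sequences(line)
        if seqs:
            findings.append((number, seqs))
    return findings


# Constructed RewriteLog lines in the Apache 2.2 format. The second request
# URI carries an OSC title-setting sequence and a CSI clear-screen sequence,
# which an unpatched mod_rewrite would write to the log verbatim.
SAMPLE_LOG = [
    b"192.0.2.10 - - [05/Aug/2013:10:00:01 +0000] [www.example.com/sid#7f3a]"
    b"[rid#7f3b/initial] (2) init rewrite engine with requested uri /index.html",
    b"192.0.2.77 - - [05/Aug/2013:10:00:02 +0000] [www.example.com/sid#7f3a]"
    b"[rid#7f3c/initial] (2) init rewrite engine with requested uri "
    b"/\x1b]0;owned\x07\x1b[2J/index.html",
]

if __name__ == "__main__":
    for number, seqs in audit(SAMPLE_LOG):
        print(f"line {number}: {len(seqs)} escape sequence(s) found")
    for line in SAMPLE_LOG:
        print(escape_logitem(line))
```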
4. Bugs fixed (http://bugzilla.redhat.com/):

953729 - CVE-2013-1862 httpd: mod_rewrite allows terminal escape sequences to be written to the log file
983549 - CVE-2013-1896 httpd: mod_dav DoS (httpd child process crash) via a URI MERGE request with source URI not handled by mod_dav

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-1862.html
https://www.redhat.com/security/data/cve/CVE-2013-1896.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.0.1

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFR/9D3XlSAg2UNWIIRAj9VAKCZ/9xHqfUpEYR5bk/DKG2t+Q5nYACeLRyd
saDTOXUt102n6Ag8GJepTag=
=0rne
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 7 18:18:43 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 7 Aug 2013 18:18:43 +0000
Subject: [RHSA-2013:1143-01] Important: JBoss Web Services security update
Message-ID: <201308071818.r77IIhOP008680@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Web Services security update
Advisory ID:       RHSA-2013:1143-01
Product:           Red Hat JBoss Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1143.html
Issue date:        2013-08-07
CVE Names:         CVE-2012-5575
=====================================================================

1. Summary:

An update for the JBoss Web Services component in Red Hat JBoss SOA Platform 4.3 CP05 and Red Hat JBoss Portal 4.3 CP07 which fixes one security issue is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss Portal is the open source implementation of the Java EE suite of services and Portal services running atop Red Hat JBoss Enterprise Application Platform.

XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys. This issue only affected the JBoss Web Services Native (jbossws-native) stack as Red Hat JBoss SOA Platform 4 and Red Hat JBoss Portal 4 do not use JBoss Web Services CXF (jbossws-cxf). (CVE-2012-5575)

For jbossws-native, the fix for CVE-2012-5575 is implemented by two new configuration parameters in the 'encryption' element. This element can be a child of 'requires' in both client and server wsse configuration descriptors (set on a per-application basis via the application's jboss-wsse-server.xml and jboss-wsse-client.xml files). The new attributes are 'algorithms' and 'keyWrapAlgorithms'. These attributes should contain a blank space or comma separated list of algorithm IDs that are allowed for the encrypted incoming message, both for encryption and private key wrapping. For backwards compatibility, no algorithm checks are performed by default for empty lists or missing attributes.
For example (do not include the line break in your configuration):

<encryption algorithms="aes-192-gcm aes-256-gcm"
 keyWrapAlgorithms="rsa_oaep"/>

This specifies that incoming messages are required to be encrypted, and that the only permitted encryption algorithms are AES-192 and 256 in GCM mode, and RSA-OAEP only for key wrapping. Before performing any decryption, the jbossws-native stack will verify that each algorithm specified in the incoming messages is included in the allowed algorithms lists from these new encryption element attributes. The algorithm values to be used for 'algorithms' and 'keyWrapAlgorithms' are the same as for 'algorithm' and 'keyWrapAlgorithm' in the 'encrypt' element.

After applying this update, an "org.xml.sax.SAXParseException: DOCTYPE is disallowed..." error may occur when using transactions. To work around this issue, add -Dorg.jboss.ws.enable_doctype_decl=true to the application server's run parameters.

Also, for users of Red Hat JBoss SOA Platform 4.3 CP05, after installing this update, ensure any @BindingType annotations in your deployed applications are updated to be applied to the relevant service implementations rather than the interfaces.

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575.

Warning: Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.

All users of Red Hat JBoss SOA Platform 4.3 CP05 and Red Hat JBoss Portal 4.3 CP07 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains download links (you must log in to download the update).

Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.
For both Red Hat JBoss SOA Platform and Red Hat JBoss Portal, it is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

After applying this update, an "org.xml.sax.SAXParseException: DOCTYPE is disallowed..." error may occur when using transactions. To work around this issue, add -Dorg.jboss.ws.enable_doctype_decl=true to the application server's run parameters.

Also, for users of Red Hat JBoss SOA Platform 4.3 CP05, after installing this update, ensure any @BindingType annotations in your deployed applications are updated to be applied to the relevant service implementations rather than the interfaces.

4. Bugs fixed (http://bugzilla.redhat.com/):

880443 - CVE-2012-5575 jbossws-native, jbossws-cxf, apache-cxf: XML encryption backwards compatibility attacks

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5575.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=4.3.0.GA_CP05
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=4.3+CP07
http://cxf.apache.org/cve-2012-5575.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
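The algorithm allowlist that section 2 of this advisory describes, worked through as an added example that is not jbossws-native or Red Hat code: it reads the EncryptionMethod algorithms an incoming WS-Security message names and accepts or rejects the message against the 'algorithms' and 'keyWrapAlgorithms' lists before any decryption, with an empty or missing list meaning no check, as the advisory states. The SOAP messages are constructed, and the mapping from the advisory's short IDs to XML Encryption URIs (together with the 'rsa_15' and 'aes-128-cbc' IDs used here for the legacy algorithms) is this example's assumption.

```python
"""Allowlist check for XML Encryption algorithms in an incoming WS-Security message.

Added example for the 'algorithms' / 'keyWrapAlgorithms' attributes that
RHSA-2013:1143 describes for the jbossws-native 'encryption' element
(CVE-2012-5575). This is not jbossws-native code; it reimplements the check
the advisory describes over a constructed SOAP message. The short IDs are
the ones the advisory shows; their mapping to URIs, and the 'rsa_15' and
'aes-128-cbc' IDs for the legacy algorithms, are assumptions of this example.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

# Assumed ID -> URI table (standard XML Encryption 1.0 / 1.1 identifiers).
ALGORITHM_URIS = {
    "aes-128-cbc": XENC + "aes128-cbc",
    "aes-192-cbc": XENC + "aes192-cbc",
    "aes-256-cbc": XENC + "aes256-cbc",
    "aes-128-gcm": XENC11 + "aes128-gcm",
    "aes-192-gcm": XENC11 + "aes192-gcm",
    "aes-256-gcm": XENC11 + "aes256-gcm",
    "rsa_15": XENC + "rsa-1_5",
    "rsa_oaep": XENC + "rsa-oaep-mgf1p",
}


def parse_id_list(value):
    """Turn a blank- or comma-separated ID list into a set of allowed URIs.

    An empty or missing list returns None, which the advisory defines as
    'no check' for backwards compatibility. An unknown ID is a configuration
    error and is rejected rather than silently ignored.
    """
    if value is None or not value.strip():
        return None
    ids = value.replace(",", " ").split()
    unknown = [i for i in ids if i not in ALGORITHM_URIS]
    if unknown:
        raise ValueError(f"unknown algorithm id(s): {unknown}")
    return {ALGORITHM_URIS[i] for i in ids}


def message_algorithms(soap_xml):
    """Collect the key-wrap and data-encryption algorithm URIs the message names."""
    root = ET.fromstring(soap_xml)

    def methods(tag):
        return [m.get("Algorithm") for e in root.iter(f"{{{XENC}}}{tag}")
                for m in e.findall(f"{{{XENC}}}EncryptionMethod")]

    return methods("EncryptedKey"), methods("EncryptedData")


def check_message(soap_xml, algorithms, key_wrap_algorithms):
    """Return (accepted, reason); meant to run before any decryption is attempted."""
    allowed_data = parse_id_list(algorithms)
    allowed_wrap = parse_id_list(key_wrap_algorithms)
    wrap_used, data_used = message_algorithms(soap_xml)
    for uri in wrap_used:   # a missing Algorithm attribute (None) is rejected too
        if allowed_wrap is not None and uri not in allowed_wrap:
            return False, f"key wrap algorithm not allowed: {uri}"
    for uri in data_used:
        if allowed_data is not None and uri not in allowed_data:
            return False, f"encryption algorithm not allowed: {uri}"
    return True, "algorithms accepted"


def build_message(key_wrap_uri, data_uri):
    """Constructed minimal envelope: EncryptedKey in the header, EncryptedData in the body."""
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:xenc="{XENC}">
  <soapenv:Header><wsse:Security>
    <xenc:EncryptedKey Id="EK-1">
      <xenc:EncryptionMethod Algorithm="{key_wrap_uri}"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </wsse:Security></soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Id="ED-1" Type="{XENC}Content">
      <xenc:EncryptionMethod Algorithm="{data_uri}"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""


# One message that honours the advisory's example configuration, and one whose
# algorithm identifiers have been rewritten to name the legacy CBC and
# RSA PKCS#1 v1.5 cryptosystems that the advisory's allowlist is meant to refuse.
GOOD_MESSAGE = build_message(ALGORITHM_URIS["rsa_oaep"], ALGORITHM_URIS["aes-256-gcm"])
DOWNGRADED_MESSAGE = build_message(ALGORITHM_URIS["rsa_15"], ALGORITHM_URIS["aes-128-cbc"])

if __name__ == "__main__":
    cfg = ("aes-192-gcm aes-256-gcm", "rsa_oaep")   # the advisory's example
    print(check_message(GOOD_MESSAGE, *cfg))
    print(check_message(DOWNGRADED_MESSAGE, *cfg))
    print(check_message(DOWNGRADED_MESSAGE, "", ""))  # legacy default: no check
```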
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSAo9kXlSAg2UNWIIRAsjOAJ0T2Z+v9MaWuq6s2SrSXGU4xS5i8gCfUu4U
ZyFACDL2dyX9J9P7pgR5+f0=
=BUr2
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Aug 8 17:11:28 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 8 Aug 2013 17:11:28 +0000
Subject: [RHSA-2013:1147-01] Moderate: Red Hat JBoss SOA Platform 5.3.1 update
Message-ID: <201308081711.r78HBSoq001390@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss SOA Platform 5.3.1 update
Advisory ID:       RHSA-2013:1147-01
Product:           Red Hat JBoss Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1147.html
Issue date:        2013-08-08
CVE Names:         CVE-2012-5783 CVE-2013-0269 CVE-2013-1821
=====================================================================

1. Summary:

Red Hat JBoss SOA Platform 5.3.1 roll up patch 3, which fixes three security issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and CEP) integration methodologies to dramatically improve business process execution speed and quality.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA Platform 5.3.1. It includes various bug fixes.
The following security issues are also fixed with this release:

The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5783)

A flaw in JRuby's JSON gem allowed remote attacks by creating different types of malicious objects. For example, it could initiate a denial of service attack through resource consumption by using a JSON document to create arbitrary Ruby symbols, which were never garbage collected. It could also be exploited to create internal objects which could allow a SQL injection attack. (CVE-2013-0269)

It was discovered that JRuby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821)

Note: Red Hat JBoss SOA Platform only provides JRuby as a dependency of the scripting_chain quickstart example application. The CVE-2013-0269 and CVE-2013-1821 flaws are not exposed unless the version of JRuby shipped with that quickstart is used by a deployed, custom application.

Red Hat would like to thank Ruby on Rails upstream for reporting CVE-2013-0269. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters of CVE-2013-0269.

Warning: Before applying the update, back up your existing Red Hat JBoss SOA Platform installation (including its databases, applications, configuration files, and so on).

All users of Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.
3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss SOA Platform installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss SOA Platform server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss SOA Platform server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
909029 - CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection
914716 - CVE-2013-1821 ruby: entity expansion DoS vulnerability in REXML

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5783.html
https://www.redhat.com/security/data/cve/CVE-2013-0269.html
https://www.redhat.com/security/data/cve/CVE-2013-1821.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.3.1+GA

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSA9EwXlSAg2UNWIIRAhzrAKCHi/c/QlVAaZhaXYwTWQP/V0x35gCeK5An
ur06oB3IUj+5xhcU+/QNJao=
=+AH5
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Aug 12 18:37:28 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 12 Aug 2013 18:37:28 +0000
Subject: [RHSA-2013:1151-01] Important: Red Hat JBoss Enterprise Application Platform 6.1.0 security update
Message-ID: <201308121837.r7CIbS3E031743@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.1.0 security update
Advisory ID:       RHSA-2013:1151-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1151.html
Issue date:        2013-08-12
CVE Names:         CVE-2013-4128 CVE-2013-4213
=====================================================================

1. Summary:

Updated Red Hat JBoss Enterprise Application Platform 6.1.0 packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

A flaw was discovered in the way authenticated connections were cached on the server by remote-naming.
After a user has successfully logged in, a remote attacker could use a remoting client to log in as that user without knowing their password, allowing them to access data and perform actions with the privileges of that user. (CVE-2013-4128)

A flaw was discovered in the way connections for remote EJB invocations via the EJB client API were cached on the server. After a user has successfully logged in, a remote attacker could use an EJB client to log in as that user without knowing their password, allowing them to access data and perform actions with the privileges of that user. (CVE-2013-4213)

These issues were discovered by Wolf-Dieter Fink of the Red Hat GSS Team.

Warning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

984795 - CVE-2013-4128 JBoss remote-naming: Session fixation due improper connection caching
985359 - CVE-2013-4213 JBoss ejb-client: Session fixation due improper connection caching
6. Package List:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-client-all-7.2.0-9.Final_redhat_9.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-ejb-client-1.0.21-2.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remote-naming-1.0.6-3.Final_redhat_3.ep6.el5.src.rpm

noarch:
jboss-as-client-all-7.2.0-9.Final_redhat_9.ep6.el5.noarch.rpm
jboss-ejb-client-1.0.21-2.Final_redhat_2.ep6.el5.noarch.rpm
jboss-remote-naming-1.0.6-3.Final_redhat_3.ep6.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-client-all-7.2.0-9.Final_redhat_9.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-ejb-client-1.0.21-2.Final_redhat_2.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-remote-naming-1.0.6-3.Final_redhat_3.ep6.el6.src.rpm

noarch:
jboss-as-client-all-7.2.0-9.Final_redhat_9.ep6.el6.noarch.rpm
jboss-ejb-client-1.0.21-2.Final_redhat_2.ep6.el6.noarch.rpm
jboss-remote-naming-1.0.6-3.Final_redhat_3.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-4128.html
https://www.redhat.com/security/data/cve/CVE-2013-4213.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSCStMXlSAg2UNWIIRAl35AJ9MllOXhfW0Gipsl8r4llONunLzkgCfYY2N
q4Q16dSAKOWbVnlN6NAn6b4=
=uVrw
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Aug 12 18:37:56 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 12 Aug 2013 18:37:56 +0000
Subject: [RHSA-2013:1152-01] Important: Red Hat JBoss Enterprise Application Platform 6.1.0 security update
Message-ID: <201308121837.r7CIbvkT015996@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.1.0 security update
Advisory ID:       RHSA-2013:1152-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1152.html
Issue date:        2013-08-12
CVE Names:         CVE-2013-4128 CVE-2013-4213
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 6.1.0 that fixes two security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

A flaw was discovered in the way authenticated connections were cached on the server by remote-naming. After a user has successfully logged in, a remote attacker could use a remoting client to log in as that user without knowing their password, allowing them to access data and perform actions with the privileges of that user.
(CVE-2013-4128)

A flaw was discovered in the way connections for remote EJB invocations via the EJB client API were cached on the server. After a user has successfully logged in, a remote attacker could use an EJB client to log in as that user without knowing their password, allowing them to access data and perform actions with the privileges of that user. (CVE-2013-4213)

These issues were discovered by Wolf-Dieter Fink of the Red Hat GSS Team.

Warning: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

All users of Red Hat JBoss Enterprise Application Platform 6.1.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

984795 - CVE-2013-4128 JBoss remote-naming: Session fixation due improper connection caching
985359 - CVE-2013-4213 JBoss ejb-client: Session fixation due improper connection caching

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-4128.html
https://www.redhat.com/security/data/cve/CVE-2013-4213.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.1.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFSCStxXlSAg2UNWIIRAut6AJ9y5zGuZHzsyBBu7SMxLA1n4hn2zQCfTyUp
lzO4SXe81U5+sYj6YPKkg74=
=r0QV
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Aug 29 23:33:36 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 29 Aug 2013 23:33:36 +0000
Subject: [RHSA-2013:1185-01] Important: Red Hat JBoss Fuse 6.0.0 patch 2
Message-ID: <201308292333.r7TNXaOI003294@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse 6.0.0 patch 2
Advisory ID:       RHSA-2013:1185-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-1185.html
Issue date:        2013-08-29
CVE Names:         CVE-2013-0269 CVE-2013-1768 CVE-2013-1821 CVE-2013-2160
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.0.0 patch 2, which fixes several security issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Fuse 6.0.0, based on Apache ServiceMix, provides an integration platform.

Red Hat JBoss Fuse 6.0.0 patch 2 is an update to Red Hat JBoss Fuse 6.0.0 and includes bug fixes. Refer to the readme file included with the patch files for information about these fixes.

The following security issues are also resolved with this update:

A flaw was found in the logging performed during deserialization of the BrokerFactory class in Apache OpenJPA.
A remote attacker able to supply a serialized instance of the BrokerFactory class, which will be deserialized on a server, could use this flaw to write an executable file to the server's file system. (CVE-2013-1768) A flaw in JRuby's JSON gem allowed remote attacks by creating different types of malicious objects. For example, it could initiate a denial of service attack through resource consumption by using a JSON document to create arbitrary Ruby symbols, which were never garbage collected. It could also be exploited to create internal objects which could allow a SQL injection attack. (CVE-2013-0269) It was discovered that JRuby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821) Note: Red Hat JBoss Fuse 6.0.0 ships JRuby as part of the camel-ruby component, which allows users to define Camel routes in Ruby. The default use of JRuby in Red Hat JBoss Fuse 6.0.0 does not appear to expose either CVE-2013-0269 or CVE-2013-1821. If the version of JRuby shipped with Red Hat JBoss Fuse 6.0.0 was used to build a custom application, then these flaws could be exposed. Multiple denial of service flaws were found in the way the Apache CXF StAX parser implementation processed certain XML files. If a web service utilized the StAX parser, a remote attacker could provide a specially-crafted XML file that, when processed, would lead to excessive CPU and memory consumption. (CVE-2013-2160) Red Hat would like to thank Ruby on Rails upstream for reporting CVE-2013-0269, and Andreas Falkenberg of SEC Consult Deutschland GmbH, and Christian Mainka, Juraj Somorovsky and Joerg Schwenk of Ruhr-University Bochum for reporting CVE-2013-2160. 
Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters of CVE-2013-0269. All users of Red Hat JBoss Fuse 6.0 as provided from the Red Hat Customer Portal are advised to apply this patch. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (http://bugzilla.redhat.com/): 909029 - CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection 914716 - CVE-2013-1821 ruby: entity expansion DoS vulnerability in REXML 929197 - CVE-2013-2160 cxf, jbossws-cxf, apache-cxf: Multiple denial of service flaws in the StAX parser 984034 - CVE-2013-1768 openjpa: Remote arbitrary code execution by creating a serialized object and leveraging improperly secured server programs 5. References: https://www.redhat.com/security/data/cve/CVE-2013-0269.html https://www.redhat.com/security/data/cve/CVE-2013-1768.html https://www.redhat.com/security/data/cve/CVE-2013-1821.html https://www.redhat.com/security/data/cve/CVE-2013-2160.html https://access.redhat.com/security/updates/classification/#important https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.0.0 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFSH9ozXlSAg2UNWIIRAmRbAJ0WBNb8U1KhyttX7+rALW786Y0SJQCeKCld f3doC6a80mcQywcOq9tsEkI= =qOJi -----END PGP SIGNATURE-----
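The REXML entity expansion issue (CVE-2013-1821) described in the advisory above is the class of problem that current REXML mitigates with two process-wide limits, REXML::Security.entity_expansion_limit (number of entity expansions, default 10000) and REXML::Security.entity_expansion_text_limit (total expanded bytes, default 10240). The following Ruby example is added here and is not part of the Red Hat advisory or of any Red Hat or JRuby code; it shows how an application that reads text nodes from untrusted XML tightens those limits and turns a limit violation into a rejected document rather than runaway memory use. The method names configure_rexml_limits and safe_root_text and the sample documents are assumptions constructed for the example; the REXML::Security setters are the real API.

```ruby
require "rexml/document"

# Added example (not from the advisory): REXML's expansion limits are global,
# so they must be set once at startup, before any untrusted XML is parsed.
# The values here are deliberately tight for a demonstration; pick limits
# that fit the largest legitimate document your application expects.
def configure_rexml_limits(max_expansions: 100, max_expanded_bytes: 512)
  REXML::Security.entity_expansion_limit = max_expansions
  REXML::Security.entity_expansion_text_limit = max_expanded_bytes
end

# Parse untrusted XML and return the root element's text. REXML expands
# general entities lazily when a text node is read, so the parse and the
# read sit inside the same rescue. When either limit is exceeded REXML
# raises a RuntimeError (REXML::ParseException is a subclass), which is
# mapped to :rejected so callers never see a partially expanded string.
def safe_root_text(xml)
  doc = REXML::Document.new(xml)
  doc.root.text
rescue RuntimeError => e
  warn "rejected XML: #{e.message}"
  :rejected
end

# Constructed sample input: one small internal entity, well within limits.
BENIGN_XML = <<~XML
  <!DOCTYPE note [ <!ENTITY greeting "hello"> ]>
  <note>&greeting;</note>
XML

# Constructed sample input: three levels of nested entities that expand to
# 1000 bytes of text. Harmless in size, but above the 512-byte limit set by
# configure_rexml_limits, so REXML must refuse to expand it.
NESTED_XML = <<~XML
  <!DOCTYPE x [
    <!ENTITY a "aaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <x>&c;</x>
XML

if $PROGRAM_NAME == __FILE__
  configure_rexml_limits
  p safe_root_text(BENIGN_XML)   # "hello"
  p safe_root_text(NESTED_XML)   # :rejected
end
```

Because the limits are module-level state rather than per-parser options, a library that lowers them affects every REXML caller in the process; set them in application startup code, and treat :rejected as an input-validation failure to log and count, since a burst of rejections is a useful detection signal for this kind of traffic.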
