From bugzilla at redhat.com Mon Mar 4 21:18:25 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 4 Mar 2013 21:18:25 +0000
Subject: [RHSA-2013:0586-01] Important: jbosssx security update
Message-ID: <201303042118.r24LIPkS022070@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: jbosssx security update
Advisory ID:       RHSA-2013:0586-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0586.html
Issue date:        2013-03-04
CVE Names:         CVE-2012-5629
=====================================================================

1. Summary:

An update for JBoss Enterprise BRMS Platform 5.3.1, JBoss Enterprise Portal Platform 4.3.0 CP07 and 5.2.2, and JBoss Enterprise SOA Platform 4.2.0 CP05, and 4.3.0 CP05 which fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

JBoss Enterprise BRMS Platform is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform.

JBoss Enterprise SOA Platform is the next-generation ESB and business process automation infrastructure.

When using LDAP authentication with the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Warning: Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.

All users of JBoss Enterprise BRMS Platform 5.3.1, JBoss Enterprise Portal Platform 4.3.0 CP07 and 5.2.2, and JBoss Enterprise SOA Platform 4.2.0 CP05, and 4.3.0 CP05 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains download links (you must log in to download the update).

Before applying this update, back up your JBoss installation, including any databases, database settings, applications, configuration files, and so on.

For JBoss Enterprise BRMS Platform, JBoss Enterprise Portal Platform, and JBoss Enterprise SOA Platform, it is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

5.
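Added example (editor's code, not part of RHSA-2013:0586-01 and not JBoss code) for the CVE-2012-5629 description above. It encodes the LDAP BindRequest the login module would send (RFC 4511, BER), classifies it the way RFC 4513 section 5.1 does on the server side, and shows why the module has to refuse an empty password before binding rather than trust the server's resultCode. The DN layout, the user "alice", the password and the simulated directory are made up; the real login modules take the DN from their own configuration.

```python
"""Added example (editor's code, not JBoss or Red Hat code): what an empty
simple-bind password looks like on the wire, and why a login module has to
refuse it before binding.

RFC 4511 defines the BindRequest; RFC 4513 section 5.1 classifies a simple
bind by its name/password pair.  Everything is in-process: a minimal BER
encoder/decoder and a simulated directory.  The DN layout and the user
"alice" are made up for the demonstration.
"""

SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53  # RFC 4511 resultCode


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])                                   # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body                 # long form


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just past this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = _tlv(0x60,                                       # [APPLICATION 0] BindRequest
                _tlv(0x02, b"\x03")                         # version 3
                + _tlv(0x04, dn.encode())                   # name (LDAPDN)
                + _tlv(0x80, password.encode()))            # AuthenticationChoice simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


def decode_bind(msg: bytes):
    """Return (name, password) from an encoded simple BindRequest."""
    tag, ldapmsg, _ = _read_tlv(msg, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, _mid, pos = _read_tlv(ldapmsg, 0)
    tag, bind, _ = _read_tlv(ldapmsg, pos)
    assert tag == 0x60, "not a BindRequest"
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    assert tag == 0x80, "only the simple authentication choice is handled here"
    return name.decode(), cred.decode()


def classify_bind(name: str, password: str) -> str:
    """RFC 4513 section 5.1: which of the three simple-bind flavours is this?"""
    if not name and not password:
        return "anonymous"           # 5.1.1
    if name and not password:
        return "unauthenticated"     # 5.1.2: non-empty name, zero-length password
    return "name/password"           # 5.1.3


DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple"}  # constructed


def directory_server(msg: bytes, reject_unauthenticated: bool) -> int:
    """Simulated server: the resultCode it would put in its BindResponse."""
    name, password = decode_bind(msg)
    kind = classify_bind(name, password)
    if kind == "anonymous":
        return SUCCESS
    if kind == "unauthenticated":
        # Deployments that accept this grant an *anonymous* session but still
        # answer success; RFC 4513 5.1.2 says servers SHOULD by default fail
        # the request with unwillingToPerform instead.
        return UNWILLING_TO_PERFORM if reject_unauthenticated else SUCCESS
    return SUCCESS if DIRECTORY.get(name) == password else INVALID_CREDENTIALS


def ldap_login(username: str, password: str, allow_empty_passwords: bool, server) -> bool:
    """The login module's decision.  A module that binds with whatever it was
    given and treats resultCode success as 'authenticated' is fooled whenever
    the server accepts the unauthenticated bind."""
    if password == "" and not allow_empty_passwords:
        return False                  # refuse before anything hits the wire
    dn = f"uid={username},ou=people,dc=example,dc=com"
    return server(bind_request(1, dn, password)) == SUCCESS


if __name__ == "__main__":
    lenient = lambda m: directory_server(m, reject_unauthenticated=False)
    for allow_empty in (True, False):
        print(f"allowEmptyPasswords={allow_empty}: alice + empty password ->",
              ldap_login("alice", "", allow_empty, lenient))
```

Run stand-alone it prints True for allowEmptyPasswords=True (the pre-update default: the bind carries a zero-length password, the simulated server answers success for the unauthenticated bind, and the module takes that as a login) and False for allowEmptyPasswords=False. Two checks follow from this: confirm that every LdapLoginModule/LdapExtLoginModule entry in your login configuration carries allowEmptyPasswords=false after the update, and ask the directory team whether the server answers unauthenticated binds with success at all, since the client-side option is the only part this update changes.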
References:

https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://access.redhat.com/security/updates/classification/#important
http://tools.ietf.org/html/rfc4513
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=4.3+CP07
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.2
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=4.2.0.GA_CP05
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=soaplatform&version=4.3.0.GA_CP05

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRNQ+MXlSAg2UNWIIRAs8XAJwP2jzgF+CZsR5FEyj7Y0n0xQnV3wCfY+hg
HmyWnEEOh1jEeElyCfsHVzc=
=ePN7
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu Mar 7 19:27:39 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 7 Mar 2013 19:27:39 +0000
Subject: [RHSA-2013:0613-01] Important: JBoss Enterprise Portal Platform 5.2.2 security update
Message-ID: <201303071927.r27JRdF1010685@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Enterprise Portal Platform 5.2.2 security update
Advisory ID:       RHSA-2013:0613-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0613.html
Issue date:        2013-03-07
CVE Names:         CVE-2013-0314 CVE-2013-0315
=====================================================================

1. Summary:

An update for the GateIn Portal component in JBoss Enterprise Portal Platform 5.2.2 that fixes two security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience.

It was found that the GateIn Portal export/import gadget allowed an export ZIP to be uploaded and imported to a site without authentication. A remote attacker could use this flaw to modify the contents of a site, remove the site, or modify access controls applied to portlets in the site. (CVE-2013-0314)

It was found that the GateIn Portal export/import gadget was vulnerable to XXE (XML External Entity) attacks. If the XML provided to the import gadget contained an external XML entity, this XML entity would be resolved. A remote attacker who can access the import gadget could use this flaw to read files in the context of the user running the application server. (CVE-2013-0315)

The CVE-2013-0314 issue was discovered by Nick Scavelli of Red Hat, and CVE-2013-0315 was discovered by Arun Neelicattu and David Jorm of the Red Hat Security Response Team.

Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings.

All users of JBoss Enterprise Portal Platform 5.2.2 as provided from the Red Hat Customer Portal are advised to install this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings.

Note that it is recommended to halt the JBoss Enterprise Portal Platform server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the JBoss Enterprise Portal Platform server by starting the JBoss Application Server process.

4. Bugs fixed (http://bugzilla.redhat.com/):

913327 - CVE-2013-0314 GateIn Portal: remote unauthenticated site import
913340 - CVE-2013-0315 GateIn Portal: XML eXternal Entity (XXE) flaw in site import

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-0314.html
https://www.redhat.com/security/data/cve/CVE-2013-0315.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
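Added example (editor's code, not part of RHSA-2013:0613-01 and not GateIn code) for the CVE-2013-0315 description above. The import gadget takes a ZIP of XML descriptors; this is the XML-loading stage in isolation, once with external general entities resolved (the behaviour the advisory describes) and once with a loader that refuses any DOCTYPE and never fetches external entities. It uses only the Python standard library's expat-based SAX parser; the payload, the target file and its contents are constructed here. The missing authentication on the gadget (CVE-2013-0314) is an access-control check in front of this code and is not modelled.

```python
"""Added example (editor's code, not GateIn or Red Hat code): an XML import
that resolves external entities, beside a loader that refuses them.

Standard library only (xml.sax on top of expat).  The XXE payload, the target
file and its contents are all constructed inside this file.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Gathers all character data; with XXE the leaked file ends up in here."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts)


class ImportRejected(Exception):
    pass


class RejectDTD:
    """Lexical handler: a DOCTYPE (where entities get declared) aborts the parse."""
    def startDTD(self, name, public_id, system_id):
        raise ImportRejected(f"DOCTYPE '{name}' not allowed in import data")

    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def load_import_xml_vulnerable(data: bytes) -> str:
    """Resolves external general entities: SYSTEM "file:///..." is read and inlined."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)   # the dangerous setting
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text()


def load_import_xml_hardened(data: bytes) -> str:
    """No DTD and no external entities: the two switches that close XXE in expat."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, RejectDTD())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text()


def xxe_payload(system_id: str) -> bytes:
    """A site descriptor whose only purpose is to echo a server-side file back."""
    return (f'<?xml version="1.0"?>\n'
            f'<!DOCTYPE site [<!ENTITY leak SYSTEM "{system_id}">]>\n'
            f'<site name="intranet"><description>&leak;</description></site>').encode()


def demonstrate_leak() -> str:
    """Write a marker file, import a payload that points at it, return what leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "secret.txt")
        with open(target, "w") as f:
            f.write("TOP-SECRET: db password hunter2")      # constructed file contents
        return load_import_xml_vulnerable(xxe_payload(pathlib.Path(target).as_uri()))


def hardened_rejects(data: bytes) -> bool:
    try:
        load_import_xml_hardened(data)
    except ImportRejected:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable loader returned:", demonstrate_leak())
    print("hardened loader rejects payload:", hardened_rejects(xxe_payload("file:///etc/hostname")))
```

The vulnerable loader returns the marker file's contents inside the descriptor text, which is exactly what "read files in the context of the user running the application server" means in practice; the hardened loader stops at the DOCTYPE before any file is touched. For a Java parser the equivalent is to set the Xerces feature http://apache.org/xml/features/disallow-doctype-decl to true on the DocumentBuilderFactory (or SAXParserFactory) used for import data.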
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFROOoKXlSAg2UNWIIRAkxSAKC5GcazK49phjiSU0hcWQr+fsECOQCeL3bZ
Mv+yLLzlOmsh17aKVghs0ig=
=pWZ/
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 11 19:57:56 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 11 Mar 2013 19:57:56 +0000
Subject: [RHSA-2013:0629-01] Moderate: jbossweb security update
Message-ID: <201303111957.r2BJvuMk012380@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jbossweb security update
Advisory ID:       RHSA-2013:0629-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0629.html
Issue date:        2013-03-11
CVE Names:         CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

Updated jbossweb packages for JBoss Enterprise Application Platform 5.2.0 which fix multiple security issues are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise Application Platform. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies.

Multiple weaknesses were found in the JBoss Web DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues

6. Package List:

JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jbossweb-2.1.13-3_patch_02.ep5.el4.src.rpm

noarch:
jbossweb-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-lib-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jbossweb-2.1.13-3_patch_02.ep5.el4.src.rpm

noarch:
jbossweb-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-lib-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossweb-2.1.13-3_patch_02.ep5.el5.src.rpm

noarch:
jbossweb-2.1.13-3_patch_02.ep5.el5.noarch.rpm
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm
jbossweb-lib-2.1.13-3_patch_02.ep5.el5.noarch.rpm
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossweb-2.1.13-4_patch_02.ep5.el6.src.rpm

noarch:
jbossweb-2.1.13-4_patch_02.ep5.el6.noarch.rpm
jbossweb-el-1.0-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm
jbossweb-jsp-2.1-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm
jbossweb-lib-2.1.13-4_patch_02.ep5.el6.noarch.rpm
jbossweb-servlet-2.5-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRPjcxXlSAg2UNWIIRAtuMAJ9NsCpQT6cPMMl++dXNJYUoFCfX5QCgqTk1
rtEsOJDj4TqV9A01raib3/Y=
=QEBW
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 11 19:58:32 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 11 Mar 2013 19:58:32 +0000
Subject: [RHSA-2013:0631-01] Moderate: jbossweb security update
Message-ID: <201303111958.r2BJwXc6014380@int-mx02.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jbossweb security update
Advisory ID:       RHSA-2013:0631-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0631.html
Issue date:        2013-03-11
CVE Names:         CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

Updated jbossweb packages for JBoss Enterprise Web Platform 5.2.0 which fix multiple security issues are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2.
Relevant releases/architectures:

JBoss Enterprise Web Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Web Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Web Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Web Platform 5 for RHEL 6 Server - noarch

3. Description:

JBoss Web is a web container based on Apache Tomcat. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies.

Multiple weaknesses were found in the JBoss Web DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Warning: Before applying this update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues

6. Package List:

JBoss Enterprise Web Platform 5 for RHEL 4 AS:

Source:
jbossweb-2.1.13-3_patch_02.ep5.el4.src.rpm

noarch:
jbossweb-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-lib-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 4 ES:

Source:
jbossweb-2.1.13-3_patch_02.ep5.el4.src.rpm

noarch:
jbossweb-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-lib-2.1.13-3_patch_02.ep5.el4.noarch.rpm
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 5 Server:

Source:
jbossweb-2.1.13-3_patch_02.ep5.el5.src.rpm

noarch:
jbossweb-2.1.13-3_patch_02.ep5.el5.noarch.rpm
jbossweb-el-1.0-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm
jbossweb-jsp-2.1-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm
jbossweb-lib-2.1.13-3_patch_02.ep5.el5.noarch.rpm
jbossweb-servlet-2.5-api-2.1.13-3_patch_02.ep5.el5.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 6 Server:

Source:
jbossweb-2.1.13-4_patch_02.ep5.el6.src.rpm

noarch:
jbossweb-2.1.13-4_patch_02.ep5.el6.noarch.rpm
jbossweb-el-1.0-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm
jbossweb-jsp-2.1-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm
jbossweb-lib-2.1.13-4_patch_02.ep5.el6.noarch.rpm
jbossweb-servlet-2.5-api-2.1.13-4_patch_02.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRPjdSXlSAg2UNWIIRAteRAJ9ic5pts4Q0fDhYL1Qk2FVRKIRbhgCbBBxL
g26XdAbE1aSQPLyc1oVAqRM=
=vHk5
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 11 19:59:00 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 11 Mar 2013 19:59:00 +0000
Subject: [RHSA-2013:0632-01] Moderate: jbossweb security update
Message-ID: <201303111959.r2BJx1mi003959@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jbossweb security update
Advisory ID:       RHSA-2013:0632-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0632.html
Issue date:        2013-03-11
CVE Names:         CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.2.0 which fixes multiple security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise Application Platform. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies.

Multiple weaknesses were found in the JBoss Web DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances.
(CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD4DBQFRPjd0XlSAg2UNWIIRAo8KAJjqsO30BfkOcYQ5/Q4XaV+kQnMsAKCgFE/p
vLvSiYQ4Bhx1kl6c1SEfww==
=3u7u
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 11 19:59:56 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 11 Mar 2013 19:59:56 +0000
Subject: [RHSA-2013:0633-01] Moderate: jbossweb security update
Message-ID: <201303111959.r2BJxvov025478@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jbossweb security update
Advisory ID:       RHSA-2013:0633-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0633.html
Issue date:        2013-03-11
CVE Names:         CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

An update for JBoss Enterprise Web Platform 5.2.0 which fixes multiple security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Web is a web container based on Apache Tomcat. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies.

Multiple weaknesses were found in the JBoss Web DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Warning: Before applying this update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
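Added example (editor's code, not part of the four jbossweb advisories RHSA-2013:0629-01, 0631-01, 0632-01 and 0633-01, and not JBoss Web or Tomcat code). The advisories say only that the DIGEST implementation was weak against replay; they do not say which checks were missing, so this shows the full set a replay-resistant RFC 2617 server needs, with the client side that produces the Authorization header: a nonce bound to a timestamp by an HMAC so forged and stale nonces are refused, the nonce-count (nc) required to increase for each nonce so a captured header cannot be resent, and credentials verified before any state is recorded. Realm, user, password and key are made up.

```python
"""Added example (editor's code, not JBoss Web or Tomcat code): the replay
countermeasures a DIGEST (RFC 2617) implementation has to get right, shown
on both sides of the exchange.  Realm, user, password and key are constructed.
"""
import hashlib
import hmac
import re
import secrets
import time

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest(header: str) -> dict:
    """'Digest k="v", k2=v2, ...' -> dict, accepting quoted and unquoted values."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest challenge response")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(header[len("Digest "):])}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """What a digest realm stores instead of the password: MD5(user:realm:password)."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(user, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """Client side: the Authorization header for one request."""
    resp = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


class DigestAuthServer:
    REQUIRED = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")

    def __init__(self, realm, users, key=None, nonce_ttl=300, clock=time.time):
        self.realm, self.users = realm, users          # users: name -> HA1
        self.key = key or secrets.token_bytes(32)
        self.nonce_ttl, self.clock = nonce_ttl, clock
        self._highest_nc = {}                          # nonce -> highest nc accepted

    def new_nonce(self) -> str:
        """timestamp:random:HMAC, so a nonce can be verified without storing it."""
        body = f"{int(self.clock())}:{secrets.token_hex(8)}"
        return body + ":" + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()[:32]

    def _nonce_state(self, nonce: str) -> str:
        try:
            ts, rnd, mac = nonce.split(":")
        except ValueError:
            return "forged"
        good = hmac.new(self.key, f"{ts}:{rnd}".encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(good, mac):
            return "forged"
        return "stale" if self.clock() - int(ts) > self.nonce_ttl else "ok"

    def check(self, method: str, uri: str, header: str):
        """Return (authenticated, reason) for one request."""
        try:
            p = parse_digest(header)
        except ValueError as e:
            return False, str(e)
        if any(k not in p for k in self.REQUIRED):
            return False, "missing directive"           # RFC 2069 style, no nc/cnonce: refuse
        if p["realm"] != self.realm or p["uri"] != uri or p["qop"] != "auth":
            return False, "realm/uri/qop mismatch"
        state = self._nonce_state(p["nonce"])
        if state != "ok":
            return False, f"nonce {state}"              # stale or forged nonces never authenticate
        stored = self.users.get(p["username"])
        if stored is None:
            return False, "unknown user"
        expected = digest_response(stored, method, uri, p["nonce"], p["nc"], p["cnonce"])
        if not hmac.compare_digest(expected, p["response"]):
            return False, "bad credentials"
        nc = int(p["nc"], 16)
        if nc <= self._highest_nc.get(p["nonce"], 0):
            return False, "replay: nonce count did not increase"
        self._highest_nc[p["nonce"]] = nc              # record only after full verification
        return True, "ok"
```

Tracking the highest nc per server-issued nonce is what defeats a sniffed header: the second presentation of the same header fails even though every field in it is valid. Client nonces (cnonce) are chosen by the client and therefore cannot serve that purpose, and a nonce that passes the HMAC check but is older than the TTL must be refused even when the credentials in the request are correct; the client then gets a fresh challenge and recomputes.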
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRPjetXlSAg2UNWIIRAnN4AKC4ZvJHC8ME2ufJV3wXkETKsk/v6QCfVPsn
NsYaebyoKQfVpdgVAP/3kEY=
=yCKt
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Mar 12 19:08:07 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 12 Mar 2013 19:08:07 +0000
Subject: [RHSA-2013:0641-01] Important: tomcat5 security update
Message-ID: <201303121908.r2CJ87kR008399@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: tomcat5 security update
Advisory ID:       RHSA-2013:0641-01
Product:           JBoss Enterprise Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0641.html
Issue date:        2013-03-12
CVE Names:         CVE-2012-3546
=====================================================================

1. Summary:

Updated tomcat5 packages that fix one security issue are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Web Server 1.0 for RHEL 5 Server - noarch
JBoss Enterprise Web Server 1.0 for RHEL 6 Server - noarch

3. Description:

Apache Tomcat is a servlet container.

It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session. (CVE-2012-3546)

Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

Users of Tomcat should upgrade to these updated packages, which resolve this issue. Tomcat must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints

6. Package List:

JBoss Enterprise Web Server 1.0 for RHEL 5 Server:

Source:
tomcat5-5.5.33-31_patch_08.ep5.el5.src.rpm

noarch:
tomcat5-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-admin-webapps-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-common-lib-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-jasper-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-jasper-eclipse-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-jasper-javadoc-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-jsp-2.0-api-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-parent-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-server-lib-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-servlet-2.4-api-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.33-31_patch_08.ep5.el5.noarch.rpm
tomcat5-webapps-5.5.33-31_patch_08.ep5.el5.noarch.rpm

JBoss Enterprise Web Server 1.0 for RHEL 6 Server:

Source:
tomcat5-5.5.33-34_patch_08.ep5.el6.src.rpm

noarch:
tomcat5-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-admin-webapps-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-common-lib-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-jasper-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-jasper-eclipse-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-jasper-javadoc-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-jsp-2.0-api-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-jsp-2.0-api-javadoc-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-parent-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-server-lib-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-servlet-2.4-api-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-servlet-2.4-api-javadoc-5.5.33-34_patch_08.ep5.el6.noarch.rpm
tomcat5-webapps-5.5.33-34_patch_08.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-3546.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRP3z4XlSAg2UNWIIRAvuOAKCMnevK7OOzbpQdIzHI9Zr0mcKeVgCdG4/e ypeUIt9qgKl2Kma9nJw9qXg= =7w2V -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Mar 12 19:08:57 2013 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 12 Mar 2013 19:08:57 +0000 Subject: [RHSA-2013:0642-01] Important: tomcat5 security update Message-ID: <201303121908.r2CJ8vKB007140@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: tomcat5 security update Advisory ID: RHSA-2013:0642-01 Product: JBoss Enterprise Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0642.html Issue date: 2013-03-12 CVE Names: CVE-2012-3546 ===================================================================== 1. Summary: An update for the Apache Tomcat 5 component for JBoss Enterprise Web Server 1.0.2 that fixes one security issue is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: Apache Tomcat is a servlet container. It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session. 
(CVE-2012-3546)

Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

All users of JBoss Enterprise Web Server 1.0.2 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

Tomcat must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-3546.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
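Added detection example (the editor's, not Red Hat's or Apache Tomcat's code): the request shape the advisory above describes, a protected resource URL with "/j_security_check" appended, is visible in ordinary access logs. The script scans constructed Common Log Format lines and flags a login action whose path prefix is a protected resource, and, as a weaker signal, a login action that is not a POST (a FORM login page submits by POST). The protected prefixes, hosts and paths are assumed values, and the rule is a heuristic for triage, not proof of a bypass.

```python
"""Flag j_security_check requests that do not look like a genuine FORM login.
Editor's example for RHSA-2013:0642; log lines and paths are constructed."""
import re
from urllib.parse import urlsplit

# Constructed Common Log Format lines (hosts, paths and timestamps are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:00:01 +0000] "GET /shop/login.jsp HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2013:10:00:02 +0000] "POST /shop/j_security_check HTTP/1.1" 302 0
10.0.0.5 - - [12/Mar/2013:10:00:03 +0000] "GET /shop/admin/reports/j_security_check HTTP/1.1" 200 9031
10.0.0.7 - - [12/Mar/2013:10:00:04 +0000] "GET /shop/catalog/j_security_check?x=1 HTTP/1.1" 200 77
10.0.0.9 - - [12/Mar/2013:10:00:05 +0000] "GET /shop/admin/ HTTP/1.1" 403 0
"""

# Protected url-patterns as the deployer knows them from web.xml
# security-constraints (assumed values for this example).
PROTECTED_PREFIXES = ("/shop/admin/",)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) ')

def parse_line(line):
    """Return a dict of the interesting fields, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = urlsplit(entry["target"]).path   # drop the query string
    return entry

def suspicious_login_action(entry, protected=PROTECTED_PREFIXES):
    """Return a reason string when the request looks like the bypass shape, else None.

    A genuine FORM login is a POST to <context>/j_security_check whose prefix is
    not itself a protected resource. A login action hanging off a protected
    prefix is the advisory's shape; a 2xx status there is the strongest signal.
    """
    path = entry["path"]
    if not path.endswith("/j_security_check"):
        return None
    prefix = path[: -len("j_security_check")]        # keeps the trailing slash
    if any(prefix.startswith(p) for p in protected):
        return "login action appended to protected resource %s (status %s)" % (
            prefix, entry["status"])
    if entry["method"] != "POST":
        return "non-POST login action on %s" % path   # heuristic only
    return None

def scan(log_text):
    """Yield (client ip, path, reason) for every flagged request in the log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = suspicious_login_action(entry)
        if reason:
            findings.append((entry["ip"], entry["path"], reason))
    return findings

if __name__ == "__main__":
    for ip, path, why in scan(SAMPLE_LOG):
        print(ip, path, why)
```

Run against real logs, tune PROTECTED_PREFIXES to the application's own security-constraint patterns; hits on a protected prefix with a 200 status on an unpatched JBoss Enterprise Web Server are what to escalate.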
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRP30sXlSAg2UNWIIRAoPDAJ4l0Bq0KuAAhZ9oyXrvByneMj6kiACgjabp
1gp/LTVKoPiqHnZWfpfA2WM=
=G28K
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Mar 13 18:52:45 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 13 Mar 2013 18:52:45 +0000
Subject: [RHSA-2013:0644-01] Important: apache-cxf security update
Message-ID: <201303131852.r2DIqkIa028491@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: apache-cxf security update
Advisory ID:       RHSA-2013:0644-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0644.html
Issue date:        2013-03-13
CVE Names:         CVE-2012-5633 CVE-2013-0239
=====================================================================

1. Summary:

An updated apache-cxf package for JBoss Enterprise Application Platform 6.0.1 which fixes two security issues is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 6 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 6 for RHEL 6 Server - noarch

3. Description:

Apache CXF is an open source services framework.

It was found that the Apache CXF UsernameTokenPolicyValidator and UsernameTokenInterceptor allowed a UsernameToken element with no password child element to bypass authentication. A remote attacker could use this flaw to circumvent access controls applied to web services by omitting the password in a UsernameToken.
This flaw was exploitable on web services that rely on WS-SecurityPolicy plain text UsernameTokens to authenticate users. It was not exploitable when using hashed passwords or WS-Security without WS-SecurityPolicy. (CVE-2013-0239)

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor
905722 - CVE-2013-0239 jbossws-cxf, apache-cxf: UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate

6. Package List:

JBoss Enterprise Application Platform 6 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/apache-cxf-2.4.9-6.redhat_3.ep6.el5.src.rpm

noarch:
apache-cxf-2.4.9-6.redhat_3.ep6.el5.noarch.rpm

JBoss Enterprise Application Platform 6 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/apache-cxf-2.4.9-6.redhat_3.ep6.el6.src.rpm

noarch:
apache-cxf-2.4.9-6.redhat_3.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://www.redhat.com/security/data/cve/CVE-2013-0239.html
https://access.redhat.com/security/updates/classification/#important
http://cxf.apache.org/security-advisories.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
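Added example (the editor's code, not Apache CXF's) for the UsernameToken flaw described in this advisory and repeated in RHSA-2013:0645 and RHSA-2013:0649 below: the validation a plain-text UsernameToken needs is that a Password child exists, is of the PasswordText type, and is non-empty; any of these missing must fail authentication rather than fall through as "nothing to check". The wsse namespace and Type URIs are the OASIS ones; the SOAP security headers and the user store are constructed for the demo.

```python
"""Fail-closed validation of a WS-Security UsernameToken. Editor's example for
CVE-2013-0239 (RHSA-2013:0644/0645/0649); headers and credentials are constructed."""
import hmac
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

def security_header(token_body):
    """Wrap a UsernameToken body in a wsse:Security header (constructed sample)."""
    return ('<wsse:Security xmlns:wsse="%s"><wsse:UsernameToken>%s'
            '</wsse:UsernameToken></wsse:Security>' % (WSSE, token_body))

# Constructed samples; the username and password are made up.
VALID_TOKEN = security_header(
    ('<wsse:Username>alice</wsse:Username>'
     '<wsse:Password Type="%s">s3cret</wsse:Password>') % PASSWORD_TEXT)
NO_PASSWORD_TOKEN = security_header('<wsse:Username>alice</wsse:Username>')
EMPTY_PASSWORD_TOKEN = security_header(
    ('<wsse:Username>alice</wsse:Username>'
     '<wsse:Password Type="%s"></wsse:Password>') % PASSWORD_TEXT)
DIGEST_TOKEN = security_header(
    ('<wsse:Username>alice</wsse:Username>'
     '<wsse:Password Type="%s">AAAA</wsse:Password>') % PASSWORD_DIGEST)

# Assumed plain-text credential store standing in for a callback handler.
USERS = {"alice": "s3cret"}

def extract_plaintext_credentials(header_xml):
    """Return (username, password) for a complete plain-text token, else None.

    None is the fail-closed answer: the caller must never read it as
    "no password supplied, so nothing to verify, so authenticated".
    """
    root = ET.fromstring(header_xml)
    token = root.find("{%s}UsernameToken" % WSSE)
    if token is None:
        return None
    username = (token.findtext("{%s}Username" % WSSE) or "").strip()
    password = token.find("{%s}Password" % WSSE)
    if not username or password is None:
        return None                 # no Password child at all: the CVE-2013-0239 shape
    # The Type attribute defaults to PasswordText when absent (UsernameToken profile).
    if password.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        return None                 # digest tokens belong on the digest verification path
    secret = (password.text or "").strip()
    if not secret:
        return None                 # an empty password is not a credential
    return username, secret

def authenticate(header_xml, users=USERS):
    """True only for a complete token whose password matches the store."""
    creds = extract_plaintext_credentials(header_xml)
    if creds is None:
        return False
    username, secret = creds
    expected = users.get(username, "")
    # Constant-time comparison; an unknown user compares against "" and fails.
    return bool(expected) and hmac.compare_digest(expected, secret)
```

The same fail-closed rule applies one layer up: the decision "is this request authenticated?" must be made for every transport path, which is the point of the companion CVE-2012-5633 item, where GET requests skipped the WSS4JInInterceptor check entirely.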
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRQMroXlSAg2UNWIIRAsB2AJsEzX0IKZufsKXqoIqwxZR0hB5/CwCdEBKl
KM6vUQOZpx9vbQ0lQzIR9zs=
=mTLb
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Mar 13 18:53:08 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 13 Mar 2013 18:53:08 +0000
Subject: [RHSA-2013:0645-01] Important: apache-cxf security update
Message-ID: <201303131853.r2DIr8Cx031432@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: apache-cxf security update
Advisory ID:       RHSA-2013:0645-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0645.html
Issue date:        2013-03-13
CVE Names:         CVE-2012-5633 CVE-2013-0239
=====================================================================

1. Summary:

An update for the Apache CXF component of JBoss Enterprise Application Platform 6.0.1 which fixes two security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Apache CXF is an open source services framework.

It was found that the Apache CXF UsernameTokenPolicyValidator and UsernameTokenInterceptor allowed a UsernameToken element with no password child element to bypass authentication. A remote attacker could use this flaw to circumvent access controls applied to web services by omitting the password in a UsernameToken. This flaw was exploitable on web services that rely on WS-SecurityPolicy plain text UsernameTokens to authenticate users. It was not exploitable when using hashed passwords or WS-Security without WS-SecurityPolicy.
(CVE-2013-0239)

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks. The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

All users of JBoss Enterprise Application Platform 6.0.1 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor
905722 - CVE-2013-0239 jbossws-cxf, apache-cxf: UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://www.redhat.com/security/data/cve/CVE-2013-0239.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.0.1
http://cxf.apache.org/security-advisories.html

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRQMsEXlSAg2UNWIIRAgUQAJsESWKOn49e+/+VFp6fGm+fUusyRQCfY6fX
JNLkyVTSeDe8M9v+NvewgrE=
=sG0I
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Mar 14 16:57:23 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Mar 2013 16:57:23 +0000
Subject: [RHSA-2013:0647-01] Moderate: jbossweb security update
Message-ID: <201303141657.r2EGvNxr002285@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jbossweb security update
Advisory ID:       RHSA-2013:0647-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0647.html
Issue date:        2013-03-14
CVE Names:         CVE-2012-4431 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

Updated jbossweb packages for JBoss Enterprise Application Platform 6.0.1 that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 6 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 6 for RHEL 6 Server - noarch

3. Description:

JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise Application Platform. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies.

It was found that sending a request without a session identifier to a protected resource could bypass the Cross-Site Request Forgery (CSRF) prevention filter in JBoss Web. A remote attacker could use this flaw to perform CSRF attacks against applications that rely on the CSRF prevention filter and do not contain internal mitigation for CSRF. (CVE-2012-4431)

Multiple weaknesses were found in the JBoss Web DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat Enterprise Linux 5 and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter

6. Package List:

JBoss Enterprise Application Platform 6 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossweb-7.0.17-4.Final_redhat_3.ep6.el5.src.rpm

noarch:
jbossweb-7.0.17-4.Final_redhat_3.ep6.el5.noarch.rpm
jbossweb-lib-7.0.17-4.Final_redhat_3.ep6.el5.noarch.rpm

JBoss Enterprise Application Platform 6 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossweb-7.0.17-4.Final_redhat_3.ep6.el6.src.rpm

noarch:
jbossweb-7.0.17-4.Final_redhat_3.ep6.el6.noarch.rpm
jbossweb-lib-7.0.17-4.Final_redhat_3.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-4431.html
https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRQgFjXlSAg2UNWIIRAvUQAJ4nAtEkm/0xhk6krtplodCzQiiAdgCgmj84
lTqy4DtD/Ep1LaUZLZvatTA=
=kg7T
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Mar 14 16:57:47 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Mar 2013 16:57:47 +0000
Subject: [RHSA-2013:0648-01] Moderate: jbossweb security update
Message-ID: <201303141657.r2EGvl22002404@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jbossweb security update
Advisory ID:       RHSA-2013:0648-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0648.html
Issue date:        2013-03-14
CVE Names:         CVE-2012-4431 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 6.0.1 which fixes multiple security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise Application Platform. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies.

It was found that sending a request without a session identifier to a protected resource could bypass the Cross-Site Request Forgery (CSRF) prevention filter in JBoss Web. A remote attacker could use this flaw to perform CSRF attacks against applications that rely on the CSRF prevention filter and do not contain internal mitigation for CSRF.
(CVE-2012-4431)

Multiple weaknesses were found in the JBoss Web DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

All users of JBoss Enterprise Application Platform 6.0.1 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications.

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-4431.html
https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.0.1

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
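Added example (the editor's model, not JBoss Web's filter source) for the CSRF filter item carried by this advisory, RHSA-2013:0647 above and RHSA-2013:0665 below: a nonce-based CSRF prevention filter keeps the nonces it issued in the session, so a request that arrives without a session identifier has no nonce cache to consult. The lax version below treats that as "nothing to check" and lets the request through, which is the bypass the advisory describes; the corrected version fails closed. Sessions, requests, the entry-point list and the nonce format are all constructed for the demo.

```python
"""Fail-open versus fail-closed CSRF nonce filter. Editor's model for
CVE-2012-4431 (RHSA-2013:0647/0648/0665); requests and sessions are constructed."""
import secrets

class Session:
    """Server-side session holding the nonces issued to this client."""
    def __init__(self):
        self.id = secrets.token_hex(16)
        self.nonces = set()

class Request:
    """The fields a CSRF filter looks at; session is None when no session
    cookie was sent (the advisory's bypass shape)."""
    def __init__(self, method, path, session=None, nonce=None):
        self.method = method
        self.path = path
        self.session = session
        self.nonce = nonce

def issue_nonce(session):
    """Mint a nonce for a rendered link or form and remember it in the session."""
    nonce = secrets.token_hex(16)
    session.nonces.add(nonce)
    return nonce

# Paths a client may request without a nonce (first entry into the application).
# Assumed values; a real filter takes these from its init parameters.
ENTRY_POINTS = frozenset({"/", "/login"})

def csrf_filter_lax(req, entry_points=ENTRY_POINTS):
    """Flawed shape: no session means no cache to look in, so the request is
    waved through. A forged cross-site request simply omits the session cookie."""
    if req.path in entry_points:
        return True
    if req.session is None:
        return True                          # BUG: fail-open
    return req.nonce in req.session.nonces

def csrf_filter_strict(req, entry_points=ENTRY_POINTS):
    """Corrected: without a session there cannot be a valid nonce, so deny;
    a presented nonce must be one this session actually issued."""
    if req.path in entry_points:
        return True
    if req.session is None or req.nonce is None:
        return False                         # fail-closed
    return req.nonce in req.session.nonces

def outcomes():
    """Run both filters over a legitimate request, a forged one with no session,
    and one with a session but a wrong nonce."""
    session = Session()
    nonce = issue_nonce(session)
    legit = Request("POST", "/account/transfer", session=session, nonce=nonce)
    forged = Request("POST", "/account/transfer")              # no session cookie
    wrong = Request("POST", "/account/transfer", session=session, nonce="bogus")
    return {
        "legit_lax": csrf_filter_lax(legit),
        "legit_strict": csrf_filter_strict(legit),
        "forged_lax": csrf_filter_lax(forged),
        "forged_strict": csrf_filter_strict(forged),
        "wrong_lax": csrf_filter_lax(wrong),
        "wrong_strict": csrf_filter_strict(wrong),
    }

if __name__ == "__main__":
    for name, allowed in outcomes().items():
        print("%-14s %s" % (name, "allowed" if allowed else "denied"))
```

Note the advisory's own caveat: the filter is a generic layer, and applications that carry their own CSRF mitigation (a per-form token checked by the application) were not exposed by the bypass.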
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRQgF6XlSAg2UNWIIRAhzNAJsFD9q+momiHEBJHRqDBOMiePNQzACeNEAQ
OjVArP2OglOFy8TvHfmNC8E=
=btkz
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Mar 14 16:58:34 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Mar 2013 16:58:34 +0000
Subject: [RHSA-2013:0649-01] Important: Fuse ESB Enterprise 7.1.0 update
Message-ID: <201303141658.r2EGwZJN027095@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Fuse ESB Enterprise 7.1.0 update
Advisory ID:       RHSA-2013:0649-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0649.html
Issue date:        2013-03-14
CVE Names:         CVE-2012-5055 CVE-2012-5633 CVE-2013-0239
=====================================================================

1. Summary:

Fuse ESB Enterprise 7.1.0 Patch 3, which fixes three security issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Fuse ESB Enterprise, based on Apache ServiceMix, provides an integration platform.

This release of Fuse ESB Enterprise 7.1.0 Patch 3 is an update to Fuse ESB Enterprise 7.1.0 and includes bug fixes. Refer to the readme file included with the patch files for information about the bug fixes.

The following security issues are also fixed with this release:

If web services were deployed using Apache CXF with the WSS4JInInterceptor enabled to apply WS-Security processing, HTTP GET requests to these services were always granted access, without applying authentication checks.
The URIMappingInterceptor is a legacy mechanism for allowing REST-like access (via GET requests) to simple SOAP services. A remote attacker could use this flaw to access the REST-like interface of a simple SOAP service using GET requests that bypass the security constraints applied by WSS4JInInterceptor. This flaw was only exploitable if WSS4JInInterceptor was used to apply WS-Security processing. Services that use WS-SecurityPolicy to apply security were not affected. (CVE-2012-5633)

It was found that the Apache CXF UsernameTokenPolicyValidator and UsernameTokenInterceptor allowed a UsernameToken element with no password child element to bypass authentication. A remote attacker could use this flaw to circumvent access controls applied to web services by omitting the password in a UsernameToken. This flaw was exploitable on web services that rely on WS-SecurityPolicy plain text UsernameTokens to authenticate users. It was not exploitable when using hashed passwords or WS-Security without WS-SecurityPolicy. (CVE-2013-0239)

A flaw was found in the way the Spring Security Framework DaoAuthenticationProvider performed user authentication. A remote attacker could possibly use this flaw to determine if a username was valid or not by observing the time differences during attempted authentication. A caller to an Apache Camel route could possibly use this flaw to perform a side-channel timing attack to find valid usernames (but not their passwords). (CVE-2012-5055)

All users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat Customer Portal are advised to upgrade to Fuse ESB Enterprise 7.1.0 Patch 3.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (http://bugzilla.redhat.com/):

886031 - CVE-2012-5055 Spring Security: Ability to determine if username is valid via DaoAuthenticationProvider
889008 - CVE-2012-5633 jbossws-cxf, apache-cxf: Bypass of security constraints on WS endpoints when using WSS4JInInterceptor
905722 - CVE-2013-0239 jbossws-cxf, apache-cxf: UsernameTokenPolicyValidator and UsernameTokenInterceptor allow empty passwords to authenticate

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5055.html
https://www.redhat.com/security/data/cve/CVE-2012-5633.html
https://www.redhat.com/security/data/cve/CVE-2013-0239.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0
http://cxf.apache.org/cve-2012-5633.html
http://cxf.apache.org/cve-2013-0239.html
http://support.springsource.com/security/cve-2012-5055

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
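Added example (the editor's code, not Spring Security's) for the DaoAuthenticationProvider timing item above: an authentication path that returns early for an unknown username skips the expensive password hash, so an unknown name answers in microseconds while a known name costs a full hash run, and that difference is the username oracle. The standard fix is to run the hash against a dummy record when the user does not exist so both branches do the same work. The user store, the PBKDF2 parameters and the dummy record are constructed for the demo; the iteration count is kept low so the script runs quickly.

```python
"""Username enumeration through response time, and the uniform-work fix.
Editor's example for CVE-2012-5055 (RHSA-2013:0649); store and parameters are constructed."""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000          # deliberately low for the demo; production uses far more

def derive(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(password):
    salt = os.urandom(16)
    return salt, derive(password, salt)

# Constructed store: username -> (salt, derived key). Credentials are made up.
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record derived from a random secret; it can never match a real password.
_DUMMY = make_record(os.urandom(32).hex())

def authenticate_leaky(username, password, users=USERS):
    """Flawed shape: unknown users short-circuit before any hashing."""
    record = users.get(username)
    if record is None:
        return False                         # fast path leaks 'no such user'
    salt, expected = record
    return hmac.compare_digest(derive(password, salt), expected)

def authenticate_uniform(username, password, users=USERS):
    """Does the same work whether or not the user exists."""
    salt, expected = users.get(username, _DUMMY)
    match = hmac.compare_digest(derive(password, salt), expected)
    return match and username in users       # the dummy never matches, but be explicit

def timing_ratio(auth, known="alice", unknown="nobody", trials=3):
    """Median time for an unknown username divided by that for a known one.
    Close to 1.0 means no username oracle; close to 0 means there is one."""
    def median(user):
        samples = []
        for _ in range(trials):
            start = time.perf_counter()
            auth(user, "wrong password")
            samples.append(time.perf_counter() - start)
        return sorted(samples)[trials // 2]
    return median(unknown) / median(known)

if __name__ == "__main__":
    print("leaky   unknown/known time ratio: %.4f" % timing_ratio(authenticate_leaky))
    print("uniform unknown/known time ratio: %.4f" % timing_ratio(authenticate_uniform))
```

The same reasoning applies to any other branch that is cheaper for a missing user (a database lookup that returns before a lockout counter is checked, for instance): the observable cost must not depend on whether the name exists.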
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRQgGUXlSAg2UNWIIRAnY6AJ49sfVOoaO0QtfOKQJrqlp7o6J41QCffgUU
dR0APZ3WaA2Xp+VIC6sfBdo=
=ME/s
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Mar 20 16:06:05 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 Mar 2013 16:06:05 +0000
Subject: [RHSA-2013:0665-01] Important: JBoss Data Grid 6.1.0 update
Message-ID: <201303201606.r2KG651x008125@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: JBoss Data Grid 6.1.0 update
Advisory ID:       RHSA-2013:0665-01
Product:           JBoss Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0665.html
Issue date:        2013-03-20
CVE Names:         CVE-2012-4431 CVE-2012-5629 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
=====================================================================

1. Summary:

JBoss Data Grid 6.1.0, which fixes multiple security issues, various bugs, and adds enhancements, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.

This release of JBoss Data Grid 6.1.0 serves as a replacement for JBoss Data Grid 6.0.1. It includes various bug fixes and enhancements which are detailed in the JBoss Data Grid 6.1.0 Release Notes.
The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/

This update also fixes the following security issues:

When using LDAP authentication with either the "ldap" configuration entry or the provided LDAP login modules (LdapLoginModule/LdapExtLoginModule), empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication' (RFC 4513). This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. (CVE-2012-5629)

Note: If you are using the "ldap" configuration entry and rely on empty passwords, they will no longer work after applying this update. The jboss-as-domain-management module, by default, will prevent empty passwords. This cannot be configured; however, a future release may add a configuration option to allow empty passwords when using the "ldap" configuration entry.

It was found that sending a request without a session identifier to a protected resource could bypass the Cross-Site Request Forgery (CSRF) prevention filter in JBoss Web. A remote attacker could use this flaw to perform CSRF attacks against applications that rely on the CSRF prevention filter and do not contain internal mitigation for CSRF. (CVE-2012-4431)

Multiple weaknesses were found in the JBoss Web DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)

Warning: Before applying this update, back up your existing JBoss Data Grid installation.

All users of JBoss Data Grid 6.0.1 as provided from the Red Hat Customer Portal are advised to upgrade to JBoss Data Grid 6.1.0.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Data Grid installation.

4. Bugs fixed (http://bugzilla.redhat.com/):

873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter
885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-4431.html
https://www.redhat.com/security/data/cve/CVE-2012-5629.html
https://www.redhat.com/security/data/cve/CVE-2012-5885.html
https://www.redhat.com/security/data/cve/CVE-2012-5886.html
https://www.redhat.com/security/data/cve/CVE-2012-5887.html
https://access.redhat.com/security/updates/classification/#important
http://tools.ietf.org/html/rfc4513
http://tomcat.apache.org/security-6.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions
https://access.redhat.com/knowledge/docs/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
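Added example (the editor's model, not the jbosssx LdapLoginModule source) for the LDAP empty-password item above, which the RHSA-2013:0586 advisory at the top of this digest also covers: RFC 4513 section 5.1.2 defines an "unauthenticated" simple bind as a non-empty name with an empty password, and a server that permits it answers success while granting only anonymous authorization. A login module that equates "the bind did not fail" with "the user proved the password" therefore accepts an empty password for any valid username. The guard that the allowEmptyPasswords=false default provides is to refuse an empty password before it ever reaches the directory. The directory below is a constructed stand-in that behaves as the RFC describes; the base DN and entries are made up.

```python
"""Empty-password LDAP bind and the allowEmptyPasswords guard. Editor's model for
CVE-2012-5629 (RHSA-2013:0586/0665); the directory and its entries are constructed."""

class InvalidCredentials(Exception):
    pass

class FakeDirectory:
    """Minimal LDAP simple-bind model following RFC 4513 section 5.1."""
    def __init__(self, passwords_by_dn, allow_unauthenticated=True):
        self.passwords = passwords_by_dn
        # Whether a DN with an empty password binds as anonymous (5.1.2).
        # Directories differ in their default; True models the permissive case.
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn, password):
        if not dn and not password:
            return "anonymous"                     # 5.1.1 anonymous bind
        if dn and not password:
            if self.allow_unauthenticated:
                return "unauthenticated"           # 5.1.2: success, anonymous authz
            raise InvalidCredentials("unauthenticated bind disabled")
        if self.passwords.get(dn) == password:
            return "authenticated"                 # 5.1.3 name/password bind
        raise InvalidCredentials("bad password")

class LdapLoginModule:
    """Models the login module's decision. allow_empty_passwords defaults to
    False, the value the update sets when the option is not configured."""
    BASE = "ou=people,dc=example,dc=com"           # assumed base DN

    def __init__(self, directory, allow_empty_passwords=False):
        self.directory = directory
        self.allow_empty_passwords = allow_empty_passwords

    def login(self, username, password):
        if not self.allow_empty_passwords and not password:
            return False                           # rejected before the directory sees it
        # Real code must escape username as an RDN value (RFC 4514); omitted here.
        dn = "uid=%s,%s" % (username, self.BASE)
        try:
            self.directory.simple_bind(dn, password or "")
        except InvalidCredentials:
            return False
        # Legacy behaviour: any non-failing bind counts as a login. With
        # allow_empty_passwords=True that includes the unauthenticated bind.
        return True

# Constructed directory content (credentials are made up).
DIRECTORY = FakeDirectory({"uid=alice,%s" % LdapLoginModule.BASE: "pa55word"})

def outcomes(directory=DIRECTORY):
    """Compare the legacy default with the patched default against one directory."""
    legacy = LdapLoginModule(directory, allow_empty_passwords=True)
    fixed = LdapLoginModule(directory)
    return {
        "legacy_empty": legacy.login("alice", ""),
        "fixed_empty": fixed.login("alice", ""),
        "fixed_good": fixed.login("alice", "pa55word"),
        "fixed_bad": fixed.login("alice", "nope"),
    }

if __name__ == "__main__":
    for name, ok in outcomes().items():
        print("%-13s %s" % (name, "login OK" if ok else "login denied"))
```

Running outcomes() against FakeDirectory(..., allow_unauthenticated=False) shows the second layer of defence: when the directory itself refuses the unauthenticated bind, even the legacy module denies the empty password, which is why checking the server-side setting is worthwhile alongside the client-side option.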
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRSd5IXlSAg2UNWIIRAladAKCATks4vo5LRmNi00r6/L7ip58AQACfSsp3
7UJoY8wOXgzMvQdj4HOcPrE=
=LY1h
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Mar 25 17:20:33 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 25 Mar 2013 17:20:33 +0000
Subject: [RHSA-2013:0679-01] Moderate: jakarta-commons-httpclient security update
Message-ID: <201303251720.r2PHKXJ3014892@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jakarta-commons-httpclient security update
Advisory ID:       RHSA-2013:0679-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0679.html
Issue date:        2013-03-25
CVE Names:         CVE-2012-5783
=====================================================================

1. Summary:

An update for JBoss Enterprise Application Platform 5.2.0 which fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

The Jakarta Commons HttpClient component can be used to build HTTP-aware client applications (such as web browsers and web service clients).

The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
(CVE-2012-5783)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5783.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRUIdUXlSAg2UNWIIRAu47AJ0bVSaGSmwzBjGGaSzaWov933iw9QCgr87K
jjfP+62awau8qV4yD/OcwVU=
=g4wP
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Mar 25 17:21:12 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 25 Mar 2013 17:21:12 +0000
Subject: [RHSA-2013:0680-01] Moderate: jakarta-commons-httpclient security update
Message-ID: <201303251721.r2PHLCaR014303@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jakarta-commons-httpclient security update
Advisory ID:       RHSA-2013:0680-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0680.html
Issue date:        2013-03-25
CVE Names:         CVE-2012-5783
=====================================================================

1. Summary:

An updated jakarta-commons-httpclient package for JBoss Enterprise Application Platform 5.2.0 which fixes one security issue is now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

The Jakarta Commons HttpClient component can be used to build HTTP-aware client applications (such as web browsers and web service clients).
The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5783)

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

6.
Package List:

JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.src.rpm

noarch:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.src.rpm

noarch:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el5.src.rpm

noarch:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el5.noarch.rpm

JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jakarta-commons-httpclient-3.1-2_patch_01.ep5.el6.src.rpm

noarch:
jakarta-commons-httpclient-3.1-2_patch_01.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5783.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRUIdvXlSAg2UNWIIRAowOAJ9ZUqMyRI5CZxLFgmV9EL7o02mvLwCgw5XB
A7E7JXGBdnemkjTKMGqhgmQ=
=9eWH
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 25 17:21:34 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 25 Mar 2013 17:21:34 +0000
Subject: [RHSA-2013:0681-01] Moderate: jakarta-commons-httpclient security update
Message-ID: <201303251721.r2PHLYiV015857@int-mx12.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jakarta-commons-httpclient security update
Advisory ID:       RHSA-2013:0681-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0681.html
Issue date:        2013-03-25
CVE Names:         CVE-2012-5783
=====================================================================

1. Summary:

An update for JBoss Enterprise Web Platform 5.2.0 which fixes one security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

The Jakarta Commons HttpClient component can be used to build HTTP-aware client applications (such as web browsers and web service clients).

The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5783)

Warning: Before applying this update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).
All users of JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

The JBoss server process must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

5. References:

https://www.redhat.com/security/data/cve/CVE-2012-5783.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRUIePXlSAg2UNWIIRAgkRAJ9OzSxMGNaXyVdcfdhqfiWUZtkCmwCeJ+VD
/NbVYNWiDg+D9901x8j87nc=
=sfqk
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Mar 25 17:22:21 2013
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 25 Mar 2013 17:22:21 +0000
Subject: [RHSA-2013:0682-01] Moderate: jakarta-commons-httpclient security update
Message-ID: <201303251722.r2PHMLLt006864@int-mx01.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jakarta-commons-httpclient security update
Advisory ID:       RHSA-2013:0682-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0682.html
Issue date:        2013-03-25
CVE Names:         CVE-2012-5783
=====================================================================

1. Summary:

An updated jakarta-commons-httpclient package for JBoss Enterprise Web Platform 5.2.0 which fixes one security issue is now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

JBoss Enterprise Web Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Web Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Web Platform 5 for RHEL 5 Server - noarch
JBoss Enterprise Web Platform 5 for RHEL 6 Server - noarch

3. Description:

The Jakarta Commons HttpClient component can be used to build HTTP-aware client applications (such as web browsers and web service clients).

The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates.
This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2012-5783)

Warning: Before applying this update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

All users of JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated package. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

6. Package List:

JBoss Enterprise Web Platform 5 for RHEL 4 AS:

Source:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.src.rpm

noarch:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 4 ES:

Source:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.src.rpm

noarch:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 5 Server:

Source:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el5.src.rpm

noarch:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el5.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 6 Server:

Source:
jakarta-commons-httpclient-3.1-2_patch_01.ep5.el6.src.rpm

noarch:
jakarta-commons-httpclient-3.1-2_patch_01.ep5.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7.
References:

https://www.redhat.com/security/data/cve/CVE-2012-5783.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRUIe5XlSAg2UNWIIRAuI/AKCCuannWVI1XXDxUGPY0oz85zv+IgCghWdd
nq9FS8tk5g3yC3l7k3EasBs=
=3Gl2
-----END PGP SIGNATURE-----
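The three advisories above (RHSA-2013:0680, RHSA-2013:0681 and RHSA-2013:0682) describe the same defect in Jakarta Commons HttpClient: after validating the certificate chain, the client never checked that the name in the certificate's CN or subjectAltName matched the host it was connecting to, so any valid certificate for any domain was accepted. The Python below is an added example of the missing check, written for this page; it is not Red Hat's code and not Apache Commons HttpClient's fix. It represents certificates as plain dicts shaped like the output of Python's ssl.SSLSocket.getpeercert() (the sample certificates are constructed, not real), and the function names (verify_hostname and its helpers) are the example's own. It goes slightly beyond the advisory text by applying the RFC 6125 rules a modern verifier uses: dNSName SAN entries take precedence over the CN, IP literals match only iPAddress entries, and a wildcard is accepted only as the whole leftmost label.

```python
"""Server-name check of the kind CVE-2012-5783 describes as missing.

Added example, not code from Red Hat or Apache Commons HttpClient.
Certificates are dicts shaped like ssl.SSLSocket.getpeercert() output:
'subject' is a tuple of RDNs (each a tuple of (attribute, value) pairs)
and 'subjectAltName' is a tuple of (type, value) pairs.
"""
import ipaddress
from typing import List


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the connection hostname.

    RFC 6125 style rules: case-insensitive; '*' only as the entire leftmost
    label; '*' covers exactly one label; and the pattern must keep at least
    two fixed labels so a wildcard can never cover a whole top-level domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # '*' must be the whole first label, with >= 2 labels after it
    if any("*" in label for label in p_labels[1:]):
        return False  # no wildcards anywhere else
    if len(p_labels) != len(h_labels):
        return False  # '*' matches exactly one label, never several
    return p_labels[1:] == h_labels[1:]


def _san(cert: dict, kind: str) -> List[str]:
    """All subjectAltName values of one type ('DNS' or 'IP Address')."""
    return [v for (t, v) in cert.get("subjectAltName", ()) if t == kind]


def _common_names(cert: dict) -> List[str]:
    """All commonName attributes from the subject DN."""
    return [v for rdn in cert.get("subject", ()) for (a, v) in rdn if a == "commonName"]


def _parse_ip(value: str):
    """An ip_address object, or None when the string is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def verify_hostname(cert: dict, hostname: str) -> bool:
    """Return True only when the certificate is valid for this specific host.

    Chain validation alone only proves the certificate is valid for *some*
    name; this check ties it to the name the client actually asked for.
    """
    hostname = hostname.strip()
    if not hostname:
        return False
    ip = _parse_ip(hostname.strip("[]"))
    if ip is not None:
        # IP-literal connections match only iPAddress SAN entries, never the CN.
        return any(_parse_ip(v) == ip for v in _san(cert, "IP Address"))
    dns_names = _san(cert, "DNS")
    # RFC 6125 section 6.4.4: once dNSName SAN entries exist, the CN is ignored.
    candidates = dns_names if dns_names else _common_names(cert)
    return any(_dns_match(name, hostname) for name in candidates)


# Constructed sample certificates (not real ones).
CERT_SITE = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_OTHER_DOMAIN = {  # perfectly valid, but issued for a different name
    "subject": ((("commonName", "www.example.net"),),),
    "subjectAltName": (("DNS", "www.example.net"),),
}
CERT_CN_ONLY = {  # legacy certificate with no subjectAltName at all
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.com"),)),
}
CERT_CN_MISLEADING = {  # CN names one host, SAN another: the SAN decides
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}
CERT_IP = {"subject": (), "subjectAltName": (("IP Address", "192.0.2.10"),)}

if __name__ == "__main__":
    for cert, host in [
        (CERT_SITE, "www.example.com"),
        (CERT_SITE, "api.example.com"),
        (CERT_WILDCARD, "api.example.com"),
        (CERT_WILDCARD, "a.b.example.com"),
        (CERT_OTHER_DOMAIN, "www.example.com"),
        (CERT_CN_ONLY, "legacy.example.com"),
        (CERT_CN_MISLEADING, "www.example.com"),
        (CERT_IP, "192.0.2.10"),
    ]:
        print(f"{host:20s} {'accept' if verify_hostname(cert, host) else 'reject'}")
```

The CERT_OTHER_DOMAIN case is the one the advisories describe: a certificate that is valid for some name but not for the host being contacted is rejected here, whereas the unfixed client accepted it. The CERT_CN_MISLEADING case shows why the CN fallback must be skipped when SAN entries exist: otherwise a certificate could be matched on a CN it was never issued to serve.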