From bugzilla at redhat.com Wed Oct 1 19:16:34 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 1 Oct 2014 19:16:34 +0000
Subject: [RHSA-2014:1351-01] Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
Message-ID: <201410011916.s91JGYlL001190@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
Advisory ID:       RHSA-2014:1351-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1351.html
Issue date:        2014-10-01
CVE Names:         CVE-2014-0034 CVE-2014-0035 CVE-2014-0074
                   CVE-2014-0107 CVE-2014-0109 CVE-2014-0110
                   CVE-2014-0168 CVE-2014-0193 CVE-2014-0225
=====================================================================

1. Summary:

Red Hat JBoss Fuse and A-MQ 6.1.0 Rollup Patch 1, which addresses several security issues, includes multiple bug fixes, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.

The following security issues are addressed in this release:

It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds. (CVE-2014-0074)

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

It was found that the SecurityTokenService (STS), provided as a part of Apache CXF, could under certain circumstances accept invalid SAML tokens as valid. A remote attacker could use a specially crafted SAML token to gain access to an application that uses STS for validation of SAML tokens. (CVE-2014-0034)

A denial of service flaw was found in the way Apache CXF created error messages for certain POST requests. A remote attacker could send a specially crafted request which, when processed by an application using Apache CXF, could consume an excessive amount of memory on the system, possibly triggering an Out Of Memory (OOM) error. (CVE-2014-0109)

It was found that when a large invalid SOAP message was processed by Apache CXF, it could be saved to a temporary file in the /tmp directory. A remote attacker could send a specially crafted SOAP message that, when processed by an application using Apache CXF, would use an excessive amount of disk space, possibly causing a denial of service. (CVE-2014-0110)

It was found that Jolokia was vulnerable to Cross-Site Request Forgery (CSRF) attacks. A remote attacker could provide a specially crafted web page that, when visited by a user logged in to Jolokia, could allow the attacker to execute arbitrary methods on MBeans exposed via JMX. (CVE-2014-0168)

It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers. (CVE-2014-0225)

It was discovered that UsernameTokens were sent in plain text by an Apache CXF client that used a Symmetric EncryptBeforeSigning password policy. A man-in-the-middle attacker could use this flaw to obtain the user name and password used by the client application using Apache CXF. (CVE-2014-0035)

A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service. (CVE-2014-0193)

Refer to the readme.txt file included with the patch files for installation instructions.

Red Hat would like to thank James Roper of Typesafe for reporting the CVE-2014-0193 issue.

All users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1072603 - CVE-2014-0074 Apache Shiro: successful authentication without specifying user name or password
1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature
1084838 - CVE-2014-0168 Jolokia: cross-site request forgery (CSRF)
1092783 - CVE-2014-0193 netty: DoS via memory exhaustion during data aggregation
1093526 - CVE-2014-0109 Apache CXF: HTML content posted to SOAP endpoint could cause OOM errors
1093527 - CVE-2014-0110 Apache CXF: Large invalid content could cause temporary space to fill
1093529 - CVE-2014-0034 Apache CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid
1093530 - CVE-2014-0035 Apache CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
1110110 - CVE-2014-0225 Spring Framework: Information disclosure via SSRF

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0034.html
https://www.redhat.com/security/data/cve/CVE-2014-0035.html
https://www.redhat.com/security/data/cve/CVE-2014-0074.html
https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://www.redhat.com/security/data/cve/CVE-2014-0109.html
https://www.redhat.com/security/data/cve/CVE-2014-0110.html
https://www.redhat.com/security/data/cve/CVE-2014-0168.html
https://www.redhat.com/security/data/cve/CVE-2014-0193.html
https://www.redhat.com/security/data/cve/CVE-2014-0225.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Thu Oct 9 16:22:53 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Oct 2014 16:22:53 +0000
Subject: [RHSA-2014:1369-01] Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update
Message-ID: <201410091622.s99GMrmB009664@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update
Advisory ID:       RHSA-2014:1369-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1369.html
Issue date:        2014-10-09
CVE Names:         CVE-2013-2172 CVE-2014-0074 CVE-2014-0107
=====================================================================

1. Summary:

Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P6 (Patch 6 on Rollup Patch 1), which addresses three security issues, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Fuse ESB Enterprise is an integration platform based on Apache ServiceMix. Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.

This release of Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P6 is an update to Fuse ESB Enterprise 7.1.0 and Fuse MQ Enterprise 7.1.0.

The following security issues are addressed with this release:

It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds. (CVE-2014-0074)

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block. (CVE-2013-2172)

All users of Fuse ESB Enterprise/MQ Enterprise 7.1.0 as provided from the Red Hat Customer Portal are advised to upgrade to Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P6.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

999263 - CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
1072603 - CVE-2014-0074 Apache Shiro: successful authentication without specifying user name or password
1080248 - CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature

5. References:

https://www.redhat.com/security/data/cve/CVE-2013-2172.html
https://www.redhat.com/security/data/cve/CVE-2014-0074.html
https://www.redhat.com/security/data/cve/CVE-2014-0107.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise&downloadType=securityPatches&version=7.1.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Thu Oct 9 19:00:00 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 9 Oct 2014 19:00:00 +0000
Subject: [RHSA-2014:1370-01] Moderate: Apache POI security update
Message-ID: <201410091900.s99J015p028939@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Apache POI security update
Advisory ID:       RHSA-2014:1370-01
Product:           Red Hat JBoss Fuse Service Works
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1370.html
Issue date:        2014-10-09
CVE Names:         CVE-2014-3529 CVE-2014-3574
=====================================================================

1. Summary:

An update for the Apache POI component that fixes two security issues is now available from the Red Hat Customer Portal for Red Hat Fuse Service Works 6.0.0.

Red Hat Product Security has rated this update as having Moderate security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Apache POI is a library providing a Java API for working with OOXML document files.

It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks. (CVE-2014-3529)

It was found that Apache POI would expand an unlimited number of entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to trigger a denial of service attack via excessive CPU and memory consumption. (CVE-2014-3574)

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the updates).

Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1138135 - CVE-2014-3529 apache-poi: XML eXternal Entity (XXE) flaw
1138140 - CVE-2014-3574 apache-poi: entity expansion (billion laughs) flaw

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3529.html
https://www.redhat.com/security/data/cve/CVE-2014-3574.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Mon Oct 13 21:13:38 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 13 Oct 2014 21:13:38 +0000
Subject: [RHSA-2014:1398-01] Moderate: Apache POI security update
Message-ID: <201410132113.s9DLDcvT011221@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Apache POI security update
Advisory ID:       RHSA-2014:1398-01
Product:           Red Hat JBoss Data Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1398.html
Issue date:        2014-10-13
CVE Names:         CVE-2014-3529 CVE-2014-3574
=====================================================================

1. Summary:

An update for the Apache POI component that fixes two security issues is now available from the Red Hat Customer Portal for Red Hat JBoss Data Virtualization 6.0.0.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Apache POI is a library providing a Java API for working with OOXML document files.

It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks. (CVE-2014-3529)

It was found that Apache POI would expand an unlimited number of entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to trigger a denial of service attack via excessive CPU and memory consumption. (CVE-2014-3574)

All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the updates).

Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1138135 - CVE-2014-3529 apache-poi: XML eXternal Entity (XXE) flaw
1138140 - CVE-2014-3574 apache-poi: entity expansion (billion laughs) flaw

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3529.html
https://www.redhat.com/security/data/cve/CVE-2014-3574.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.0.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Mon Oct 13 21:14:15 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 13 Oct 2014 21:14:15 +0000
Subject: [RHSA-2014:1399-01] Moderate: Apache POI security update
Message-ID: <201410132114.s9DLEFLN011665@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Apache POI security update
Advisory ID:       RHSA-2014:1399-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1399.html
Issue date:        2014-10-13
CVE Names:         CVE-2014-3529 CVE-2014-3574
=====================================================================

1. Summary:

An update for the Apache POI component that fixes two security issues is now available from the Red Hat Customer Portal for Red Hat JBoss BPM Suite 6.0.3.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Apache POI is a library providing a Java API for working with OOXML document files.

It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks. (CVE-2014-3529)

It was found that Apache POI would expand an unlimited number of entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to trigger a denial of service attack via excessive CPU and memory consumption. (CVE-2014-3574)

All users of Red Hat JBoss BPM Suite 6.0.3 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the updates).

Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1138135 - CVE-2014-3529 apache-poi: XML eXternal Entity (XXE) flaw
1138140 - CVE-2014-3574 apache-poi: entity expansion (billion laughs) flaw

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3529.html
https://www.redhat.com/security/data/cve/CVE-2014-3574.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Mon Oct 13 21:16:08 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 13 Oct 2014 21:16:08 +0000
Subject: [RHSA-2014:1400-01] Moderate: Apache POI security update
Message-ID: <201410132116.s9DLG8Im001125@int-mx09.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Apache POI security update
Advisory ID:       RHSA-2014:1400-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1400.html
Issue date:        2014-10-13
CVE Names:         CVE-2014-3529 CVE-2014-3574
=====================================================================

1. Summary:

An update for the Apache POI component that fixes two security issues is now available from the Red Hat Customer Portal for Red Hat JBoss BRMS 6.0.3.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Apache POI is a library providing a Java API for working with OOXML document files.

It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks. (CVE-2014-3529)

It was found that Apache POI would expand an unlimited number of entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to trigger a denial of service attack via excessive CPU and memory consumption. (CVE-2014-3574)

All users of Red Hat JBoss BRMS 6.0.3 as provided from the Red Hat Customer Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the updates).

Before applying the updates, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1138135 - CVE-2014-3529 apache-poi: XML eXternal Entity (XXE) flaw
1138140 - CVE-2014-3574 apache-poi: entity expansion (billion laughs) flaw

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3529.html
https://www.redhat.com/security/data/cve/CVE-2014-3574.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

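The two Apache POI flaws described in RHSA-2014:1370, 1398, 1399 and 1400 (CVE-2014-3529, external entity resolution; CVE-2014-3574, unbounded entity expansion) both come down to how the XML parser underneath treats a DOCTYPE in a document part. The following is an added example, not Apache POI's or Red Hat's code: a JAXP DocumentBuilderFactory configured to reject DTDs and external entities outright, exercised on two constructed OOXML-style parts (one clean, one carrying an inert internal DOCTYPE). The class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (hypothetical class, not Apache POI or Red Hat code): a JAXP
 * DocumentBuilderFactory hardened against the two flaw classes behind
 * CVE-2014-3529 (external entity resolution) and CVE-2014-3574 (unbounded
 * entity expansion), exercised on two constructed OOXML-style parts.
 */
public final class HardenedXmlParser {

    /** A factory whose parsers refuse any DOCTYPE, which removes both flaw classes at once. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // JAXP secure processing: enforces the JDK's entity-expansion and size limits.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // OOXML parts never carry a DTD, so reject the DOCTYPE declaration itself.
        // This blocks external entities (XXE) and entity-expansion bombs in one step.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns true when the part parsed, false when the parser rejected it. */
    public static boolean parses(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            // With the hardened factory this is the path taken for any DOCTYPE-bearing part.
            return false;
        }
    }

    private static final String CORE_NS =
        "http://schemas.openxmlformats.org/package/2006/metadata/core-properties";

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal, DTD-free part resembling docProps/core.xml,
        // which is what a legitimate OOXML document contains.
        String clean = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<cp:coreProperties xmlns:cp=\"" + CORE_NS + "\""
            + " xmlns:dc=\"http://purl.org/dc/elements/1.1/\">"
            + "<dc:title>Quarterly report</dc:title></cp:coreProperties>";

        // Constructed sample: the same part with a DOCTYPE. The entity is internal
        // and inert; the point is that no DOCTYPE belongs in an OOXML part, so the
        // hardened factory rejects the declaration before any entity is resolved.
        String withDoctype = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<!DOCTYPE cp:coreProperties [ <!ENTITY note \"constructed\"> ]>"
            + "<cp:coreProperties xmlns:cp=\"" + CORE_NS + "\""
            + " xmlns:dc=\"http://purl.org/dc/elements/1.1/\">"
            + "<dc:title>&note;</dc:title></cp:coreProperties>";

        DocumentBuilderFactory hardened = hardenedFactory();
        DocumentBuilderFactory defaults = DocumentBuilderFactory.newInstance();

        System.out.println("clean part, hardened parser:   " + parses(hardened, clean));
        System.out.println("DOCTYPE part, hardened parser: " + parses(hardened, withDoctype));
        System.out.println("DOCTYPE part, default parser:  " + parses(defaults, withDoctype));
    }
}
```
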
From bugzilla at redhat.com Tue Oct 28 21:43:43 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 28 Oct 2014 21:43:43 +0000
Subject: [RHSA-2014:1725-01] Moderate: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201410282143.s9SLhh64009022@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:       RHSA-2014:1725-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1725.html
Issue date:        2014-10-28
CVE Names:         CVE-2013-4517
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Application Platform 5.2.0 that fixes one security issue is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. (CVE-2013-4517)

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack

5. References:

https://access.redhat.com/security/cve/CVE-2013-4517
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Tue Oct 28 21:44:26 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 28 Oct 2014 21:44:26 +0000
Subject: [RHSA-2014:1726-01] Moderate: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Message-ID: <201410282144.s9SLiRh6011353@int-mx13.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 5.2.0 security update
Advisory ID:       RHSA-2014:1726-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1726.html
Issue date:        2014-10-28
CVE Names:         CVE-2013-4517
=====================================================================

1. Summary:

Updated packages for Red Hat JBoss Enterprise Application Platform 5.2.0 that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. (CVE-2013-4517)

All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing Red Hat JBoss Enterprise Application Platform 5 installation (including all applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack

6. Package List:

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS:

Source:
xml-security-1.5.6-3.ep5.el4.src.rpm

noarch:
xml-security-1.5.6-3.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES:

Source:
xml-security-1.5.6-3.ep5.el4.src.rpm

noarch:
xml-security-1.5.6-3.ep5.el4.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
xml-security-1.5.6-3.ep5.el5.src.rpm

noarch:
xml-security-1.5.6-3.ep5.el5.noarch.rpm

Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server:

Source:
xml-security-1.5.6-3.el6.src.rpm

noarch:
xml-security-1.5.6-3.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-4517
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

From bugzilla at redhat.com Tue Oct 28 21:45:01 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 28 Oct 2014 21:45:01 +0000
Subject: [RHSA-2014:1727-01] Moderate: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Message-ID: <201410282145.s9SLj1e4009506@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID:       RHSA-2014:1727-01
Product:           Red Hat JBoss Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1727.html
Issue date:        2014-10-28
CVE Names:         CVE-2013-4517
=====================================================================

1. Summary:

An update for Red Hat JBoss Enterprise Web Platform 5.2.0 that fixes one security issue is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam.

It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. (CVE-2013-4517)

All users of Red Hat JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing JBoss Enterprise Web Platform installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack

5. References:

https://access.redhat.com/security/cve/CVE-2013-4517
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=enterpriseweb.platform&downloadType=securityPatches&version=5.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUUA5QXlSAg2UNWIIRAsqeAJ9iDCgOScgWOzz2C6oo/p+p9KOW9gCeP/0h
5KwgEnzfv2Xa4Fzio2L8Sn4=
=4SWh
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue Oct 28 21:45:42 2014
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 28 Oct 2014 21:45:42 +0000
Subject: [RHSA-2014:1728-01] Moderate: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Message-ID: <201410282145.s9SLjg7i009757@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Web Platform 5.2.0 security update
Advisory ID:       RHSA-2014:1728-01
Product:           Red Hat JBoss Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1728.html
Issue date:        2014-10-28
CVE Names:         CVE-2013-4517
=====================================================================

1. Summary:

Updated packages for Red Hat JBoss Enterprise Web Platform 5.2.0 that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Platform 5 for RHEL 4 AS - noarch
Red Hat JBoss Web Platform 5 for RHEL 4 ES - noarch
Red Hat JBoss Web Platform 5 for RHEL 5 Server - noarch
Red Hat JBoss Web Platform 5 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam.

It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled.
A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. (CVE-2013-4517)

All users of Red Hat JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Also, back up your existing Red Hat JBoss Enterprise Web Platform 5 installation (including all applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1045257 - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack

6. Package List:

Red Hat JBoss Web Platform 5 for RHEL 4 AS:

Source:
xml-security-1.5.6-3.ep5.el4.src.rpm

noarch:
xml-security-1.5.6-3.ep5.el4.noarch.rpm

Red Hat JBoss Web Platform 5 for RHEL 4 ES:

Source:
xml-security-1.5.6-3.ep5.el4.src.rpm

noarch:
xml-security-1.5.6-3.ep5.el4.noarch.rpm

Red Hat JBoss Web Platform 5 for RHEL 5 Server:

Source:
xml-security-1.5.6-3.ep5.el5.src.rpm

noarch:
xml-security-1.5.6-3.ep5.el5.noarch.rpm

Red Hat JBoss Web Platform 5 for RHEL 6 Server:

Source:
xml-security-1.5.6-3.el6.src.rpm

noarch:
xml-security-1.5.6-3.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-4517
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUUA55XlSAg2UNWIIRAjLxAKCYDATFlg+EukuEgq1HcK8ZPa4X6gCeLOHI
vCngNalVFDc9WdBdP1YkT8Q=
=AYTq
-----END PGP SIGNATURE-----
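The three advisories above describe CVE-2013-4517 in the same terms: a DOCTYPE reaching the XML Security library was still honoured while secure validation was switched on, and DTD processing is what lets a small document grow into memory exhaustion. The fix the advisories give is the package upgrade. What an application can add on its own side, as defence in depth, is to refuse any DOCTYPE before the DOM ever reaches signature or transform code. The Java example below is added here and is not part of the advisories or of the Santuario project; the feature URIs are the standard Xerces/JAXP feature names, and the sample document is constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class DoctypeCheck {

    // Constructed sample: a document carrying a DOCTYPE with one small internal
    // entity. The hardened parser refuses any DOCTYPE at all, so the entity is
    // never expanded; the default parser happily expands it.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [ <!ENTITY e \"x\"> ]>\n"
      + "<root>&e;</root>\n";

    /** A parser with factory defaults: DTDs are parsed and entities expanded. */
    static DocumentBuilder permissiveParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    /** A parser that rejects DOCTYPE up front, so DTD processing cannot start. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Xerces feature: a document that declares a DTD is a fatal error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Also refuse to resolve external entities, should DTDs ever be re-enabled.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // JAXP secure processing turns on the JDK's entity expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true); // required for XML Signature / SAML processing
        return f.newDocumentBuilder();
    }

    /**
     * Parses the document and reports whether the parser accepted it.
     * A rejected DOCTYPE surfaces as a SAXParseException, which maps to false.
     */
    static boolean accepts(DocumentBuilder builder, String xml) throws Exception {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser accepts DOCTYPE:  "
            + accepts(permissiveParser(), SAMPLE));
        System.out.println("hardened parser accepts DOCTYPE: "
            + accepts(hardenedParser(), SAMPLE));
    }
}
```

The default factory parses the sample and expands the entity; the hardened factory throws on the DOCTYPE line and never reaches the entity. For machine-to-machine XML such as signed documents and SAML assertions there is no legitimate reason to accept a DTD, so refusing it outright is the right default; the upgrade in the advisories remains necessary because the library's own Transform handling, not the application's parser, was where the DTD was processed.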