From bugzilla at redhat.com Mon Aug 3 19:42:00 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 3 Aug 2015 15:42:00 -0400
Subject: [RHSA-2015:1538-01] Moderate: Red Hat JBoss BRMS 6.1.2 update
Message-ID: <201508031942.t73Jg09w024621@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss BRMS 6.1.2 update
Advisory ID:       RHSA-2015:1538-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1538.html
Issue date:        2015-08-03
CVE Names:         CVE-2015-0263 CVE-2015-0264
=====================================================================

1. Summary:

Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red Hat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are documented in the README.txt file included with the patch files.

The following security issues are also fixed with this release:

It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0263)

It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0264)

All users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1203341 - CVE-2015-0264 Camel: XXE via XPath expression evaluation
1203344 - CVE-2015-0263 Camel: XXE in via SAXSource expansion

5. References:

https://access.redhat.com/security/cve/CVE-2015-0263
https://access.redhat.com/security/cve/CVE-2015-0264
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.1.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
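Added example (Python standard library, not code from Camel or from this advisory): an XML intake hardened in the way the two Camel issues above call for, rejecting any DOCTYPE outright and, where a DOCTYPE must be accepted, never resolving external entities. The message and the file path inside it are constructed placeholders; the same policy applies to the dashbuilder DocumentBuilders described in the next advisory.

```python
import io
import xml.sax
from xml.sax import handler

# Constructed sample of an inbound message whose DOCTYPE declares an external entity.
# The system id is a placeholder path, not a real file.
XXE_MESSAGE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path"> ]>'
    b"<order><id>42</id><note>&ext;</note></order>"
)
CLEAN_MESSAGE = b'<?xml version="1.0"?><order><id>42</id><note>ok</note></order>'


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE and the caller did not allow one."""


class _NoDoctype:
    """Lexical handler whose only job is to abort on DOCTYPE. This is the Python
    analogue of the Java parser feature disallow-doctype-decl: no DTD means no
    entity declarations, so neither XXE nor entity-expansion DoS is reachable,
    whatever encoding the document arrives in."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected (system id {system_id!r})")

    # The remaining LexicalHandler callbacks are no-ops.
    def endDTD(self): pass
    def startEntity(self, name): pass
    def endEntity(self, name): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


class _TextCollector(handler.ContentHandler):
    """Collects character data per element name, enough to see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = {}
        self._open = []

    def startElement(self, name, attrs):
        self._open.append(name)
        self.text.setdefault(name, "")

    def characters(self, content):
        if self._open:
            self.text[self._open[-1]] += content

    def endElement(self, name):
        self._open.pop()


def parse_untrusted(data: bytes, allow_doctype: bool = False) -> dict:
    """Parse bytes from an untrusted source and return {element: text}.

    Layer 1: reject any DOCTYPE unless the caller explicitly allows one.
    Layer 2: even when a DOCTYPE is allowed, never resolve external general or
    parameter entities, so a SYSTEM entity expands to nothing instead of a file."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    if not allow_doctype:
        parser.setProperty(handler.property_lexical_handler, _NoDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.text


def is_safe_message(data: bytes) -> bool:
    """Gate for a route or importer: True only if the message parses under the
    default policy (no DOCTYPE at all)."""
    try:
        parse_untrusted(data)
    except (DoctypeRejected, xml.sax.SAXParseException):
        return False
    return True
```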
From bugzilla at redhat.com Mon Aug 3 19:42:06 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 3 Aug 2015 15:42:06 -0400
Subject: [RHSA-2015:1539-01] Moderate: Red Hat JBoss BPM Suite 6.1.2 update
Message-ID: <201508031942.t73Jg6Om019797@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss BPM Suite 6.1.2 update
Advisory ID:       RHSA-2015:1539-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1539.html
Issue date:        2015-08-03
CVE Names:         CVE-2015-0263 CVE-2015-0264 CVE-2015-1818
=====================================================================

1. Summary:

Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several bugs, and adds various enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for Red Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements, which are documented in the README.txt file included with the patch files.

The following security issues are also fixed with this release:

It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0263)

It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2015-0264)

A flaw was found in the dashbuilder import facility: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl did not disable external entities. This could allow an attacker to perform a variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF) attacks. (CVE-2015-1818)

Red Hat would like to thank David Jorm of IIX Product Security for reporting the CVE-2015-1818 issue.

All users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1201714 - CVE-2015-1818 dashbuilder: XXE/SSRF vulnerability
1203341 - CVE-2015-0264 Camel: XXE via XPath expression evaluation
1203344 - CVE-2015-0263 Camel: XXE in via SAXSource expansion

5. References:

https://access.redhat.com/security/cve/CVE-2015-0263
https://access.redhat.com/security/cve/CVE-2015-0264
https://access.redhat.com/security/cve/CVE-2015-1818
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.1.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Tue Aug 4 17:18:10 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 4 Aug 2015 13:18:10 -0400
Subject: [RHSA-2015:1543-01] Moderate: Red Hat JBoss Portal 6.2.0 security update
Message-ID: <201508041718.t74HIAu8016561@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Portal 6.2.0 security update
Advisory ID:       RHSA-2015:1543-01
Product:           Red Hat JBoss Portal
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1543.html
Issue date:        2015-08-04
CVE Names:         CVE-2015-5176
=====================================================================

1. Summary:

An update for the PortletBridge component of Red Hat JBoss Portal 6.2.0 that fixes one security issue is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Description:

Red Hat JBoss Portal is the open source implementation of the Java EE suite of services and Portal services running atop Red Hat JBoss Enterprise Application Platform.

It was found that PortletBridge PortletRequestDispatcher did not respect security constraints set by the servlet if a portlet request asked for rendering of a non-JSF resource such as JSP or HTML. A remote attacker could use this flaw to potentially bypass certain security constraints and gain access to restricted resources. (CVE-2015-5176)

Red Hat would like to thank Liferay, Inc. for reporting this issue.

All users of Red Hat JBoss Portal 6.2.0 as provided from the Red Hat Customer Portal are advised to apply this update.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings.

4. Bugs fixed (https://bugzilla.redhat.com/):

1244835 - CVE-2015-5176 PortletBridge: information disclosure via auto-dispatching of non-JSF resources

5. References:

https://access.redhat.com/security/cve/CVE-2015-5176
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=6.2.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Wed Aug 5 16:22:40 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 5 Aug 2015 12:22:40 -0400
Subject: [RHSA-2015:1551-01] Important: Red Hat JBoss Fuse Service Works 6.0.0 security update
Message-ID: <201508051622.t75GMeuF003371@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse Service Works 6.0.0 security update
Advisory ID:       RHSA-2015:1551-01
Product:           Red Hat JBoss Fuse Service Works
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1551.html
Issue date:        2015-08-05
CVE Names:         CVE-2013-7397 CVE-2013-7398
=====================================================================

1. Summary:

Red Hat JBoss Fuse Service Works 6.0.0 roll up patch 5, which fixes two security issues and various bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse Service Works 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

The following security issues are also fixed with this release:

It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate. (CVE-2013-7397)

It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. (CVE-2013-7398)

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Fuse Service Works installation (including its databases, applications, configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss Fuse Service Works server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Fuse Service Works server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1133769 - CVE-2013-7397 async-http-client: SSL/TLS certificate verification is disabled under certain conditions
1133773 - CVE-2013-7398 async-http-client: missing hostname verification for SSL certificates

5. References:

https://access.redhat.com/security/cve/CVE-2013-7397
https://access.redhat.com/security/cve/CVE-2013-7398
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
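Added example, not async-http-client code: the hostname check that CVE-2013-7398 describes as missing, written in Python against the certificate dict shape that ssl.SSLSocket.getpeercert() returns, together with a client context that keeps verification on when a client certificate is also in use, the condition under which CVE-2013-7397 dropped it. Every certificate below is a constructed sample.

```python
import ipaddress
import ssl


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against the requested host:
    case-insensitive, and a wildcard counts only as the entire leftmost label and
    matches exactly one label (*.example.com matches neither example.com nor
    a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lab for lab in plabels[1:]):
        return False
    return len(plabels) == len(hlabels) and hlabels[0] != "" and plabels[1:] == hlabels[1:]


def hostname_matches(hostname: str, cert: dict) -> bool:
    """The check the advisory says was skipped: does the presented certificate name
    the server we meant to reach?  `cert` is in ssl.SSLSocket.getpeercert() shape."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal may only be matched by an iPAddress SAN entry, never by the CN.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # When dNSName entries exist the CN is ignored entirely (RFC 6125 section 6.4.4).
        return any(_dns_match(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


def verifying_context() -> ssl.SSLContext:
    """Client context with chain validation and hostname checking both on.
    CVE-2013-7397 was verification being dropped when a client certificate was in
    play; here a client certificate is added with load_cert_chain() and neither
    setting below needs to change for that."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when a context still validates the chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed certificate summaries (not real certificates) in getpeercert() shape.
CERT_API = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.internal.example.com")),
}
# Validly issued, but for another name: the spoofing case CVE-2013-7398 describes.
CERT_OTHER_DOMAIN = {
    "subject": ((("commonName", "www.elsewhere.example"),),),
    "subjectAltName": (("DNS", "www.elsewhere.example"),),
}
# CN claims our host, SAN does not: SAN wins, so this must also be refused.
CERT_MISLEADING_CN = {
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "www.elsewhere.example"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "api.example.com"),),)}
CERT_IP = {"subjectAltName": (("IP Address", "10.0.0.5"),)}
```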
From bugzilla at redhat.com Thu Aug 13 15:39:34 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 13 Aug 2015 11:39:34 -0400
Subject: [RHSA-2015:1621-01] Moderate: Red Hat JBoss Web Server 2.1.0 tomcat security update
Message-ID: <201508131539.t7DFdYdd031973@int-mx10.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.1.0 tomcat security update
Advisory ID:       RHSA-2015:1621-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1621.html
Issue date:        2015-08-13
CVE Names:         CVE-2014-0230 CVE-2014-7810
=====================================================================

1. Summary:

An update for the Apache Tomcat 6 and Apache Tomcat 7 component for Red Hat JBoss Web Server 2.1.0 that fixes two security issues is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further legitimate connections to the Tomcat server from being made. (CVE-2014-0230)

All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat Customer Portal are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

4. Bugs fixed (https://bugzilla.redhat.com/):

1191200 - CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
1222573 - CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions

5. References:

https://access.redhat.com/security/cve/CVE-2014-0230
https://access.redhat.com/security/cve/CVE-2014-7810
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.0

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
From bugzilla at redhat.com Thu Aug 13 15:39:46 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 13 Aug 2015 11:39:46 -0400
Subject: [RHSA-2015:1622-01] Moderate: Red Hat JBoss Web Server 2.1.0 tomcat security update
Message-ID: <201508131539.t7DFdkoa013259@int-mx14.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 2.1.0 tomcat security update
Advisory ID:       RHSA-2015:1622-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1622.html
Issue date:        2015-08-13
CVE Names:         CVE-2014-0230 CVE-2014-7810
=====================================================================

1. Summary:

Updated tomcat6 and tomcat7 packages that fix two security issues are now available for Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 2 for RHEL 5 Server - noarch
Red Hat JBoss Web Server 2 for RHEL 6 Server - noarch
Red Hat JBoss Web Server 2 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further legitimate connections to the Tomcat server from being made. (CVE-2014-0230)

All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat Customer Portal are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied, and back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1191200 - CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
1222573 - CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions

6. Package List:

Red Hat JBoss Web Server 2 for RHEL 5 Server:

Source:
tomcat6-6.0.41-15_patch_04.ep6.el5.src.rpm
tomcat7-7.0.54-19_patch_04.ep6.el5.src.rpm

noarch:
tomcat6-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-admin-webapps-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-docs-webapp-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-el-2.1-api-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-javadoc-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-jsp-2.1-api-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-lib-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-log4j-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-maven-devel-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-servlet-2.5-api-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-webapps-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat7-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-admin-webapps-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-docs-webapp-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-el-2.2-api-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-javadoc-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-lib-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-log4j-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-maven-devel-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-webapps-7.0.54-19_patch_04.ep6.el5.noarch.rpm

Red Hat JBoss Web Server 2 for RHEL 6 Server:

Source:
tomcat6-6.0.41-15_patch_04.ep6.el6.src.rpm
tomcat7-7.0.54-19_patch_04.ep6.el6.src.rpm

noarch:
tomcat6-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-admin-webapps-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-docs-webapp-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-el-2.1-api-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-javadoc-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-jsp-2.1-api-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-lib-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-log4j-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-maven-devel-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-servlet-2.5-api-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-webapps-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat7-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-admin-webapps-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-docs-webapp-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-javadoc-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-lib-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-log4j-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-maven-devel-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-webapps-7.0.54-19_patch_04.ep6.el6.noarch.rpm

Red Hat JBoss Web Server 2 for RHEL 7 Server:

Source:
tomcat6-6.0.41-15_patch_04.ep6.el7.src.rpm
tomcat7-7.0.54-20_patch_04.ep6.el7.src.rpm

noarch:
tomcat6-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-admin-webapps-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-docs-webapp-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-el-2.1-api-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-javadoc-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-jsp-2.1-api-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-lib-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-log4j-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-maven-devel-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-servlet-2.5-api-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-webapps-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat7-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-admin-webapps-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-docs-webapp-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-javadoc-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-lib-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-log4j-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-maven-devel-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-webapps-7.0.54-20_patch_04.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-0230
https://access.redhat.com/security/cve/CVE-2014-7810
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

From bugzilla at redhat.com Tue Aug 18 19:06:49 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 18 Aug 2015 15:06:49 -0400
Subject: [RHSA-2015:1641-03] Important: Red Hat JBoss Web Server 2.1.0 security update
Message-ID: <201508181906.t7IJ6n1u032634@int-mx11.intmail.prod.int.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2.1.0 security update
Advisory ID:       RHSA-2015:1641-03
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1641.html
Issue date:        2015-08-18
CVE Names:         CVE-2014-8111 CVE-2015-0298
=====================================================================

1. Summary:

An update for Red Hat JBoss Web Server 2.1.0 that fixes two security issues is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. A flaw was found in the way the mod_cluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the mod_cluster manager web interface. (CVE-2015-0298) It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them. (CVE-2014-8111) All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat Customer Portal are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). 4. Bugs fixed (https://bugzilla.redhat.com/): 1182591 - CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing 1197769 - CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages 5. 
References: https://access.redhat.com/security/cve/CVE-2014-8111 https://access.redhat.com/security/cve/CVE-2015-0298 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.0 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFV04JIXlSAg2UNWIIRAvwWAJ0TyWHgLfvmuHxeo/yw3cxUHMFQwQCfUQTT AZazcWpVed8aBxNQ4iAzRMY= =gX+U -----END PGP SIGNATURE----- From bugzilla at redhat.com Tue Aug 18 19:07:05 2015 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Tue, 18 Aug 2015 15:07:05 -0400 Subject: [RHSA-2015:1642-03] Important: Red Hat JBoss Web Server 2.1.0 security update Message-ID: <201508181907.t7IJ75oj026934@int-mx09.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 2.1.0 security update Advisory ID: RHSA-2015:1642-03 Product: Red Hat JBoss Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1642.html Issue date: 2015-08-18 CVE Names: CVE-2014-8111 CVE-2015-0298 ===================================================================== 1. Summary: An update for Red Hat JBoss Web Server 2.1.0 that fixes two security issues is now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. 
Relevant releases/architectures: Red Hat JBoss Web Server 2 for RHEL 5 Server - i386, x86_64 Red Hat JBoss Web Server 2 for RHEL 6 Server - i386, x86_64 Red Hat JBoss Web Server 2 for RHEL 7 Server - x86_64 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. A flaw was found in the way the mod_cluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the mod_cluster manager web interface. (CVE-2015-0298) It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them. (CVE-2014-8111) All users of Red Hat JBoss Web Server 2.1.0 are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied, and back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1182591 - CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing 1197769 - CVE-2015-0298 mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages 6. 
Package List:

Red Hat JBoss Web Server 2 for RHEL 5 Server:

Source:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.src.rpm
mod_jk-1.2.40-4.redhat_2.ep6.el5.src.rpm

i386:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.i386.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el5.i386.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.i386.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el5.i386.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el5.i386.rpm

x86_64:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el5.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el5.x86_64.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el5.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 6 Server:

Source:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.src.rpm
mod_jk-1.2.40-4.redhat_2.ep6.el6.src.rpm

i386:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.i386.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.i386.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el6.i386.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.i386.rpm

x86_64:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 7 Server:

Source:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.src.rpm
mod_jk-1.2.40-4.redhat_2.ep6.el7.src.rpm

x86_64:
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el7.x86_64.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.
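A check that follows naturally from a package list like the one above: given `rpm -qa` output from a host, which of the erratum's packages are already at the fixed build and which are still older? The Python below is an added example written for this archive; it is not part of the advisory and not a Red Hat tool. It re-implements rpm's version ordering (rpmvercmp) so it can run offline on captured output. The `rpm -qa` sample inside is constructed: the pre-fix release string `3.Final_redhat_2` and the package name `example-unrelated` are assumptions made for the example, not facts from the advisory, and the comparison ignores epoch, which is only valid when both builds carry the same epoch.

```python
import re

# Fixed builds, copied from the advisory's "Red Hat JBoss Web Server 2 for
# RHEL 6 Server" list (Source and x86_64 blocks; the i386 block is omitted).
ADVISORY_PACKAGES = """
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.src.rpm
mod_jk-1.2.40-4.redhat_2.ep6.el6.src.rpm
mod_cluster-native-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-4.Final_redhat_2.ep6.el6.x86_64.rpm
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
mod_jk-debuginfo-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
mod_jk-manual-1.2.40-4.redhat_2.ep6.el6.x86_64.rpm
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`
# on a hypothetical host. The pre-fix "-3." release and the unrelated package
# are assumptions made up for this example, not data from the advisory.
INSTALLED_SAMPLE = """
example-unrelated-1.0-1.el6.noarch
mod_cluster-native-1.2.9-3.Final_redhat_2.ep6.el6.x86_64
mod_jk-ap22-1.2.40-4.redhat_2.ep6.el6.x86_64
"""

def _is_token(c: str) -> bool:
    # Characters that form comparable segments; everything else is a separator.
    return c.isascii() and (c.isalnum() or c == "~")

def rpmvercmp(a: str, b: str) -> int:
    """rpm's version/release ordering: -1, 0 or 1. Digit runs compare
    numerically, letter runs as strings, digits beat letters, '~' sorts
    before anything, every other character is a separator."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_token(a[i]):
            i += 1
        while j < len(b) and not _is_token(b[j]):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if tilde_a and tilde_b:
                i, j = i + 1, j + 1
                continue
            return -1 if tilde_a else 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        m_b = re.match(pattern, b[j:])
        seg_b = m_b.group(0) if m_b else ""
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:                       # segment types differ
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1     # leftover characters win

def parse_nvra(entry: str):
    """Split 'name-version-release.arch[.rpm]' from the right, because
    names may themselves contain dashes (mod_cluster-native)."""
    entry = entry.strip()
    if entry.endswith(".rpm"):
        entry = entry[:-4]
    rest, arch = entry.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch

def compare_evr(v_a: str, r_a: str, v_b: str, r_b: str) -> int:
    """Order by version, then release. Epoch is ignored, which is only
    correct when both builds carry the same epoch (assumed here)."""
    return rpmvercmp(v_a, v_b) or rpmvercmp(r_a, r_b)

def check_host(advisory_text: str, installed_text: str) -> dict:
    """For each installed package the erratum names: 'vulnerable' (older
    than the fixed build), 'fixed' (same build) or 'newer'."""
    fixed = {}
    for entry in advisory_text.split():
        name, version, release, arch = parse_nvra(entry)
        if arch != "src":                   # source RPMs are never installed
            fixed[(name, arch)] = (version, release)
    status = {}
    for entry in installed_text.split():
        name, version, release, arch = parse_nvra(entry)
        if (name, arch) in fixed:
            rc = compare_evr(version, release, *fixed[(name, arch)])
            status[name] = "vulnerable" if rc < 0 else "fixed" if rc == 0 else "newer"
    return status

if __name__ == "__main__":
    for name, state in sorted(check_host(ADVISORY_PACKAGES, INSTALLED_SAMPLE).items()):
        print(f"{name}: {state}")
```

The same parser and comparison apply unchanged to the EAP package lists in the advisories further down; only the two text blocks need swapping. A "fixed" result only says the files are on disk: as the advisory states, the Red Hat JBoss Web Server process must still be restarted, and package signatures should be verified (`rpm -K`) against the key linked below before installation.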
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8111
https://access.redhat.com/security/cve/CVE-2015-0298
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFV04JXXlSAg2UNWIIRAobWAJ4r5HJEKoBR5VhYKxZSnUqdM6DdRACffNn0
TYxsVdrkepuKkGVOeHIGsvw=
=+xyj
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Aug 24 18:48:46 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Aug 2015 14:48:46 -0400
Subject: [RHSA-2015:1669-01] Moderate: Red Hat JBoss Enterprise Application Platform security update
Message-ID: <201508241848.t7OImkTp017970@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform security update
Advisory ID: RHSA-2015:1669-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1669.html
Issue date: 2015-08-24
CVE Names: CVE-2015-3158
=====================================================================

1. Summary:

An updated Red Hat JBoss Enterprise Application Platform 6.4.3 package that fixes a security issue, several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 5.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 5 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.2 and includes bug fixes and enhancements.
Documentation for these changes is available from the Red Hat JBoss Enterprise Application Platform 6.4.3 Release Notes, linked to in the References.

The following security issue is also fixed with this release:

It was discovered that under specific conditions PicketLink IDP ignores role based authorization. This could lead to an authenticated user being able to access application resources that are not permitted for a given role. (CVE-2015-3158)

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5 are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1216123 - CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
1247692 - RHEL5 RPMs: Upgrade hibernate4-eap6 to 4.2.20.Final-redhat-1
1247696 - RHEL5 RPMs: Upgrade jboss-modules to 1.3.7.Final-redhat-1
1247700 - RHEL5 RPMs: Upgrade jbossts to 4.17.30.Final-redhat-1
1247705 - RHEL5 RPMs: Upgrade jbossweb to 7.5.10.Final-redhat-1
1247709 - RHEL5 RPMs: Upgrade resteasy to 2.3.12.Final-redhat-1

6.
Package List:

Red Hat JBoss EAP 6.4 for RHEL 5:

Source:
glassfish-jsf-eap6-2.1.28-9.redhat_10.1.ep6.el5.src.rpm
hibernate4-eap6-4.2.20-1.Final_redhat_1.1.ep6.el5.src.rpm
hornetq-2.3.25-4.SP3_redhat_1.1.ep6.el5.src.rpm
jboss-as-appclient-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-cli-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-client-all-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-clustering-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-cmp-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-connector-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-console-2.5.6-2.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-controller-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-controller-client-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-core-security-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-domain-http-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-domain-management-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-ee-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-ejb3-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-embedded-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-host-controller-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jacorb-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jaxr-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jdr-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jmx-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jpa-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jsf-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-jsr77-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-logging-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-mail-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-messaging-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-modcluster-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-naming-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-network-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-osgi-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-picketlink-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-pojo-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-process-controller-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-protocol-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-remoting-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-sar-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-security-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-server-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-threads-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-transactions-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-version-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-web-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-webservices-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-weld-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-xts-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jboss-hal-2.5.6-2.Final_redhat_2.1.ep6.el5.src.rpm
jboss-modules-1.3.7-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-appclient-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-bundles-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-core-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-domain-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-javadocs-7.5.3-2.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-modules-eap-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-product-eap-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-standalone-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.5.3-1.Final_redhat_2.1.ep6.el5.src.rpm
jbossts-4.17.30-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossweb-7.5.10-1.Final_redhat_1.1.ep6.el5.src.rpm
picketlink-bindings-2.5.4-8.SP7_redhat_1.1.ep6.el5.src.rpm
picketlink-federation-2.5.4-8.SP7_redhat_1.1.ep6.el5.src.rpm
resteasy-2.3.12-1.Final_redhat_1.1.ep6.el5.src.rpm

noarch:
glassfish-jsf-eap6-2.1.28-9.redhat_10.1.ep6.el5.noarch.rpm
hibernate4-core-eap6-4.2.20-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-eap6-4.2.20-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-entitymanager-eap6-4.2.20-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-envers-eap6-4.2.20-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-infinispan-eap6-4.2.20-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hornetq-2.3.25-4.SP3_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-cli-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-connector-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-console-2.5.6-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-controller-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ee-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-logging-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-mail-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-naming-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-network-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-sar-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-security-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-server-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-threads-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-version-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-web-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-weld-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-xts-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-hal-2.5.6-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-modules-1.3.7-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-appclient-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-bundles-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-core-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-domain-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.5.3-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-modules-eap-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-standalone-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.5.3-1.Final_redhat_2.1.ep6.el5.noarch.rpm
jbossts-4.17.30-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossweb-7.5.10-1.Final_redhat_1.1.ep6.el5.noarch.rpm
picketlink-bindings-2.5.4-8.SP7_redhat_1.1.ep6.el5.noarch.rpm
picketlink-federation-2.5.4-8.SP7_redhat_1.1.ep6.el5.noarch.rpm
resteasy-2.3.12-1.Final_redhat_1.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3158
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFV22cNXlSAg2UNWIIRAv8gAJ9JPGS1WFhIoca4QsKeQvAYr0sshwCcCgTN
xeH5AnqenrbMVYtKIXJ4Teo=
=KLSP
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Aug 24 18:49:25 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Aug 2015 14:49:25 -0400
Subject: [RHSA-2015:1670-01] Moderate: Red Hat JBoss Enterprise Application Platform security update
Message-ID: <201508241849.t7OInPHA018219@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform security update
Advisory ID: RHSA-2015:1670-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1670.html
Issue date: 2015-08-24
CVE Names: CVE-2015-3158
=====================================================================

1. Summary:

An updated Red Hat JBoss Enterprise Application Platform 6.4.3 package that fixes a security issue, several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 6.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.2 and includes bug fixes and enhancements. Documentation for these changes is available from the Red Hat JBoss Enterprise Application Platform 6.4.3 Release Notes, linked to in the References.

The following security issue is also fixed with this release:

It was discovered that under specific conditions PicketLink IDP ignores role based authorization.
This could lead to an authenticated user being able to access application resources that are not permitted for a given role. (CVE-2015-3158)

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1216123 - CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
1247691 - RHEL6 RPMs: Upgrade hibernate4-eap6 to 4.2.20.Final-redhat-1
1247695 - RHEL6 RPMs: Upgrade jboss-modules to 1.3.7.Final-redhat-1
1247697 - RHEL6 RPMs: Upgrade jbossts to 4.17.30.Final-redhat-1
1247702 - RHEL6 RPMs: Upgrade jbossweb to 7.5.10.Final-redhat-1
1247707 - RHEL6 RPMs: Upgrade resteasy to 2.3.12.Final-redhat-1

6.
Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
glassfish-jsf-eap6-2.1.28-9.redhat_10.1.ep6.el6.src.rpm
hibernate4-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.src.rpm
hornetq-2.3.25-4.SP3_redhat_1.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cli-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-connector-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-console-2.5.6-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-http-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-ejb3-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-host-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jacorb-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxr-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jdr-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jmx-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jpa-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jsf-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-jsr77-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-logging-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-mail-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-messaging-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-modcluster-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-naming-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-network-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-picketlink-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-remoting-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-sar-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-security-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-server-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-threads-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-transactions-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-version-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-web-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-webservices-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-weld-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-xts-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jboss-hal-2.5.6-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-modules-1.3.7-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-appclient-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-bundles-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-core-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-domain-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-javadocs-7.5.3-2.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-modules-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-product-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-standalone-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.src.rpm
jbossts-4.17.30-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossweb-7.5.10-1.Final_redhat_1.1.ep6.el6.src.rpm
picketlink-bindings-2.5.4-8.SP7_redhat_1.1.ep6.el6.src.rpm
picketlink-federation-2.5.4-8.SP7_redhat_1.1.ep6.el6.src.rpm
resteasy-2.3.12-1.Final_redhat_1.1.ep6.el6.src.rpm

noarch:
glassfish-jsf-eap6-2.1.28-9.redhat_10.1.ep6.el6.noarch.rpm
hibernate4-core-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-entitymanager-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-envers-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-infinispan-eap6-4.2.20-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hornetq-2.3.25-4.SP3_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cli-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-connector-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-console-2.5.6-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-logging-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-mail-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-naming-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-network-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-picketlink-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-sar-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-security-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-server-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-threads-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-version-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-web-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-weld-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-xts-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-hal-2.5.6-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-modules-1.3.7-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-appclient-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-bundles-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-core-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-domain-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.5.3-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-modules-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-standalone-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.5.3-1.Final_redhat_2.1.ep6.el6.noarch.rpm
jbossts-4.17.30-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossweb-7.5.10-1.Final_redhat_1.1.ep6.el6.noarch.rpm
picketlink-bindings-2.5.4-8.SP7_redhat_1.1.ep6.el6.noarch.rpm
picketlink-federation-2.5.4-8.SP7_redhat_1.1.ep6.el6.noarch.rpm
resteasy-2.3.12-1.Final_redhat_1.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3158
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFV22c0XlSAg2UNWIIRAn1sAJ0b+offIPp75W3TcCxfdW0B6erBwwCgizmm
IJAVVeEqXHKWN1begc15zR8=
=+CD2
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Aug 24 18:49:57 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Aug 2015 14:49:57 -0400
Subject: [RHSA-2015:1671-01] Moderate: Red Hat JBoss Enterprise Application Platform security update
Message-ID: <201508241849.t7OInv3x018375@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform security update
Advisory ID: RHSA-2015:1671-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1671.html
Issue date: 2015-08-24
CVE Names: CVE-2015-3158
=====================================================================

1. Summary:

An updated Red Hat JBoss Enterprise Application Platform 6.4.3 package that fixes a security issue, several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 7.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.2 and includes bug fixes and enhancements. Documentation for these changes is available from the Red Hat JBoss Enterprise Application Platform 6.4.3 Release Notes, linked to in the References.

It was discovered that under specific conditions PicketLink IDP ignores role based authorization.
This could lead to an authenticated user being able to access application resources that are not permitted for a given role. (CVE-2015-3158)

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements. The JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1216123 - CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
1247693 - RHEL7 RPMs: Upgrade hibernate4-eap6 to 4.2.20.Final-redhat-1
1247698 - RHEL7 RPMs: Upgrade jboss-modules to 1.3.7.Final-redhat-1
1247703 - RHEL7 RPMs: Upgrade jbossts to 4.17.30.Final-redhat-1
1247706 - RHEL7 RPMs: Upgrade jbossweb to 7.5.10.Final-redhat-1
1247710 - RHEL7 RPMs: Upgrade resteasy to 2.3.12.Final-redhat-1

6.
Package List:

Red Hat JBoss Enterprise Application Platform 6 for RHEL 7 Server:

Source:
glassfish-jsf-eap6-2.1.28-9.redhat_10.1.ep6.el7.src.rpm
hibernate4-eap6-4.2.20-1.Final_redhat_1.1.ep6.el7.src.rpm
hornetq-2.3.25-4.SP3_redhat_1.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-cli-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-connector-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-console-2.5.6-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-controller-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-ee-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-logging-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-mail-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-naming-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-network-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-sar-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-security-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-server-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-threads-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-version-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-web-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-weld-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-xts-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jboss-hal-2.5.6-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-modules-1.3.7-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-appclient-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-bundles-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-core-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-domain-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-javadocs-7.5.3-2.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-modules-eap-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-product-eap-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-standalone-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossas-welcome-content-eap-7.5.3-1.Final_redhat_2.1.ep6.el7.src.rpm
jbossts-4.17.30-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossweb-7.5.10-1.Final_redhat_1.1.ep6.el7.src.rpm
picketlink-bindings-2.5.4-8.SP7_redhat_1.1.ep6.el7.src.rpm
picketlink-federation-2.5.4-8.SP7_redhat_1.1.ep6.el7.src.rpm
resteasy-2.3.12-1.Final_redhat_1.1.ep6.el7.src.rpm

noarch:
glassfish-jsf-eap6-2.1.28-9.redhat_10.1.ep6.el7.noarch.rpm
hibernate4-core-eap6-4.2.20-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-eap6-4.2.20-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-entitymanager-eap6-4.2.20-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-envers-eap6-4.2.20-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-infinispan-eap6-4.2.20-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hornetq-2.3.25-4.SP3_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-appclient-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-cli-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-client-all-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-clustering-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-cmp-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-connector-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-console-2.5.6-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-controller-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-controller-client-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-core-security-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-deployment-repository-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-deployment-scanner-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-domain-http-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-domain-management-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-ee-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-ee-deployment-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-ejb3-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-embedded-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-host-controller-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jacorb-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jaxr-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jaxrs-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jdr-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jmx-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jpa-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jsf-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-jsr77-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-logging-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-mail-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-management-client-content-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-messaging-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-modcluster-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-naming-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-network-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-osgi-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-osgi-configadmin-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-osgi-service-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-picketlink-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-platform-mbean-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-pojo-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-process-controller-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-protocol-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-remoting-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-sar-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-security-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-hal-2.5.6-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-modules-1.3.7-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-core-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.3-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.3-1.Final_redhat_2.1.ep6.el7.noarch.rpm
jbossts-4.17.30-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossweb-7.5.10-1.Final_redhat_1.1.ep6.el7.noarch.rpm
picketlink-bindings-2.5.4-8.SP7_redhat_1.1.ep6.el7.noarch.rpm
picketlink-federation-2.5.4-8.SP7_redhat_1.1.ep6.el7.noarch.rpm
resteasy-2.3.12-1.Final_redhat_1.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3158
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFV22dTXlSAg2UNWIIRAtZEAJ9pM02hVUN4z4/+TqBxRWbvuHj53ACgtVjK
v88UTzI1T1O94q1BIZlzrrE=
=Rexc
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Aug 24 18:50:03 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Aug 2015 14:50:03 -0400
Subject: [RHSA-2015:1672-01] Moderate: Red Hat JBoss Enterprise Application Platform security update
Message-ID: <201508241850.t7OIo3PS021690@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform security update
Advisory ID:       RHSA-2015:1672-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1672.html
Issue date:        2015-08-24
CVE Names:         CVE-2015-3158
=====================================================================

1. Summary:

An updated Red Hat JBoss Enterprise Application Platform 6.4.3 package that
fixes a security issue and several bugs, and adds various enhancements, is
now available for Red Hat Enterprise Linux 6.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise
Application Platform 6.4.2 and includes bug fixes and enhancements.
Documentation for these changes is available from the Red Hat JBoss
Enterprise Application Platform 6.4.3 Release Notes, linked to in the
References.

The following security issue is also fixed with this release:

It was discovered that, under specific conditions, PicketLink IDP ignores
role-based authorization.
This could lead to an authenticated user being able to access application
resources that are not permitted for a given role. (CVE-2015-3158)

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat
Enterprise Linux 6 are advised to upgrade to this updated package, which
fixes these bugs and adds these enhancements. The JBoss server process must
be restarted for the update to take effect.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1216123 - CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
1247691 - RHEL6 RPMs: Upgrade hibernate4-eap6 to 4.2.20.Final-redhat-1
1247695 - RHEL6 RPMs: Upgrade jboss-modules to 1.3.7.Final-redhat-1
1247697 - RHEL6 RPMs: Upgrade jbossts to 4.17.30.Final-redhat-1
1247702 - RHEL6 RPMs: Upgrade jbossweb to 7.5.10.Final-redhat-1
1247707 - RHEL6 RPMs: Upgrade resteasy to 2.3.12.Final-redhat-1

5. References:

https://access.redhat.com/security/cve/CVE-2015-3158
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

6. Contact:

The Red Hat security contact is .  More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFV22daXlSAg2UNWIIRAgmkAJ0WKBA61ZETsa3+RlOF9qBA13alWgCghZV0
aIyNHSdNGH4NbC/hUB8pjd0=
=Aa8K
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Aug 24 18:50:12 2015
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 24 Aug 2015 14:50:12 -0400
Subject: [RHSA-2015:1673-01] Moderate: jboss-ec2-eap bug fix security update
Message-ID: <201508241850.t7OIoCkr017548@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jboss-ec2-eap bug fix security update
Advisory ID:       RHSA-2015:1673-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1673.html
Issue date:        2015-08-24
CVE Names:         CVE-2015-3158
=====================================================================

1. Summary:

An updated jboss-ec2-eap package that fixes a security issue, fixes several
bugs and adds various enhancements is now available for Red Hat JBoss
Enterprise Application Platform 6.4.3 on Red Hat Enterprise Linux 6.

2. Relevant releases/architectures:

Red Hat JBoss EAP 6.4 for RHEL 6 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java EE
applications. It is based on JBoss Application Server 7 and incorporates
multiple open-source projects to provide a complete Java EE platform
solution.

* The jboss-ec2-eap package provides scripts for Red Hat JBoss Enterprise
Application Platform running on the Amazon Web Services (AWS) Elastic
Compute Cloud (EC2). With this update, the package has been updated to
ensure compatibility with Red Hat JBoss Enterprise Application Platform
6.4.3. (BZ#1228766)

The following security issue is also fixed with this release:

It was discovered that, under specific conditions, PicketLink IDP ignores
role-based authorization.
This could lead to an authenticated user being able to access application
resources that are not permitted for a given role. (CVE-2015-3158)

Users of Red Hat JBoss Enterprise Application Platform 6.4.2 jboss-ec2-eap
are advised to upgrade to this updated package, which fixes these bugs and
adds these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, make sure to back up any
modified configuration files, deployments, and all user data.

After applying the update, restart the instance of Red Hat JBoss Enterprise
Application Platform for the changes to take effect.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1216123 - CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization

6. Package List:

Red Hat JBoss EAP 6.4 for RHEL 6:

Source:
jboss-ec2-eap-7.5.3-1.Final_redhat_2.ep6.el6.src.rpm

noarch:
jboss-ec2-eap-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm
jboss-ec2-eap-samples-7.5.3-1.Final_redhat_2.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3158
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is .  More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFV22diXlSAg2UNWIIRAsusAJ9D4dwOTHxDbMONIF5Z+Z2++s69oQCfS3aM
AYjT7Ue0cheeZ7aH+u/wd8s=
=uNd/
-----END PGP SIGNATURE-----
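Added example, not part of any advisory above and not Red Hat tooling: the advisories list the fixed package builds and point to the GPG key for verifying them, but leave the host-side check to the administrator. The Python below ports rpm's rpmvercmp() label ordering, parses advisory filenames into name, version, release and arch, and flags installed packages that are still older than the fixed build. Assumptions, also marked in the code: the installed-package lines are a constructed sample from a hypothetical, partly patched RHEL 7 host (the older builds are invented), the advisory subset is copied from the RHEL 7 package list above, and fixed builds are taken to have epoch 0 because advisory filenames carry none.

```python
import re
from itertools import zip_longest
from typing import Dict, Iterable, List, Tuple

# rpm walks a label as digit runs, ASCII letter runs and the '~'/'^' markers;
# every other character is a separator and carries no meaning.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")
EVR = Tuple[str, str, str]  # (epoch, version, release)


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release labels as rpm's rpmvercmp() does: -1, 0 or 1."""
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if "~" in (x, y):                    # tilde: pre-release, sorts below anything
            if x != y:
                return 1 if y == "~" else -1
            continue
        if "^" in (x, y):                    # caret: post-release, above the bare base
            if x is None or y is None:
                return -1 if x is None else 1
            if x != y:
                return 1 if y == "^" else -1
            continue
        if x is None or y is None:           # the label with segments left wins
            return -1 if x is None else 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:                     # a numeric segment beats an alphabetic one
            return 1 if xnum else -1
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):             # more digits means a bigger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def evr_cmp(have: EVR, want: EVR) -> int:
    """Order (epoch, version, release) triples the way rpm orders packages."""
    eh, ew = int(have[0] or 0), int(want[0] or 0)
    if eh != ew:
        return 1 if eh > ew else -1
    return rpmvercmp(have[1], want[1]) or rpmvercmp(have[2], want[2])


def parse_nevra(filename: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch.rpm'; version and release never contain
    '-', so right-splitting is safe for names such as 'jboss-as-web'."""
    stem = filename[:-4] if filename.endswith(".rpm") else filename
    nevr, arch = stem.rsplit(".", 1)
    name, version, release = nevr.rsplit("-", 2)
    return name, version, release, arch


def outdated_packages(rpm_qa_output: str,
                      fixed_files: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed V-R, fixed V-R) for advisory packages below the fix.

    rpm_qa_output holds one 'NAME EPOCH VERSION RELEASE' line per installed
    package (rpm prints an unset epoch as '(none)'). Advisory filenames carry
    no epoch, so the fixed builds are assumed to have epoch 0.
    """
    fixed: Dict[str, EVR] = {}
    for f in fixed_files:
        name, version, release, _arch = parse_nevra(f)
        fixed[name] = ("0", version, release)
    findings = []
    for line in rpm_qa_output.strip().splitlines():
        name, epoch, version, release = line.split()
        if name not in fixed:
            continue
        have: EVR = ("0" if epoch == "(none)" else epoch, version, release)
        if evr_cmp(have, fixed[name]) < 0:
            findings.append((name, f"{version}-{release}",
                             f"{fixed[name][1]}-{fixed[name][2]}"))
    return findings


# Fixed builds copied from the RHEL 7 package list in the advisory above (a subset).
ADVISORY_PACKAGES = [
    "hibernate4-core-eap6-4.2.20-1.Final_redhat_1.1.ep6.el7.noarch.rpm",
    "jboss-modules-1.3.7-1.Final_redhat_1.1.ep6.el7.noarch.rpm",
    "jbossweb-7.5.10-1.Final_redhat_1.1.ep6.el7.noarch.rpm",
    "picketlink-federation-2.5.4-8.SP7_redhat_1.1.ep6.el7.noarch.rpm",
    "resteasy-2.3.12-1.Final_redhat_1.1.ep6.el7.noarch.rpm",
]

# Constructed sample of rpm -qa output from a hypothetical, partly patched
# host; the older builds here are invented for the demonstration.
SAMPLE_RPM_QA = """\
jbossweb (none) 7.5.8 1.Final_redhat_1.1.ep6.el7
picketlink-federation (none) 2.5.4 7.SP6_redhat_1.1.ep6.el7
hibernate4-core-eap6 (none) 4.2.18 1.Final_redhat_1.1.ep6.el7
resteasy (none) 2.3.12 1.Final_redhat_1.1.ep6.el7
jboss-modules (none) 1.3.6 1.Final_redhat_1.1.ep6.el7
bash (none) 4.2.46 19.el7
"""

if __name__ == "__main__":
    for name, have, want in outdated_packages(SAMPLE_RPM_QA, ADVISORY_PACKAGES):
        print(f"{name}: installed {have}, advisory fixes it in {want}")
```

On a real host the input comes from `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'`, and `rpm -K` on the downloaded RPMs (with Red Hat's key imported) covers the signature check the advisories refer to. A host can pass this check and still be running the vulnerable code, because the JBoss process keeps the classes it loaded at start-up until it is restarted, which is why each advisory calls for a restart after the update.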