From bugzilla at redhat.com  Wed Aug 10 18:53:31 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 10 Aug 2016 14:53:31 -0400
Subject: [RHSA-2016:1592-01] Moderate: Red Hat JBoss BRMS 6.3.2 security and bug fix update
Message-ID: <201608101853.u7AIrVmr017557@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss BRMS 6.3.2 security and bug fix update
Advisory ID:       RHSA-2016:1592-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1592.html
Issue date:        2016-08-10
CVE Names:         CVE-2015-3192
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BRMS.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

Security Fix(es):

* A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input

5. References:

https://access.redhat.com/security/cve/CVE-2015-3192
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.3

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXq3gpXlSAg2UNWIIRAu4JAKC4QLcMDYUiTUYMQl19QMZ2duKSTgCfcgOz
wpNBzoNGqCaQLJ4KZBpf+04=
=Wsxv
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Aug 10 18:53:43 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 10 Aug 2016 14:53:43 -0400
Subject: [RHSA-2016:1593-01] Moderate: Red Hat JBoss BPM Suite 6.3.2 security and bug fix update
Message-ID: <201608101853.u7AIrhNN000577@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss BPM Suite 6.3.2 security and bug fix update
Advisory ID:       RHSA-2016:1593-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1593.html
Issue date:        2016-08-10
CVE Names:         CVE-2015-3192
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BPM Suite.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

Security Fix(es):

* A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.

4. Bugs fixed (https://bugzilla.redhat.com/):

1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input

5. References:

https://access.redhat.com/security/cve/CVE-2015-3192
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.3

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
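Editor's added example (not Spring's or Red Hat's code, and not part of the advisory above): the two advisories describe CVE-2015-3192 as Spring exhausting memory while processing inline DTD declarations in attacker-supplied XML. The defensive pattern that removes this class of problem, refusing any DOCTYPE before the parser reads its internal subset, is language-independent; it is shown here with Python's standard-library expat bindings because that runs anywhere. The function names, the size cap and the two sample documents are this example's own constructions.

```python
"""Refuse DOCTYPE/DTD declarations in XML received from remote clients.

Added example, not Spring's or Red Hat's code. The sample documents and the
1 MB default cap are constructed for this illustration.
"""
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when an untrusted document carries a DOCTYPE (inline or external DTD)."""


def parse_untrusted_xml(data, max_bytes=1_000_000):
    """Return the element names of `data` in document order, or raise.

    Two controls: a coarse input size cap as the first line of defence, and a
    DOCTYPE handler that aborts the parse before expat reads the internal
    subset, so no entity declared in an inline DTD is ever expanded.
    """
    if len(data) > max_bytes:
        raise ValueError("document exceeds %d bytes" % max_bytes)

    parser = xml.parsers.expat.ParserCreate()
    tags = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fail closed. An internal subset is the inline-DTD case from the
        # advisory; a DOCTYPE that only references an external DTD is refused
        # too, since client-supplied data has no business carrying one.
        raise DtdNotAllowed(
            "DOCTYPE %r refused (inline subset: %s)" % (name, bool(has_internal_subset))
        )

    def on_start(name, attrs):
        tags.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse()
    return tags


def is_accepted(data):
    """Request-validation wrapper: True only if `data` parsed cleanly.

    DtdNotAllowed is a ValueError, so it is covered by the first clause.
    """
    try:
        parse_untrusted_xml(data)
        return True
    except (ValueError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs for this example.
SAFE_DOC = b'<?xml version="1.0"?><order><item sku="A1"/><item sku="B2"/></order>'
DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [ <!ENTITY unit "piece"> ]>'
    b'<order><item sku="A1">&unit;</item></order>'
)

if __name__ == "__main__":
    print("plain document accepted:", is_accepted(SAFE_DOC), parse_untrusted_xml(SAFE_DOC))
    print("document with inline DTD accepted:", is_accepted(DTD_DOC))
```

The check happens at the DOCTYPE event rather than by regex on the raw bytes, so it cannot be bypassed by encoding tricks the parser would accept but a string match would miss; the size cap stays as a second control because a document with no DTD can still be large.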
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXq3g2XlSAg2UNWIIRAtqIAKCewx7CbCRy6fNudEQnXNxj8zFUvgCghGAN
nAzR/teb/u8NuwxguiUD7X0=
=3k/N
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Aug 17 19:42:32 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 17 Aug 2016 15:42:32 -0400
Subject: [RHSA-2016:1624-01] Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update
Message-ID: <201608171942.u7HJgWCq000543@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update
Advisory ID:       RHSA-2016:1624-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1624.html
Issue date:        2016-08-17
CVE Names:         CVE-2016-5387 CVE-2016-5388
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fix two security issues and a bug with ajp processors are now available for Solaris, and Microsoft Windows from the Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as an update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat.

Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.

Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

After installing the updated packages, the httpd daemon will be restarted automatically.

After installing the updated packages, follow the instructions in this knowledgebase article to configure Tomcat: https://access.redhat.com/solutions/2435491

4. Bugs fixed (https://bugzilla.redhat.com/):

1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
1353809 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header

5. References:

https://access.redhat.com/security/cve/CVE-2016-5387
https://access.redhat.com/security/cve/CVE-2016-5388
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.0.3
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.0.3_Release_Notes/index.html
https://access.redhat.com/security/vulnerabilities/httpoxy
https://access.redhat.com/solutions/2435491

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXtL4nXlSAg2UNWIIRAssaAJwKY8rKzx7FGT8Fo51yqJjCGFWNBACdGkYY
8ong/5/WUO1t/Xpa7KN0UJ0=
=rpLL
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Aug 17 19:42:39 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 17 Aug 2016 15:42:39 -0400
Subject: [RHSA-2016:1625-02] Important: Red Hat JBoss Core Services Apache HTTP 2.4.6 Service Pack 1 security update
Message-ID: <201608171942.u7HJgdBm017041@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Core Services Apache HTTP 2.4.6 Service Pack 1 security update
Advisory ID:       RHSA-2016:1625-02
Product:           Red Hat JBoss Core Services
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1625.html
Issue date:        2016-08-17
CVE Names:         CVE-2016-5387
=====================================================================

1. Summary:

Red Hat JBoss Core Services Service Pack 1 is now available from the Red Hat Customer Portal for Solaris and Microsoft Windows systems.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

This release of Red Hat JBoss Core Services Service Pack 1 serves as a replacement for JBoss Core Services Apache HTTP Server.

Security Fix(es):

* It was discovered that Apache HTTP Server used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

Note: After this update, Apache HTTP Server will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.

Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

After installing the updated packages, the httpd daemon will be restarted automatically.

4. Bugs fixed (https://bugzilla.redhat.com/):

1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header

5. References:

https://access.redhat.com/security/cve/CVE-2016-5387
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=securityPatches&version=2.4.6
https://access.redhat.com/security/vulnerabilities/httpoxy

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXtL4tXlSAg2UNWIIRArwEAJ9y6bOXAixHyIsxXAoemLeL+Sc6kACffk7q
juMwStxc+LbMEMn5wgVfs3o=
=u7ql
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Aug 18 18:59:50 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 Aug 2016 14:59:50 -0400
Subject: [RHSA-2016:1635-01] Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update
Message-ID: <201608181859.u7IIxoBC022694@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update
Advisory ID:       RHSA-2016:1635-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1635
Issue date:        2016-07-22
Updated on:        2016-08-18
CVE Names:         CVE-2016-5387 CVE-2016-5388
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fix two security issues and a bug with ajp processors are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.0 for RHEL 7 - noarch, x86_64

3. Description:

This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as an update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat.
Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.

Red Hat would like to thank Scott Geary (VendHQ) for reporting these issues.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

After installing the updated packages, follow the instructions in this knowledgebase article to configure Tomcat: https://access.redhat.com/solutions/2435491

5. Bugs fixed (https://bugzilla.redhat.com/):

1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
1353809 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header

6. Package List:

Red Hat JBoss Web Server 3.0 for RHEL 7:

Source:
httpd24-2.4.6-62.ep7.el7.src.rpm
tomcat7-7.0.59-51_patch_01.ep7.el7.src.rpm
tomcat8-8.0.18-62_patch_01.ep7.el7.src.rpm

noarch:
httpd24-manual-2.4.6-62.ep7.el7.noarch.rpm
tomcat7-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat7-admin-webapps-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat7-docs-webapp-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat7-javadoc-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat7-lib-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat7-log4j-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat7-webapps-7.0.59-51_patch_01.ep7.el7.noarch.rpm
tomcat8-8.0.18-62_patch_01.ep7.el7.noarch.rpm
tomcat8-admin-webapps-8.0.18-62_patch_01.ep7.el7.noarch.rpm
tomcat8-docs-webapp-8.0.18-62_patch_01.ep7.el7.noarch.rpm
tomcat8-el-2.2-api-8.0.18-62_patch_01.ep7.el7.noarch.rpm
tomcat8-javadoc-8.0.18-62_patch_01.ep7.el7.noarch.rpm
tomcat8-jsp-2.3-api-8.0.18-62_patch_01.ep7.el7.noarch.rpm
tomcat8-lib-8.0.18-62_patch_01.ep7.el7.noarch.rpm
tomcat8-log4j-8.0.18-62_patch_01.ep7.el7.noarch.rpm
tomcat8-servlet-3.1-api-8.0.18-62_patch_01.ep7.el7.noarch.rpm
tomcat8-webapps-8.0.18-62_patch_01.ep7.el7.noarch.rpm

x86_64:
httpd24-2.4.6-62.ep7.el7.x86_64.rpm
httpd24-debuginfo-2.4.6-62.ep7.el7.x86_64.rpm
httpd24-devel-2.4.6-62.ep7.el7.x86_64.rpm
httpd24-tools-2.4.6-62.ep7.el7.x86_64.rpm
mod_ldap24-2.4.6-62.ep7.el7.x86_64.rpm
mod_proxy24_html-2.4.6-62.ep7.el7.x86_64.rpm
mod_session24-2.4.6-62.ep7.el7.x86_64.rpm
mod_ssl24-2.4.6-62.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-5387
https://access.redhat.com/security/cve/CVE-2016-5388
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.0.3_Release_Notes/index.html
https://access.redhat.com/security/vulnerabilities/httpoxy
https://access.redhat.com/solutions/2435491

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXtgWkXlSAg2UNWIIRArDRAKCyoYkfUXihG1L/KRBp+UYEUc1NjgCeMzMB
2imMYz5gU32vqurToeuw4u0=
=zDzz
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Aug 18 19:00:01 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 Aug 2016 15:00:01 -0400
Subject: [RHSA-2016:1636-01] Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update
Message-ID: <201608181900.u7IJ01Tp031196@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update
Advisory ID:       RHSA-2016:1636-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1636
Issue date:        2016-07-22
Updated on:        2016-08-18
CVE Names:         CVE-2016-5387 CVE-2016-5388
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fix two security issues and a bug with ajp processors are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.0 for RHEL 6 - i386, noarch, x86_64

3. Description:

This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as an update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat.

Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.

Red Hat would like to thank Scott Geary (VendHQ) for reporting these issues.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

After installing the updated packages, follow the instructions in this knowledgebase article to configure Tomcat: https://access.redhat.com/solutions/2435491

5. Bugs fixed (https://bugzilla.redhat.com/):

1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
1353809 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header

6. Package List:

Red Hat JBoss Web Server 3.0 for RHEL 6:

Source:
httpd24-2.4.6-62.ep7.el6.src.rpm
tomcat7-7.0.59-51_patch_01.ep7.el6.src.rpm
tomcat8-8.0.18-62_patch_01.ep7.el6.src.rpm

i386:
httpd24-2.4.6-62.ep7.el6.i686.rpm
httpd24-debuginfo-2.4.6-62.ep7.el6.i686.rpm
httpd24-devel-2.4.6-62.ep7.el6.i686.rpm
httpd24-tools-2.4.6-62.ep7.el6.i686.rpm
mod_ldap24-2.4.6-62.ep7.el6.i686.rpm
mod_proxy24_html-2.4.6-62.ep7.el6.i686.rpm
mod_session24-2.4.6-62.ep7.el6.i686.rpm
mod_ssl24-2.4.6-62.ep7.el6.i686.rpm

noarch:
httpd24-manual-2.4.6-62.ep7.el6.noarch.rpm
tomcat7-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat7-admin-webapps-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat7-docs-webapp-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat7-javadoc-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat7-lib-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat7-log4j-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat7-webapps-7.0.59-51_patch_01.ep7.el6.noarch.rpm
tomcat8-8.0.18-62_patch_01.ep7.el6.noarch.rpm
tomcat8-admin-webapps-8.0.18-62_patch_01.ep7.el6.noarch.rpm
tomcat8-docs-webapp-8.0.18-62_patch_01.ep7.el6.noarch.rpm
tomcat8-el-2.2-api-8.0.18-62_patch_01.ep7.el6.noarch.rpm
tomcat8-javadoc-8.0.18-62_patch_01.ep7.el6.noarch.rpm
tomcat8-jsp-2.3-api-8.0.18-62_patch_01.ep7.el6.noarch.rpm
tomcat8-lib-8.0.18-62_patch_01.ep7.el6.noarch.rpm
tomcat8-log4j-8.0.18-62_patch_01.ep7.el6.noarch.rpm
tomcat8-servlet-3.1-api-8.0.18-62_patch_01.ep7.el6.noarch.rpm
tomcat8-webapps-8.0.18-62_patch_01.ep7.el6.noarch.rpm

x86_64:
httpd24-2.4.6-62.ep7.el6.x86_64.rpm
httpd24-debuginfo-2.4.6-62.ep7.el6.x86_64.rpm
httpd24-devel-2.4.6-62.ep7.el6.x86_64.rpm
httpd24-tools-2.4.6-62.ep7.el6.x86_64.rpm
mod_ldap24-2.4.6-62.ep7.el6.x86_64.rpm
mod_proxy24_html-2.4.6-62.ep7.el6.x86_64.rpm
mod_session24-2.4.6-62.ep7.el6.x86_64.rpm
mod_ssl24-2.4.6-62.ep7.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-5387
https://access.redhat.com/security/cve/CVE-2016-5388
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.0.3_Release_Notes/index.html
https://access.redhat.com/security/vulnerabilities/httpoxy
https://access.redhat.com/solutions/2435491

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
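Editor's added example (not httpd's, Tomcat's or Red Hat's code, and not part of the advisory above): the httpoxy advisories in this archive (CVE-2016-5387, CVE-2016-5388) say that the server copied a client's Proxy request header into the HTTP_PROXY environment variable of CGI scripts, and that after the update the header is no longer passed through. The block below models the CGI meta-variable rule from RFC 3875 that produces that behaviour, the post-fix behaviour the advisories describe, the complementary client-side rule (ignore HTTP_PROXY when the process is itself a CGI script, which is also what CPython's urllib does), and a detection pass over access-log lines. The header set, the host names, the log format with a trailing `%{Proxy}i` field and the log lines are all constructed for this example.

```python
"""How a request header becomes HTTP_PROXY, the fix, and a detection pass.

Added example, not httpd's, Tomcat's or Red Hat's code. Header values, host
names and log lines below are constructed for this illustration.
"""
import re


def cgi_meta_variables(headers):
    """RFC 3875 section 4.1.18: each request header 'Name: value' becomes
    HTTP_<NAME>, with the name upper-cased and '-' turned into '_'.
    A client header 'Proxy: ...' therefore lands in HTTP_PROXY, the variable
    many HTTP client libraries read to pick an outbound proxy."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def hardened_cgi_meta_variables(headers):
    """Behaviour after the fix: the Proxy request header is dropped before the
    environment is built, so HTTP_PROXY can only come from the server's own
    configuration. Header names compare case-insensitively, as HTTP requires."""
    kept = {name: value for name, value in headers.items() if name.lower() != "proxy"}
    return cgi_meta_variables(kept)


def effective_http_proxy(environ):
    """Client-side defence for code that may run as a CGI script.

    REQUEST_METHOD is always set in a CGI environment (RFC 3875) and never in
    an ordinary shell, so its presence marks HTTP_PROXY as potentially
    client-supplied and the variable is ignored. CPython's urllib applies the
    same rule since its httpoxy fix.
    """
    if "REQUEST_METHOD" in environ:
        return None
    return environ.get("HTTP_PROXY") or environ.get("http_proxy")


# Assumed access-log layout for detection: common-log fields followed by the
# Proxy request header logged via %{Proxy}i, which prints "-" when absent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+ "([^"]*)"$')


def requests_with_proxy_header(log_lines):
    """Return (client, request line, Proxy value) for every request that
    carried a Proxy header. Browsers and ordinary API clients never send one,
    so each hit deserves a look whether or not the server is already patched."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match and match.group(3) not in ("", "-"):
            hits.append((match.group(1), match.group(2), match.group(3)))
    return hits


# Constructed sample data.
REQUEST_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://proxy.example.invalid:8080",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Aug/2016:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-"',
    '10.0.0.9 - - [17/Aug/2016:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "http://proxy.example.invalid:8080"',
    '10.0.0.5 - - [17/Aug/2016:10:01:09 +0000] "POST /api/login HTTP/1.1" 302 0 "-"',
]

if __name__ == "__main__":
    print("pre-fix mapping    :", cgi_meta_variables(REQUEST_HEADERS))
    print("post-fix mapping   :", hardened_cgi_meta_variables(REQUEST_HEADERS))
    cgi_env = {"REQUEST_METHOD": "GET", **cgi_meta_variables(REQUEST_HEADERS)}
    print("proxy seen by a CGI:", effective_http_proxy(cgi_env))
    print("suspicious requests:", requests_with_proxy_header(SAMPLE_LOG))
```

The two defences are independent: the server-side drop protects every CGI script behind a patched server, while the REQUEST_METHOD check protects a script that is still deployed behind an unpatched one. Logging the Proxy header is cheap and gives a concrete signal for the window between disclosure and patch roll-out.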
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXtgWwXlSAg2UNWIIRAmYtAKCt1GMyj/1saSBI4Trbvo4+tEo+zwCgqpfw YHcp8NBXB62jrNUt/AFvxis= =Blrv -----END PGP SIGNATURE----- From bugzilla at redhat.com Mon Aug 22 18:08:49 2016 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Mon, 22 Aug 2016 14:08:49 -0400 Subject: [RHSA-2016:1648-01] Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 7 Message-ID: <201608221808.u7MI8no2014202@int-mx10.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 7 Advisory ID: RHSA-2016:1648-01 Product: Red Hat JBoss Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1648.html Issue date: 2016-08-22 CVE Names: CVE-2016-2105 CVE-2016-2106 CVE-2016-3110 CVE-2016-5387 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Web Server 2.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server - noarch, x86_64 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.1.0, and includes several bug fixes. 
Refer to the Red Hat JBoss Web Server 2.1.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ All users of Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 7 are advised to upgrade to Red Hat JBoss Web Server 2.1.1. The JBoss server process must be restarted for this update to take effect. Security Fix(es): * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387) * An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105) * An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106) * It was discovered that it is possible to remotely Segfault Apache http server with a specially crafted string sent to the mod_cluster via service messages (MCMP). (CVE-2016-3110) Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110. 
Upstream acknowledges Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

Note: Do not install Red Hat JBoss Web Server 2 on a host which has Red Hat JBoss Web Server 1 installed.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.

Refer to the Red Hat JBoss Enterprise Web Server 2.1.1 Release Notes for a list of non-security-related fixes.

5. Bugs fixed (https://bugzilla.redhat.com/):

1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1337151 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow [jbews-2.1.0]
1337155 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0]
1337397 - EWS 2.1.1 Tracker Bug for EL7
1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
1358118 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]

6. Package List:

Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server:

Source:
httpd22-2.2.26-56.ep6.el7.src.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el7.src.rpm
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el7.src.rpm
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el7.src.rpm
mod_jk-1.2.41-2.redhat_3.ep6.el7.src.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el7.src.rpm

noarch:
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el7.noarch.rpm
mod_cluster-tomcat6-1.2.13-1.Final_redhat_1.1.ep6.el7.noarch.rpm
mod_cluster-tomcat7-1.2.13-1.Final_redhat_1.1.ep6.el7.noarch.rpm

x86_64:
httpd22-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-debuginfo-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-devel-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-manual-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-tools-2.2.26-56.ep6.el7.x86_64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el7.x86_64.rpm
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el7.x86_64.rpm
mod_cluster-native-debuginfo-1.2.13-3.Final_redhat_2.ep6.el7.x86_64.rpm
mod_jk-ap22-1.2.41-2.redhat_3.ep6.el7.x86_64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_3.ep6.el7.x86_64.rpm
mod_jk-manual-1.2.41-2.redhat_3.ep6.el7.x86_64.rpm
mod_ssl22-2.2.26-56.ep6.el7.x86_64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el7.x86_64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-3110
https://access.redhat.com/security/cve/CVE-2016-5387
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/2.1/html/2.1.1_Release_Notes/index.html
https://access.redhat.com/site/documentation/
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Web_Server/2/html-single/Installation_Guide/index.html
https://access.redhat.com/security/vulnerabilities/httpoxy

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXuz+uXlSAg2UNWIIRAmoiAKCh/4rsAl2PV/JYzyLri9ec4irISgCffoQK
JQJZAKRQLk7zyrQN3s/xHCI=
=bQDQ
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Aug 22 18:08:59 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 22 Aug 2016 14:08:59 -0400
Subject: [RHSA-2016:1649-01] Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 6
Message-ID: <201608221809.u7MI8xm7024376@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 6
Advisory ID:       RHSA-2016:1649-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1649.html
Issue date:        2016-08-22
CVE Names:         CVE-2016-2105 CVE-2016-2106 CVE-2016-3110 CVE-2016-5387
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Web Server 2.1 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server - i386, noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.1.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.1 Release Notes, linked to in the References section, for information on the most significant of these changes.

All users of Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 6 are advised to upgrade to Red Hat JBoss Web Server 2.1.1. The JBoss server process must be restarted for this update to take effect.

Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106)

* It was discovered that a specially crafted string sent to mod_cluster in a service message (MCMP) could remotely crash (segfault) the Apache HTTP Server. (CVE-2016-3110)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110. Upstream acknowledges Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.

Refer to the Red Hat JBoss Enterprise Web Server 2.1.1 Release Notes for a list of non-security-related fixes.

5. Bugs fixed (https://bugzilla.redhat.com/):

1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1337151 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow [jbews-2.1.0]
1337155 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0]
1337396 - EWS 2.1.1 Tracker Bug for EL6
1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
1358118 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]
1366541 - RPM: RHEL6: httpd service is not starting, LD_LIBRARY_PATH needs to be set

6. Package List:

Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server:

Source:
httpd-2.2.26-54.ep6.el6.src.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.src.rpm
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el6.src.rpm
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.src.rpm
mod_jk-1.2.41-2.redhat_3.ep6.el6.src.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.src.rpm

i386:
httpd-2.2.26-54.ep6.el6.i386.rpm
httpd-debuginfo-2.2.26-54.ep6.el6.i386.rpm
httpd-devel-2.2.26-54.ep6.el6.i386.rpm
httpd-manual-2.2.26-54.ep6.el6.i386.rpm
httpd-tools-2.2.26-54.ep6.el6.i386.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.i686.rpm
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.i386.rpm
mod_cluster-native-debuginfo-1.2.13-3.Final_redhat_2.ep6.el6.i386.rpm
mod_jk-ap22-1.2.41-2.redhat_3.ep6.el6.i386.rpm
mod_jk-debuginfo-1.2.41-2.redhat_3.ep6.el6.i386.rpm
mod_jk-manual-1.2.41-2.redhat_3.ep6.el6.i386.rpm
mod_ssl-2.2.26-54.ep6.el6.i386.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.i386.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.i386.rpm

noarch:
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
mod_cluster-tomcat6-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
mod_cluster-tomcat7-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm

x86_64:
httpd-2.2.26-54.ep6.el6.x86_64.rpm
httpd-debuginfo-2.2.26-54.ep6.el6.x86_64.rpm
httpd-devel-2.2.26-54.ep6.el6.x86_64.rpm
httpd-manual-2.2.26-54.ep6.el6.x86_64.rpm
httpd-tools-2.2.26-54.ep6.el6.x86_64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.x86_64.rpm
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.x86_64.rpm
mod_cluster-native-debuginfo-1.2.13-3.Final_redhat_2.ep6.el6.x86_64.rpm
mod_jk-ap22-1.2.41-2.redhat_3.ep6.el6.x86_64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_3.ep6.el6.x86_64.rpm
mod_jk-manual-1.2.41-2.redhat_3.ep6.el6.x86_64.rpm
mod_ssl-2.2.26-54.ep6.el6.x86_64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-3110
https://access.redhat.com/security/cve/CVE-2016-5387
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/2.1/html/2.1.1_Release_Notes/index.html
https://access.redhat.com/site/documentation/
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Web_Server/2/html-single/Installation_Guide/index.html
https://access.redhat.com/security/vulnerabilities/httpoxy

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXuz+5XlSAg2UNWIIRAoHgAJwMIjZPWn4S8MjNMPw/nLebQhV8rACgk7Bj
HqFnESgPgEMVgJ88uek9OXo=
=DaZn
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Mon Aug 22 18:09:05 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 22 Aug 2016 14:09:05 -0400
Subject: [RHSA-2016:1650-01] Important: Red Hat JBoss Web Server 2.1.1 security update
Message-ID: <201608221809.u7MI959u004585@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2.1.1 security update
Advisory ID:       RHSA-2016:1650-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1650.html
Issue date:        2016-08-22
CVE Names:         CVE-2014-3570 CVE-2015-0204 CVE-2016-2105 CVE-2016-2106 CVE-2016-3110 CVE-2016-5387
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server.

Red Hat Product Security has rated this update as having a security impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.1.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.1 Release Notes, linked to in the References section, for information on the most significant of these changes.

Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

* It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method. (CVE-2015-0204)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106)

* It was discovered that a specially crafted string sent to mod_cluster in a service message (MCMP) could remotely crash (segfault) the Apache HTTP Server. (CVE-2016-3110)

* It was found that OpenSSL's BigNumber squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it. (CVE-2014-3570)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110. Upstream acknowledges Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

The References section of this erratum contains a download link (you must log in to download the update).

Refer to the Red Hat JBoss Enterprise Web Server 2.1.1 Release Notes for a list of non-security-related fixes.

4. Bugs fixed (https://bugzilla.redhat.com/):

1180184 - CVE-2015-0204 openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
1180240 - CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1337151 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow [jbews-2.1.0]
1337155 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0]
1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
1358118 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]

5. References:

https://access.redhat.com/security/cve/CVE-2014-3570
https://access.redhat.com/security/cve/CVE-2015-0204
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-3110
https://access.redhat.com/security/cve/CVE-2016-5387
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=distributions&version=2.1.1
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/2.1/html/2.1.1_Release_Notes/index.html
https://access.redhat.com/site/documentation/
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Web_Server/2/html-single/Installation_Guide/index.html
https://access.redhat.com/security/vulnerabilities/httpoxy

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXuz/AXlSAg2UNWIIRAnGKAJ9OG0AmFsej7cbv8xXILF5Lo7krOACdHUkC
VkvGRKSu76E7WPtB8TOdqyw=
=7UQL
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Aug 31 17:03:23 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 31 Aug 2016 13:03:23 -0400
Subject: [RHSA-2016:1785-01] Moderate: Red Hat JBoss Operations Network 3.3.7 security and bug fix update
Message-ID: <201608311703.u7VH3Nei027747@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Operations Network 3.3.7 security and bug fix update
Advisory ID:       RHSA-2016:1785-01
Product:           Red Hat JBoss Operations Network
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1785.html
Issue date:        2016-08-31
CVE Names:         CVE-2016-5422
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Operations Network.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.7 release serves as a replacement for JBoss Operations Network 3.3.6, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.

Security Fix(es):

* It was found that JBoss Operations Network allowed regular users to add a new super user by sending a specially crafted request to the web console. This attack allows escalation of privileges. (CVE-2016-5422)

This issue was discovered by Jeremy Choi (Red Hat Product Security).

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

Refer to the JBoss Operations Network 3.3.7 Release Notes for installation information.

4. Bugs fixed (https://bugzilla.redhat.com/):

1301970 - Some secure-socket-protocol properties are not ready for list of protocols
1359002 - Remove unsupported Python scripting module
1361933 - CVE-2016-5422 JON3: privilege escalation via improper authorization

5. References:

https://access.redhat.com/security/cve/CVE-2016-5422
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXxw3aXlSAg2UNWIIRApN3AJ0Y5fyc6nb97cAPY8PWoo5AQW2hpQCgqOWL
DlH/RR3nh9HUeP8IQJWo62c=
=7dNq
-----END PGP SIGNATURE-----
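The httpoxy flaw (CVE-2016-5387) fixed by the JBoss Web Server advisories above comes from the CGI meta-variable rule that turns every request header into an HTTP_* environment variable. The following Python is an added example, not httpd's code and not part of any advisory: it builds that environment for a constructed request the way a CGI gateway does, shows that a client-supplied Proxy: header becomes HTTP_PROXY and is honoured by a naive client that reads its proxy from the environment, and then shows both fixes: the server side drops the header (what the updated httpd does), and the client side ignores HTTP_PROXY whenever REQUEST_METHOD marks a CGI context (the defence several HTTP client libraries adopted). All header names and values below are made up.

```python
from typing import Dict, List, Optional, Tuple

# Constructed request: the Proxy header is the attacker's, the rest is ordinary.
REQUEST_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.example.com"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://attacker.example:8080"),  # constructed malicious header
]


def cgi_environment(headers: List[Tuple[str, str]], method: str = "GET",
                    unset_proxy: bool = True) -> Dict[str, str]:
    """Build the environment a CGI gateway hands to a script (RFC 3875 4.1.18):
    each request header becomes HTTP_<NAME>, name uppercased, '-' -> '_'.

    unset_proxy=False reproduces the pre-fix behaviour, where a client-sent
    'Proxy:' header lands in HTTP_PROXY; the default drops that one header,
    which is what the fixed httpd does.
    """
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        meta = "HTTP_" + name.strip().upper().replace("-", "_")
        if unset_proxy and meta == "HTTP_PROXY":
            continue  # server-side fix: Proxy: never becomes a meta-variable
        env[meta] = value
    return env


def naive_proxy(env: Dict[str, str]) -> Optional[str]:
    """What a client library that blindly honours HTTP_PROXY/http_proxy uses."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def cgi_safe_proxy(env: Dict[str, str]) -> Optional[str]:
    """Client-side defence: under CGI (REQUEST_METHOD set) HTTP_PROXY is
    attacker-controlled, so only the lowercase, operator-set http_proxy
    counts; outside CGI both spellings are accepted as before."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def demo() -> Dict[str, Optional[str]]:
    """Proxy each client would actually talk to, per server/client combination."""
    vulnerable = cgi_environment(REQUEST_HEADERS, unset_proxy=False)
    fixed = cgi_environment(REQUEST_HEADERS)
    return {
        "vulnerable server, naive client": naive_proxy(vulnerable),
        "vulnerable server, hardened client": cgi_safe_proxy(vulnerable),
        "fixed server, naive client": naive_proxy(fixed),
    }


if __name__ == "__main__":
    for case, proxy in demo().items():
        print(f"{case}: {proxy!r}")
```

Only the first combination routes the script's outbound requests through the attacker's host. For an httpd build that cannot be updated immediately, the same server-side effect is obtained with mod_headers via `RequestHeader unset Proxy early`, the interim mitigation given on the httpoxy page linked from the advisories; the client-side check is independent of the web server and protects scripts run behind gateways that were never patched.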
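The package lists in the JBoss Web Server advisories above give the exact name-version-release.arch of each fixed build, and the practical question on a host is whether what rpm reports is at least that. The following Python is an added example, not Red Hat's tooling and not part of the advisories: it reimplements rpm's rpmvercmp segment comparison (digits numeric, letters lexical, numeric beats alphabetic, '~' sorts before anything, '^' sorts after end-of-string) and checks a constructed `rpm -qa` listing against the RHEL 6 x86_64 and noarch packages from RHSA-2016:1649. The installed releases in INSTALLED are invented for the demonstration; the parser assumes the default `rpm -qa` format and treats a missing epoch as 0. Swap in the RHEL 7 list (httpd22, mod_ssl22, ...) for hosts covered by the other advisory.

```python
import re
from typing import Dict, List, Tuple

# Fixed binary packages for RHEL 6 as listed in RHSA-2016:1649 above.
ADVISORY_FIXED = [
    "httpd-2.2.26-54.ep6.el6.x86_64",
    "mod_ssl-2.2.26-54.ep6.el6.x86_64",
    "jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64",
    "jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.x86_64",
    "mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.x86_64",
    "mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch",
    "mod_jk-ap22-1.2.41-2.redhat_3.ep6.el6.x86_64",
    "tomcat-native-1.1.34-5.redhat_1.ep6.el6.x86_64",
]

# Constructed `rpm -qa` output from a hypothetical host; the older releases
# (mod_ssl -41, mod_cluster-native -2.Final_redhat_1) are invented.
INSTALLED = """\
httpd-2.2.26-54.ep6.el6.x86_64
mod_ssl-2.2.26-41.ep6.el6.x86_64
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64
mod_cluster-native-1.2.13-2.Final_redhat_1.ep6.el6.x86_64
tomcat-native-1.1.34-5.redhat_1.ep6.el6.x86_64
bash-4.1.2-48.el6.x86_64
"""


def _alnum(ch: str) -> bool:
    return ch.isascii() and ch.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Compare version or release strings like rpm's rpmvercmp(): 1 if a is
    newer, -1 if older, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # anything that is not alphanumeric, '~' or '^' is a separator
        while i < len(a) and not _alnum(a[i]) and a[i] not in "~^":
            i += 1
        while j < len(b) and not _alnum(b[j]) and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde sorts before everything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: after end, before segments
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        sa = re.match(r"[0-9]+|[A-Za-z]+", a[i:]).group(0)
        sb = re.match(r"[0-9]+|[A-Za-z]+", b[j:]).group(0)
        i, j = i + len(sa), j + len(sb)
        if sa.isdigit() != sb.isdigit():    # numeric segment beats alphabetic
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            if int(sa) != int(sb):
                return 1 if int(sa) > int(sb) else -1
        elif sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1          # leftover segments win


def parse_nevra(pkg: str) -> Tuple[str, int, str, str, str]:
    """Split 'name-[epoch:]version-release.arch' (default rpm -qa output)."""
    pkg = pkg.strip()
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    rest, arch = pkg.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release, arch


def evrcmp(e1: int, v1: str, r1: str, e2: int, v2: str, r2: str) -> int:
    if e1 != e2:
        return 1 if e1 > e2 else -1
    rc = rpmvercmp(v1, v2)
    return rc if rc else rpmvercmp(r1, r2)


def audit(installed_text: str, fixed: List[str]) -> List[Tuple[str, str, str]]:
    """(name, installed version-release, advisory version-release) for every
    installed package that is older than the advisory's build of it."""
    want: Dict[Tuple[str, str], Tuple[int, str, str]] = {}
    for p in fixed:
        n, e, v, r, a = parse_nevra(p)
        want[(n, a)] = (e, v, r)
    outdated = []
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        n, e, v, r, a = parse_nevra(line)
        target = want.get((n, a))
        if target is not None and evrcmp(e, v, r, *target) < 0:
            outdated.append((n, f"{v}-{r}", f"{target[1]}-{target[2]}"))
    return sorted(outdated)


if __name__ == "__main__":
    for name, have, need in audit(INSTALLED, ADVISORY_FIXED):
        print(f"{name}: installed {have}, advisory ships {need}")
```

On a real host replace INSTALLED with the output of `rpm -qa`. A version check of this kind says only whether the advisory's build is installed; it does not replace the GPG signature verification the package-list section points to, and for the OpenSSL fixes the advisory's note still applies: every process linked against the library has to be restarted before the new code is in use.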