From bugzilla at redhat.com  Thu Oct  6 16:19:06 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Oct 2016 12:19:06 -0400
Subject: [RHSA-2016:2035-01] Important: Red Hat JBoss Fuse 6.3 security update
Message-ID: <201610061619.u96GJ6pR025208@int-mx10.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse 6.3 security update
Advisory ID:       RHSA-2016:2035-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2035.html
Issue date:        2016-10-06
CVE Names:         CVE-2015-3192 CVE-2015-5344 CVE-2015-5348 CVE-2015-7940
                   CVE-2016-2141 CVE-2016-2510 CVE-2016-4437
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes
several bug fixes and enhancements, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.

Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss
Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the
Release Notes document, available from the Product Documentation link in the
References section, for a list of these changes.

Security Fix(es):

It was found that JGroups did not require necessary headers for encrypt and
auth protocols from new nodes joining the cluster. An attacker could use this
flaw to bypass security restrictions, and use this vulnerability to send and
receive messages within the cluster, leading to information disclosure,
message spoofing, or further possible attacks. (CVE-2016-2141)

A deserialization flaw allowing remote code execution was found in the
BeanShell library. If BeanShell was on the classpath, it could permit code
execution if another part of the application deserialized objects involving
a specially constructed chain of classes. A remote attacker could use this
flaw to execute arbitrary code with the permissions of the application using
the BeanShell library. (CVE-2016-2510)

It was found that Apache Shiro uses a default cipher key for its "remember
me" feature. An attacker could use this to devise a malicious request
parameter and gain access to unauthorized content. (CVE-2016-4437)

A denial of service flaw was found in the way Spring processes inline DTD
declarations. A remote attacker could submit a specially crafted XML file
that would cause out-of-memory errors when parsed. (CVE-2015-3192)

It was found that Apache Camel's camel-xstream component was vulnerable to
Java object deserialization. This vulnerability permits deserialization of
data which could lead to information disclosure, code execution, or other
possible attacks. (CVE-2015-5344)

It was found that Apache Camel's Jetty/Servlet permitted object
deserialization. If using camel-jetty or camel-servlet as a consumer in Camel
routes, then Camel will automatically deserialize HTTP requests that use the
content-header: application/x-java-serialized-object. An attacker could use
this vulnerability to gain access to unauthorized information or conduct
further attacks. (CVE-2015-5348)

It was found that bouncycastle is vulnerable to an invalid curve attack. An
attacker could extract private keys used in elliptic curve cryptography with
a few thousand queries. (CVE-2015-7940)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).
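The invalid-curve attack on bouncycastle (CVE-2015-7940) above works only when an ECDH implementation accepts a peer's public point without checking that it lies on the agreed curve; full public-key validation is the standard mitigation. The Python block below is an added example, not code from the advisory or from bouncycastle: it implements that validation with the NIST P-256 domain parameters (assumed to be entered correctly here) and a constructed off-curve peer point, and reports which curve such a point actually satisfies.

```python
# Added example: ECDH public-key (point) validation, the check whose absence
# enables invalid-curve attacks such as CVE-2015-7940. Domain parameters are
# NIST P-256 (secp256r1); the sample "peer" points below are constructed.

P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "n": 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
    "gx": 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    "gy": 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
}

INF = None  # point at infinity (group identity)


def is_on_curve(curve, pt):
    """True iff 0 <= x, y < p and y^2 == x^3 + a*x + b (mod p)."""
    if pt is INF:
        return False
    x, y = pt
    p = curve["p"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + curve["a"] * x + curve["b"])) % p == 0


def implied_b(curve, pt):
    """The b' for which the point satisfies y^2 = x^3 + a*x + b' (mod p).
    For an on-curve point this equals curve["b"]; for an off-curve point it
    names the different curve the arithmetic would silently run on."""
    x, y = pt
    return (y * y - x * x * x - curve["a"] * x) % curve["p"]


def point_add(curve, P, Q):
    """Affine addition on y^2 = x^3 + a*x + b over GF(p)."""
    p = curve["p"]
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + curve["a"]) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(curve, k, P):
    """Left-to-right double-and-add; call only on validated points."""
    R = INF
    while k:
        if k & 1:
            R = point_add(curve, R, P)
        P = point_add(curve, P, P)
        k >>= 1
    return R


def validate_public_key(curve, pt):
    """Full public-key validation in the spirit of NIST SP 800-56A:
    reject the identity, out-of-range coordinates, off-curve points and
    points of the wrong order. Returns "ok" or a short reason for a log."""
    if pt is INF:
        return "identity point"
    x, y = pt
    if not (0 <= x < curve["p"] and 0 <= y < curve["p"]):
        return "coordinate out of range"
    if not is_on_curve(curve, pt):
        return "off curve (lies on b'=%x)" % implied_b(curve, pt)
    # Order check matters on curves with cofactor > 1; P-256 has cofactor 1,
    # so any on-curve point already has order n, but the check is cheap.
    if scalar_mult(curve, curve["n"], pt) is not INF:
        return "wrong order"
    return "ok"


if __name__ == "__main__":
    G = (P256["gx"], P256["gy"])
    bad = (P256["gx"], P256["gy"] + 1)  # constructed: one bit off the curve
    print("generator:", validate_public_key(P256, G))
    print("peer point:", validate_public_key(P256, bad))
```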
Refer to the Product Documentation link in the References section for
installation instructions.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
1292849 - CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
1303609 - CVE-2015-5344 camel-xstream: Java object de-serialization vulnerability leads to RCE
1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization
1313589 - CVE-2016-2141 Authorization bypass in JGroups
1343346 - CVE-2016-4437 shiro: Security constraint bypass

5. References:

https://access.redhat.com/security/cve/CVE-2015-3192
https://access.redhat.com/security/cve/CVE-2015-5344
https://access.redhat.com/security/cve/CVE-2015-5348
https://access.redhat.com/security/cve/CVE-2015-7940
https://access.redhat.com/security/cve/CVE-2016-2141
https://access.redhat.com/security/cve/CVE-2016-2510
https://access.redhat.com/security/cve/CVE-2016-4437
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX9nl4XlSAg2UNWIIRAjzuAJ9IjZsuMRzFPBfv/AW1xXlo9AHHNwCeNayc
X467FkxtKPz7MAU5sEu9U/c=
=tF7y
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Thu Oct  6 16:19:12 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 6 Oct 2016 12:19:12 -0400
Subject: [RHSA-2016:2036-01] Important: Red Hat JBoss A-MQ 6.3 security update
Message-ID: <201610061619.u96GJCTV024336@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss A-MQ 6.3 security update
Advisory ID:       RHSA-2016:2036-01
Product:           Red Hat JBoss A-MQ
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2036.html
Issue date:        2016-10-06
CVE Names:         CVE-2015-3192 CVE-2015-7940 CVE-2016-4437
=====================================================================

1. Summary:

Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes
several bug fixes and enhancements, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.

Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss
A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the
Release Notes document, available from the Product Documentation link in the
References section, for a list of these changes.

Security Fix(es):

It was found that Apache Shiro uses a default cipher key for its "remember
me" feature. An attacker could use this to devise a malicious request
parameter and gain access to unauthorized content. (CVE-2016-4437)

A denial of service flaw was found in the way Spring processes inline DTD
declarations. A remote attacker could submit a specially crafted XML file
that would cause out-of-memory errors when parsed. (CVE-2015-3192)

It was found that bouncycastle is vulnerable to an invalid curve attack. An
attacker could extract private keys used in elliptic curve cryptography with
a few thousand queries. (CVE-2015-7940)

Refer to the Product Documentation link in the References section for
installation instructions.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
1343346 - CVE-2016-4437 shiro: Security constraint bypass

5. References:

https://access.redhat.com/security/cve/CVE-2015-3192
https://access.redhat.com/security/cve/CVE-2015-7940
https://access.redhat.com/security/cve/CVE-2016-4437
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.3.0
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX9nl/XlSAg2UNWIIRAn5DAKCeqOJhy3a+EAGO1sG/lNuo/JWFgQCfQRGS
3jDFUUI5eQBAO6ioMdCl8mQ=
=CjkF
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Oct 12 17:19:45 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 12 Oct 2016 13:19:45 -0400
Subject: [RHSA-2016:2054-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.10 natives update on RHEL 7
Message-ID: <201610121719.u9CHJj5S004509@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.10 natives update on RHEL 7
Advisory ID:       RHSA-2016:2054-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2054.html
Issue date:        2016-10-12
CVE Names:         CVE-2015-3183 CVE-2015-3195 CVE-2015-4000 CVE-2016-2105
                   CVE-2016-2106 CVE-2016-2108 CVE-2016-2109 CVE-2016-3110
                   CVE-2016-4459
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform
6.4.10 natives, fix several bugs, and add various enhancements are now
available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server - noarch, ppc64, x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

This release includes bug fixes and enhancements, as well as a new release
of OpenSSL that addresses a number of outstanding security flaws. For
further information, see the knowledge base article linked to in the
References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat
Enterprise Linux 7 are advised to upgrade to these updated packages. The
JBoss server process must be restarted for the update to take effect.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures.
An attacker could use this flaw to create a specially crafted certificate
which, when verified or re-encoded by OpenSSL, could cause it to crash, or
execute arbitrary code using the permissions of the user running an
application compiled against the OpenSSL library. (CVE-2016-2108)

* Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use these
flaws to create a specially crafted request, which httpd would decode
differently from HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

* A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and
CMS data. A remote attacker could use this flaw to cause an application that
parses PKCS#7 or CMS data from untrusted sources to use an excessive amount
of memory and possibly crash. (CVE-2015-3195)

* A flaw was found in the way the TLS protocol composes the Diffie-Hellman
exchange (for both export and non-export grade cipher suites). An attacker
could use this flaw to downgrade a DHE connection to use export-grade key
sizes, which could then be broken by sufficient pre-computation. This can
lead to a passive man-in-the-middle attack in which the attacker is able to
decrypt all traffic. (CVE-2015-4000)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of
input data. A remote attacker could use this flaw to crash an application
using OpenSSL or, possibly, execute arbitrary code with the permissions of
the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of
input data. A remote attacker could use this flaw to crash an application
using OpenSSL or, possibly, execute arbitrary code with the permissions of
the user running that application. (CVE-2016-2106)

* It was discovered that it is possible to remotely crash (segfault) the
Apache HTTP server with a specially crafted string sent to mod_cluster via
service messages (MCMP). (CVE-2016-3110)

* A denial of service flaw was found in the way OpenSSL parsed certain
ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An
application using OpenSSL that accepts untrusted ASN.1 BIO input could be
forced to allocate an excessive amount of data. (CVE-2016-2109)

* It was discovered that specifying a configuration with a JVMRoute path
longer than 80 characters will cause a segmentation fault, leading to a
server crash. (CVE-2016-4459)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108,
CVE-2016-2105, and CVE-2016-2106 and Michal Karm Babacek for reporting
CVE-2016-3110. The CVE-2016-4459 issue was discovered by Robert Bost (Red
Hat). Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and
David Benjamin (Google) as the original reporters of CVE-2016-2108; and
Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute
1345989 - RHEL7 RPMs: Upgrade mod_cluster-native to 1.2.13.Final-redhat-1
1345993 - RHEL7 RPMs: Upgrade mod_jk to 1.2.41.redhat-1
1345997 - RHEL7 RPMs: Upgrade tomcat-native to 1.1.34

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server:

Source:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.src.rpm
httpd22-2.2.26-56.ep6.el7.src.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el7.src.rpm
mod_jk-1.2.41-2.redhat_4.ep6.el7.src.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el7.src.rpm

noarch:
jbcs-httpd24-1-3.jbcs.el7.noarch.rpm
jbcs-httpd24-runtime-1-3.jbcs.el7.noarch.rpm

ppc64:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.ppc64.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el7.ppc64.rpm
httpd22-2.2.26-56.ep6.el7.ppc64.rpm
httpd22-debuginfo-2.2.26-56.ep6.el7.ppc64.rpm
httpd22-devel-2.2.26-56.ep6.el7.ppc64.rpm
httpd22-manual-2.2.26-56.ep6.el7.ppc64.rpm
httpd22-tools-2.2.26-56.ep6.el7.ppc64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el7.ppc64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el7.ppc64.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.ppc64.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el7.ppc64.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el7.ppc64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el7.ppc64.rpm
mod_ldap22-2.2.26-56.ep6.el7.ppc64.rpm
mod_ssl22-2.2.26-56.ep6.el7.ppc64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el7.ppc64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el7.ppc64.rpm

x86_64:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.x86_64.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el7.x86_64.rpm
httpd22-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-debuginfo-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-devel-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-manual-2.2.26-56.ep6.el7.x86_64.rpm
httpd22-tools-2.2.26-56.ep6.el7.x86_64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el7.x86_64.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el7.x86_64.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el7.x86_64.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el7.x86_64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el7.x86_64.rpm
mod_ldap22-2.2.26-56.ep6.el7.x86_64.rpm
mod_ssl22-2.2.26-56.ep6.el7.x86_64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el7.x86_64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/cve/CVE-2015-3195
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2109
https://access.redhat.com/security/cve/CVE-2016-3110
https://access.redhat.com/security/cve/CVE-2016-4459
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2688611
https://access.redhat.com/solutions/222023
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX/nCuXlSAg2UNWIIRAq6gAKCk3O4+LVrC6nN6yUHOOzpm8GB7NQCcDcA0
n7n6E5uqbAY0W1AG5Z+9yy8=
=6ET2
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Wed Oct 12 17:19:53 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 12 Oct 2016 13:19:53 -0400
Subject: [RHSA-2016:2055-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.10 natives update on RHEL 6
Message-ID: <201610121719.u9CHJr6Q004589@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.10 natives update on RHEL 6
Advisory ID:       RHSA-2016:2055-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2055.html
Issue date:        2016-10-12
CVE Names:         CVE-2015-3183 CVE-2015-3195 CVE-2015-4000 CVE-2016-2105
                   CVE-2016-2106 CVE-2016-2108 CVE-2016-2109 CVE-2016-3110
                   CVE-2016-4459
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform
6.4.10 natives, fix several bugs, and add various enhancements are now
available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - i386, noarch, ppc64, x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.

This release includes bug fixes and enhancements, as well as a new release
of OpenSSL that addresses a number of outstanding security flaws. For
further information, see the knowledge base article linked to in the
References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat
Enterprise Linux 6 are advised to upgrade to these updated packages. The
JBoss server process must be restarted for the update to take effect.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures.
An attacker could use this flaw to create a specially crafted certificate
which, when verified or re-encoded by OpenSSL, could cause it to crash, or
execute arbitrary code using the permissions of the user running an
application compiled against the OpenSSL library. (CVE-2016-2108)

* Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use these
flaws to create a specially crafted request, which httpd would decode
differently from HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

* A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and
CMS data. A remote attacker could use this flaw to cause an application that
parses PKCS#7 or CMS data from untrusted sources to use an excessive amount
of memory and possibly crash. (CVE-2015-3195)

* A flaw was found in the way the TLS protocol composes the Diffie-Hellman
exchange (for both export and non-export grade cipher suites). An attacker
could use this flaw to downgrade a DHE connection to use export-grade key
sizes, which could then be broken by sufficient pre-computation. This can
lead to a passive man-in-the-middle attack in which the attacker is able to
decrypt all traffic. (CVE-2015-4000)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of
input data. A remote attacker could use this flaw to crash an application
using OpenSSL or, possibly, execute arbitrary code with the permissions of
the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the
way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of
input data. A remote attacker could use this flaw to crash an application
using OpenSSL or, possibly, execute arbitrary code with the permissions of
the user running that application. (CVE-2016-2106)

* It was discovered that it is possible to remotely crash (segfault) the
Apache HTTP server with a specially crafted string sent to mod_cluster via
service messages (MCMP). (CVE-2016-3110)

* A denial of service flaw was found in the way OpenSSL parsed certain
ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An
application using OpenSSL that accepts untrusted ASN.1 BIO input could be
forced to allocate an excessive amount of data. (CVE-2016-2109)

* It was discovered that specifying a configuration with a JVMRoute path
longer than 80 characters will cause a segmentation fault, leading to a
server crash. (CVE-2016-4459)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108,
CVE-2016-2105, and CVE-2016-2106 and Michal Karm Babacek for reporting
CVE-2016-3110. The CVE-2016-4459 issue was discovered by Robert Bost (Red
Hat). Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and
David Benjamin (Google) as the original reporters of CVE-2016-2108; and
Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute
1345987 - RHEL6 RPMs: Upgrade mod_cluster-native to 1.2.13.Final-redhat-1
1345991 - RHEL6 RPMs: Upgrade mod_jk to 1.2.41.redhat-1
1345995 - RHEL6 RPMs: Upgrade tomcat-native to 1.1.34

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.src.rpm
httpd-2.2.26-54.ep6.el6.src.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.src.rpm
mod_jk-1.2.41-2.redhat_4.ep6.el6.src.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.src.rpm

i386:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.i386.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el6.i386.rpm
httpd-2.2.26-54.ep6.el6.i386.rpm
httpd-debuginfo-2.2.26-54.ep6.el6.i386.rpm
httpd-devel-2.2.26-54.ep6.el6.i386.rpm
httpd-manual-2.2.26-54.ep6.el6.i386.rpm
httpd-tools-2.2.26-54.ep6.el6.i386.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.i686.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.i386.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el6.i386.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el6.i386.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el6.i386.rpm
mod_ldap-2.2.26-54.ep6.el6.i386.rpm
mod_ssl-2.2.26-54.ep6.el6.i386.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.i386.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.i386.rpm

noarch:
jbcs-httpd24-1-3.jbcs.el6.noarch.rpm
jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm

ppc64:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.ppc64.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el6.ppc64.rpm
httpd-2.2.26-54.ep6.el6.ppc64.rpm
httpd-debuginfo-2.2.26-54.ep6.el6.ppc64.rpm
httpd-devel-2.2.26-54.ep6.el6.ppc64.rpm
httpd-manual-2.2.26-54.ep6.el6.ppc64.rpm
httpd-tools-2.2.26-54.ep6.el6.ppc64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.ppc64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.ppc64.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.ppc64.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el6.ppc64.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el6.ppc64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el6.ppc64.rpm
mod_ldap-2.2.26-54.ep6.el6.ppc64.rpm
mod_ssl-2.2.26-54.ep6.el6.ppc64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.ppc64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.ppc64.rpm

x86_64:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.x86_64.rpm
hornetq-native-debuginfo-2.3.25-4.SP11_redhat_1.ep6.el6.x86_64.rpm
httpd-2.2.26-54.ep6.el6.x86_64.rpm
httpd-debuginfo-2.2.26-54.ep6.el6.x86_64.rpm
httpd-devel-2.2.26-54.ep6.el6.x86_64.rpm
httpd-manual-2.2.26-54.ep6.el6.x86_64.rpm
httpd-tools-2.2.26-54.ep6.el6.x86_64.rpm
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.x86_64.rpm
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.x86_64.rpm
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el6.x86_64.rpm
mod_jk-debuginfo-1.2.41-2.redhat_4.ep6.el6.x86_64.rpm
mod_ldap-2.2.26-54.ep6.el6.x86_64.rpm
mod_ssl-2.2.26-54.ep6.el6.x86_64.rpm
tomcat-native-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/cve/CVE-2015-3195
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2109
https://access.redhat.com/security/cve/CVE-2016-3110
https://access.redhat.com/security/cve/CVE-2016-4459
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2688611
https://access.redhat.com/solutions/222023
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFX/nC3XlSAg2UNWIIRAl73AJwMWQGEz9iZUcT7H8h4DJigvv8JtgCdHdCf 4sZxcVqDWWAwzVeNvxo3kSk= =hA1L -----END PGP SIGNATURE----- From bugzilla at redhat.com Wed Oct 12 17:19:59 2016 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 12 Oct 2016 13:19:59 -0400 Subject: [RHSA-2016:2056-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.10 update Message-ID: <201610121719.u9CHJxCw010967@int-mx11.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.10 update Advisory ID: RHSA-2016:2056-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2056.html Issue date: 2016-10-12 CVE Names: CVE-2015-3183 CVE-2015-3195 CVE-2015-4000 CVE-2016-2105 CVE-2016-2106 CVE-2016-2108 CVE-2016-2109 CVE-2016-3110 CVE-2016-4459 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release includes bug fixes and enhancements, as well as a new release of OpenSSL that addresses a number of outstanding security flaws. For further information, see the knowledge base article linked to in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. 
Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108)

* Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from the HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

* A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to use an excessive amount of memory and possibly crash. (CVE-2015-3195)

* A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic. (CVE-2015-4000)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106)

* It was discovered that it is possible to remotely segfault the Apache HTTP server with a specially crafted string sent to mod_cluster via service messages (MCMP). (CVE-2016-3110)

* A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109)

* It was discovered that specifying a configuration with a JVMRoute path longer than 80 characters will cause a segmentation fault, leading to a server crash. (CVE-2016-4459)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2105, and CVE-2016-2106 and Michal Karm Babacek for reporting CVE-2016-3110. The CVE-2016-4459 issue was discovered by Robert Bost (Red Hat). Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; and Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute

5. References:

https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/cve/CVE-2015-3195
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2016-2105
https://access.redhat.com/security/cve/CVE-2016-2106
https://access.redhat.com/security/cve/CVE-2016-2108
https://access.redhat.com/security/cve/CVE-2016-2109
https://access.redhat.com/security/cve/CVE-2016-3110
https://access.redhat.com/security/cve/CVE-2016-4459
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/2688611
https://access.redhat.com/solutions/222023
https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX/nC9XlSAg2UNWIIRAnxyAJ9e/4EllYuokmkD6tLkfhHL3pZ0mQCgh8zG
yB8E4qH53UH71bMzQwek8yU=
=eQHg
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Oct 17 19:16:12 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 17 Oct 2016 15:16:12 -0400
Subject: [RHSA-2016:2068-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 6
Message-ID: <201610171916.u9HJGCQ8016252@int-mx14.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 6
Advisory ID:       RHSA-2016:2068-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2068.html
Issue date:        2016-10-17
CVE Names:         CVE-2016-3092
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.11, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.10. It includes bug fixes and enhancements.
Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.4.11 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

Security Fix(es):

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service
1375625 - RHEL6 RPMs: Upgrade jbossts to 4.17.35.Final-redhat-1
1376065 - RHEL6 RPMs: Upgrade jboss-remote-naming to 1.0.13.Final-redhat-1
1376185 - RHEL6 RPMs: Upgrade jbossweb to 7.5.19.Final-redhat-1

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
apache-cxf-2.7.18-4.SP3_redhat_1.1.ep6.el6.src.rpm
hornetq-2.3.25-16.SP14_redhat_1.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-cli-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-connector-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-domain-http-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ee-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ejb3-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-host-controller-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jacorb-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jaxr-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jdr-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jmx-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jpa-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jsf-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jsr77-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-logging-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-mail-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-messaging-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-modcluster-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-naming-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-network-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-picketlink-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-remoting-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-sar-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-security-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-server-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-threads-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-transactions-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-version-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-web-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-webservices-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-weld-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-xts-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-remote-naming-1.0.13-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-appclient-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-bundles-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-core-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-domain-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-javadocs-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-modules-eap-7.5.11-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-product-eap-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-standalone-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.5.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossts-4.17.35-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossweb-7.5.19-1.Final_redhat_1.1.ep6.el6.src.rpm
picketlink-bindings-2.5.4-13.SP11_redhat_1.1.ep6.el6.src.rpm
picketlink-federation-2.5.4-13.SP11_redhat_1.1.ep6.el6.src.rpm

noarch:
apache-cxf-2.7.18-4.SP3_redhat_1.1.ep6.el6.noarch.rpm
hornetq-2.3.25-16.SP14_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-cli-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-connector-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-controller-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ee-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-logging-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-mail-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-naming-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-network-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-picketlink-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-sar-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-security-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-server-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-threads-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-version-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-web-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-weld-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-xts-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-remote-naming-1.0.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-appclient-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-bundles-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-core-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-domain-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-modules-eap-7.5.11-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-standalone-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.5.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossts-4.17.35-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossweb-7.5.19-1.Final_redhat_1.1.ep6.el6.noarch.rpm
picketlink-bindings-2.5.4-13.SP11_redhat_1.1.ep6.el6.noarch.rpm
picketlink-federation-2.5.4-13.SP11_redhat_1.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-3092
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYBSN6XlSAg2UNWIIRAr7bAKCrpeiUIaXG9IW2HeaZT5Qh9ytMiwCeK/u+
h0ha5RBzjfmhdpbPx58yVYM=
=u9ZC
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Oct 17 19:16:23 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 17 Oct 2016 15:16:23 -0400
Subject: [RHSA-2016:2069-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 7
Message-ID: <201610171916.u9HJGNwm002724@int-mx09.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 7
Advisory ID:       RHSA-2016:2069-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2069.html
Issue date:        2016-10-17
CVE Names:         CVE-2016-3092
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.11, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.10. It includes bug fixes and enhancements.
Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.4.11 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

Security Fix(es):

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service
1375627 - RHEL7 RPMs: Upgrade jbossts to 4.17.35.Final-redhat-1
1376067 - RHEL7 RPMs: Upgrade jboss-remote-naming to 1.0.13.Final-redhat-1
1376187 - RHEL7 RPMs: Upgrade jbossweb to 7.5.19.Final-redhat-1

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server:

Source:
apache-cxf-2.7.18-4.SP3_redhat_1.1.ep6.el7.src.rpm
hornetq-2.3.25-16.SP14_redhat_1.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-cli-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-connector-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-controller-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ee-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-logging-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-mail-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-naming-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-network-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-sar-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-security-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-server-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-threads-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-version-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-web-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-weld-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-xts-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-remote-naming-1.0.13-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-appclient-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-bundles-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-core-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-domain-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-javadocs-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-modules-eap-7.5.11-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-product-eap-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-standalone-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-welcome-content-eap-7.5.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossts-4.17.35-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossweb-7.5.19-1.Final_redhat_1.1.ep6.el7.src.rpm
picketlink-bindings-2.5.4-13.SP11_redhat_1.1.ep6.el7.src.rpm
picketlink-federation-2.5.4-13.SP11_redhat_1.1.ep6.el7.src.rpm

noarch:
apache-cxf-2.7.18-4.SP3_redhat_1.1.ep6.el7.noarch.rpm
hornetq-2.3.25-16.SP14_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-appclient-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-cli-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-client-all-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-clustering-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-cmp-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-connector-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-controller-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-controller-client-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-core-security-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-deployment-repository-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-deployment-scanner-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-domain-http-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-domain-management-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ee-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ee-deployment-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ejb3-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-embedded-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-host-controller-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jacorb-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jaxr-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jaxrs-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jdr-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jmx-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jpa-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jsf-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jsr77-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-logging-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-mail-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-management-client-content-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-messaging-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-modcluster-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-naming-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-network-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-service-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-picketlink-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-platform-mbean-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-pojo-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-process-controller-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-protocol-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-remoting-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-sar-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-security-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-remote-naming-1.0.13-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-core-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.11-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossts-4.17.35-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossweb-7.5.19-1.Final_redhat_1.1.ep6.el7.noarch.rpm
picketlink-bindings-2.5.4-13.SP11_redhat_1.1.ep6.el7.noarch.rpm
picketlink-federation-2.5.4-13.SP11_redhat_1.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-3092
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYBSOFXlSAg2UNWIIRAkk7AJsE9KUYVPPUdXdCOR8K72QBIoMYkACggUyT
3u7Y7wckQruSLsvnKcY4ixc=
=7ayW
-----END PGP SIGNATURE-----

From bugzilla at redhat.com  Mon Oct 17 19:16:33 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 17 Oct 2016 15:16:33 -0400
Subject: [RHSA-2016:2070-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 5
Message-ID: <201610171916.u9HJGXJD023756@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 5
Advisory ID:       RHSA-2016:2070-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2070.html
Issue date:        2016-10-17
CVE Names:         CVE-2016-3092
=====================================================================

1. Summary:

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.11, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.10. It includes bug fixes and enhancements.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.

Security Fix(es):

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service
1375626 - RHEL5 RPMs: Upgrade jbossts to 4.17.35.Final-redhat-1
1376066 - RHEL5 RPMs: Upgrade jboss-remote-naming to 1.0.13.Final-redhat-1
1376186 - RHEL5 RPMs: Upgrade jbossweb to 7.5.19.Final-redhat-1

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server:

Source:
apache-cxf-2.7.18-4.SP3_redhat_1.1.ep6.el5.src.rpm
hornetq-2.3.25-16.SP14_redhat_1.1.ep6.el5.src.rpm
jboss-as-appclient-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cli-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-client-all-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-clustering-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cmp-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-connector-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-client-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-core-security-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-http-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-management-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ejb3-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-embedded-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-host-controller-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jacorb-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jaxr-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jdr-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jmx-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jpa-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jsf-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jsr77-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-logging-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-mail-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-messaging-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-modcluster-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-naming-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-network-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-picketlink-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-pojo-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-process-controller-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-protocol-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-remoting-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-sar-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-security-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-server-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-threads-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-transactions-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-version-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-web-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-webservices-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-weld-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-xts-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-remote-naming-1.0.13-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-appclient-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-bundles-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-core-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-domain-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-javadocs-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-modules-eap-7.5.11-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-product-eap-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-standalone-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.5.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossts-4.17.35-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossweb-7.5.19-1.Final_redhat_1.1.ep6.el5.src.rpm
picketlink-bindings-2.5.4-13.SP11_redhat_1.1.ep6.el5.src.rpm
picketlink-federation-2.5.4-13.SP11_redhat_1.1.ep6.el5.src.rpm

noarch:
apache-cxf-2.7.18-4.SP3_redhat_1.1.ep6.el5.noarch.rpm
hornetq-2.3.25-16.SP14_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-cli-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-connector-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-controller-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-ee-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-logging-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-mail-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-naming-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-network-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-sar-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-security-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-server-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-threads-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-version-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-web-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-weld-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-xts-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-remote-naming-1.0.13-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-appclient-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-bundles-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-core-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-domain-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-modules-eap-7.5.11-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-standalone-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.5.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossts-4.17.35-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossweb-7.5.19-1.Final_redhat_1.1.ep6.el5.noarch.rpm
picketlink-bindings-2.5.4-13.SP11_redhat_1.1.ep6.el5.noarch.rpm
picketlink-federation-2.5.4-13.SP11_redhat_1.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-3092
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
From bugzilla at redhat.com Mon Oct 17 19:16:38 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 17 Oct 2016 15:16:38 -0400
Subject: [RHSA-2016:2071-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update
Message-ID: <201610171916.u9HJGcKO023797@int-mx11.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update
Advisory ID: RHSA-2016:2071-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2071.html
Issue date: 2016-10-17
CVE Names: CVE-2016-3092
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform from the Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.11 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.10, and includes bug fixes and enhancements. Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.4.11 Release Notes, linked to in the References.

Security Fix(es):

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service

5. References:

https://access.redhat.com/security/cve/CVE-2016-3092
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
From bugzilla at redhat.com Mon Oct 17 19:16:46 2016
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 17 Oct 2016 15:16:46 -0400
Subject: [RHSA-2016:2072-01] Moderate: jboss-ec2-eap security and enhancement update for EAP 6.4.11
Message-ID: <201610171916.u9HJGkjX010681@int-mx13.intmail.prod.int.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: jboss-ec2-eap security and enhancement update for EAP 6.4.11
Advisory ID: RHSA-2016:2072-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2072.html
Issue date: 2016-10-17
CVE Names: CVE-2016-3092
=====================================================================

1. Summary:

An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java EE applications. It is based on JBoss Application Server 7 and incorporates multiple open-source projects to provide a complete Java EE platform solution.

Security Fix(es):

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)

Enhancement(s):

* The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.11. Users of EAP 6.4.10 jboss-ec2-eap are advised to upgrade to these updated packages, which add this enhancement.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
jboss-ec2-eap-7.5.11-1.Final_redhat_1.ep6.el6.src.rpm

noarch:
jboss-ec2-eap-7.5.11-1.Final_redhat_1.ep6.el6.noarch.rpm
jboss-ec2-eap-samples-7.5.11-1.Final_redhat_1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-3092
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.