From bugzilla at redhat.com Tue May 9 17:15:56 2017
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 9 May 2017 13:15:56 -0400
Subject: [RHSA-2017:1217-01] Moderate: Red Hat JBoss BRMS security update
Message-ID: <201705091715.v49HFu9H019029@lists01.pubmisc.prod.ext.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss BRMS security update
Advisory ID:       RHSA-2017:1217-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1217
Issue date:        2017-05-09
CVE Names:         CVE-2017-2674 CVE-2017-7463
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BRMS.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.4.3 serves as a replacement for Red Hat JBoss BRMS 6.4.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins. (CVE-2017-2674)

* JBoss BRMS 6 and BPM Suite 6 are vulnerable to a reflected XSS via artifact upload.
A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user. (CVE-2017-7463)

Red Hat would like to thank Chris Hebert, Vikas Pandey, Harold Schliesske, and Ryan Stanley (Noblis) for reporting these issues.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1439819 - CVE-2017-2674 business-central: Multiple stored XSS in task and process filters
1439823 - CVE-2017-7463 business-central: Reflected XSS in artifact upload error message

5. References:

https://access.redhat.com/security/cve/CVE-2017-2674
https://access.redhat.com/security/cve/CVE-2017-7463
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
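The reflected XSS in this advisory comes down to one rule: whatever a parser quotes back from a rejected upload is untrusted input, and it has to be output-encoded for the HTML context before it is rendered to any user. The following is an added illustration of that rule, not code from Business Central or from this advisory; the class and method names and the sample parser message are constructed for the example.

```java
// Added example (not Business Central's code): building an upload error
// message so that a fragment of the rejected file cannot become markup.
public class UploadErrorMessage {

    /** Entity-encode the characters that can change HTML structure. */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Weak form: the parser's message, which quotes the offending input,
     *  is concatenated straight into the page. */
    static String unsafeMessage(String parserDetail) {
        return "<p>Artifact upload failed: " + parserDetail + "</p>";
    }

    /** Hardened form: the quoted fragment is truncated, then encoded for
     *  the HTML body context at the point where it is rendered. */
    static String safeMessage(String parserDetail) {
        String shown = parserDetail.length() > 120
                ? parserDetail.substring(0, 120) + "..."
                : parserDetail;
        return "<p>Artifact upload failed: " + htmlEscape(shown) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of detail an XML parser reports for a
        // malformed file, quoting the input back. The tag is harmless on
        // purpose; any markup that survives unencoded shows the problem.
        String detail = "Unexpected element '<b>' at line 3, column 7";
        System.out.println(unsafeMessage(detail));
        System.out.println(safeMessage(detail));
    }
}
```

The same rule covers the stored variant (CVE-2017-2674): a list or filter name saved by one user is encoded whenever it is rendered for another, at render time and for the specific context (HTML body, attribute, or script), rather than relying on filtering at creation time alone. Truncating the echoed fragment is a design choice of this example, not something the advisory prescribes; it keeps an error page from reflecting an entire uploaded file.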
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZEflBXlSAg2UNWIIRAq5JAJ9I9k4V5ORtRYFi7vxKGsPxVrMxAgCfc9vO
rvyzyTlt8x7VwFqWFWctm0U=
=TUOP
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Tue May 9 17:16:07 2017
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 9 May 2017 13:16:07 -0400
Subject: [RHSA-2017:1218-01] Moderate: Red Hat JBoss BPM Suite security update
Message-ID: <201705091716.v49HG7og019041@lists01.pubmisc.prod.ext.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss BPM Suite security update
Advisory ID:       RHSA-2017:1218-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1218
Issue date:        2017-05-09
CVE Names:         CVE-2017-2674 CVE-2017-7463
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BPM Suite.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.4.3 serves as a replacement for Red Hat JBoss BPM Suite 6.4.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists.
Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins. (CVE-2017-2674)

* JBoss BRMS 6 and BPM Suite 6 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user. (CVE-2017-7463)

Red Hat would like to thank Chris Hebert, Vikas Pandey, Harold Schliesske, and Ryan Stanley (Noblis) for reporting these issues.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1439819 - CVE-2017-2674 business-central: Multiple stored XSS in task and process filters
1439823 - CVE-2017-7463 business-central: Reflected XSS in artifact upload error message

5. JIRA issues fixed (https://issues.jboss.org/):

RHBPMS-4625 - CVE-2017-2674 business-central: Multiple stored XSS in task and process filters [bpms-6.4.x]
RHBPMS-4627 - CVE-2017-7463 business-central: Reflected XSS in artifact upload error message [bpms-6.4.x]

6. References:

https://access.redhat.com/security/cve/CVE-2017-2674
https://access.redhat.com/security/cve/CVE-2017-7463
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZEflOXlSAg2UNWIIRAn0tAJwKkyWpytSgM0fxN0CJaekKhF67nwCfZakk
flE5oBe2HvxFG2PleCOy8XM=
=BBWq
-----END PGP SIGNATURE-----

From fleite at redhat.com Wed May 17 19:49:44 2017
From: fleite at redhat.com (Fabio Olive Leite)
Date: Wed, 17 May 2017 16:49:44 -0300
Subject: MAILING LIST SHUTDOWN NOTIFICATION
Message-ID: <0926a0de-e951-78ef-57ee-1a517a855c17@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ERRATA MAILING LIST SHUTDOWN NOTIFICATION

This is a notification to inform all subscribers that on May 31st 2017 the rhev-watch-list, enterprise-watch-list and jboss-watch-list mailing lists will be disabled by Red Hat Product Security, and no additional Security Advisory notifications will be sent to them.

The blog post linked below contains information about this change and the many alternatives available for receiving security errata notifications.

https://access.redhat.com/blogs/product-security/posts/rhsa-announce

In summary, the rhsa-announce mailing list will remain operational and has been enhanced with Topics support, so that it can provide the same level of granularity for the advisories delivered to subscribers as the individual lists being disabled, with benefits.

For any concerns regarding the shutdown of these mailing lists, please reach out to Red Hat Product Security at .
Fabio Olive Leite
Red Hat Product Security

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZHKajXlSAg2UNWIIRApryAKCQVRnghMBJe4xjNkUY82Mr9vDD0wCgwcOc
qwqVW3KUeLd82EkQnbV125c=
=f6hd
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu May 18 22:58:52 2017
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 May 2017 18:58:52 -0400
Subject: [RHSA-2017:1253-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.4.15 update on RHEL 7
Message-ID: <201705182258.v4IMwqfX003165@lists01.pubmisc.prod.ext.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.4.15 update on RHEL 7
Advisory ID:       RHSA-2017:1253-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1253
Issue date:        2017-05-18
CVE Names:         CVE-2016-9606
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):

* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)

Red Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1400644 - CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE
1437094 - RHEL7 RPMs: Upgrade resteasy to 2.3.19.Final-redhat-1
1437097 - RHEL7 RPMs: Upgrade ironjacamar-eap6 to 1.0.38.Final-redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server:

Source:
hibernate4-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7.src.rpm
hornetq-2.3.25-20.SP18_redhat_1.1.ep6.el7.src.rpm
httpserver-1.0.8-1.Final_redhat_1.1.ep6.el7.src.rpm
ironjacamar-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-cli-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-connector-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-controller-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-ee-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-logging-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-mail-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-naming-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-network-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-sar-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-security-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-server-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-threads-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-version-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-web-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-weld-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-as-xts-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jboss-ejb-client-1.0.39-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-security-negotiation-2.3.13-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-xnio-base-3.0.16-1.GA_redhat_1.1.ep6.el7.src.rpm
jbossas-appclient-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-bundles-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-core-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-domain-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-javadocs-7.5.15-3.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-modules-eap-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-product-eap-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-standalone-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jbossas-welcome-content-eap-7.5.15-1.Final_redhat_3.1.ep6.el7.src.rpm
jbossweb-7.5.22-1.Final_redhat_1.1.ep6.el7.src.rpm
picketbox-4.1.5-1.Final_redhat_1.1.ep6.el7.src.rpm
picketlink-bindings-2.5.4-14.SP12_redhat_1.1.ep6.el7.src.rpm
picketlink-federation-2.5.4-14.SP12_redhat_1.1.ep6.el7.src.rpm
resteasy-2.3.19-1.Final_redhat_1.1.ep6.el7.src.rpm

noarch:
hibernate4-core-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-entitymanager-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-envers-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hibernate4-infinispan-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hornetq-2.3.25-20.SP18_redhat_1.1.ep6.el7.noarch.rpm
httpserver-1.0.8-1.Final_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
ironjacamar-common-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
ironjacamar-common-spi-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
ironjacamar-core-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
ironjacamar-core-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
ironjacamar-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
ironjacamar-jdbc-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
ironjacamar-spec-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
ironjacamar-validator-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-appclient-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-cli-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-client-all-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-clustering-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-cmp-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-connector-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-controller-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-controller-client-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-core-security-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-deployment-repository-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-deployment-scanner-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-domain-http-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-domain-management-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-ee-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-ee-deployment-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-ejb3-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-embedded-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-host-controller-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jacorb-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jaxr-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jaxrs-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jdr-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jmx-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jpa-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jsf-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-jsr77-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-logging-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-mail-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-management-client-content-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-messaging-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-modcluster-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-naming-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-network-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-osgi-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-osgi-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-osgi-service-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-picketlink-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-platform-mbean-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-pojo-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-process-controller-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-protocol-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-remoting-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-sar-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-security-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jboss-ejb-client-1.0.39-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-security-negotiation-2.3.13-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-xnio-base-3.0.16-1.GA_redhat_1.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-core-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.15-3.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.15-1.Final_redhat_3.1.ep6.el7.noarch.rpm
jbossweb-7.5.22-1.Final_redhat_1.1.ep6.el7.noarch.rpm
picketbox-4.1.5-1.Final_redhat_1.1.ep6.el7.noarch.rpm
picketlink-bindings-2.5.4-14.SP12_redhat_1.1.ep6.el7.noarch.rpm
picketlink-federation-2.5.4-14.SP12_redhat_1.1.ep6.el7.noarch.rpm
resteasy-2.3.19-1.Final_redhat_1.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-9606
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZHic0XlSAg2UNWIIRAmSvAJ9ijV9PLPzH/fvYCrjs+seFRP1EBACfexbX
W0gP3foncW1t1D6crooUJO4=
=g3sC
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Thu May 18 22:59:10 2017
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 May 2017 18:59:10 -0400
Subject: [RHSA-2017:1254-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.4.15 update on RHEL 6
Message-ID: <201705182259.v4IMxAeU003183@lists01.pubmisc.prod.ext.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.4.15 update on RHEL 6
Advisory ID:       RHSA-2017:1254-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1254
Issue date:        2017-05-18
CVE Names:         CVE-2016-9606
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):

* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)

Red Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1400644 - CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE
1437092 - RHEL6 RPMs: Upgrade resteasy to 2.3.19.Final-redhat-1
1437095 - RHEL6 RPMs: Upgrade ironjacamar-eap6 to 1.0.38.Final-redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
hibernate4-eap6-4.2.26-1.Final_redhat_1.1.ep6.el6.src.rpm
hornetq-2.3.25-20.SP18_redhat_1.1.ep6.el6.src.rpm
httpserver-1.0.8-1.Final_redhat_1.1.ep6.el6.src.rpm
ironjacamar-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-cli-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-connector-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-controller-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-domain-http-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-ee-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-ejb3-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-host-controller-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jacorb-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jaxr-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jdr-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jmx-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jpa-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jsf-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-jsr77-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-logging-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-mail-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-messaging-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-modcluster-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-naming-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-network-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-osgi-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-picketlink-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-remoting-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-sar-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-security-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-server-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-threads-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-transactions-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-version-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-web-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-webservices-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-weld-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-as-xts-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jboss-ejb-client-1.0.39-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-security-negotiation-2.3.13-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-xnio-base-3.0.16-1.GA_redhat_1.1.ep6.el6.src.rpm
jbossas-appclient-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jbossas-bundles-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jbossas-core-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jbossas-domain-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jbossas-javadocs-7.5.15-3.Final_redhat_3.1.ep6.el6.src.rpm
jbossas-modules-eap-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jbossas-product-eap-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jbossas-standalone-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.5.15-1.Final_redhat_3.1.ep6.el6.src.rpm
jbossweb-7.5.22-1.Final_redhat_1.1.ep6.el6.src.rpm
picketbox-4.1.5-1.Final_redhat_1.1.ep6.el6.src.rpm
picketlink-bindings-2.5.4-14.SP12_redhat_1.1.ep6.el6.src.rpm
picketlink-federation-2.5.4-14.SP12_redhat_1.1.ep6.el6.src.rpm
resteasy-2.3.19-1.Final_redhat_1.1.ep6.el6.src.rpm

noarch:
hibernate4-core-eap6-4.2.26-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-eap6-4.2.26-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-entitymanager-eap6-4.2.26-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-envers-eap6-4.2.26-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hibernate4-infinispan-eap6-4.2.26-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hornetq-2.3.25-20.SP18_redhat_1.1.ep6.el6.noarch.rpm
httpserver-1.0.8-1.Final_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-common-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
ironjacamar-common-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
ironjacamar-common-spi-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
ironjacamar-core-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
ironjacamar-core-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
ironjacamar-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
ironjacamar-jdbc-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
ironjacamar-spec-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
ironjacamar-validator-eap6-1.0.38-3.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-cli-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-connector-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-controller-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-ee-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-host-controller-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jacorb-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jaxr-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jaxrs-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jdr-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jmx-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jpa-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jsf-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-jsr77-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-logging-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-mail-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-management-client-content-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-messaging-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-modcluster-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-naming-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-network-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-osgi-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-osgi-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-osgi-service-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-picketlink-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-platform-mbean-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-pojo-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-process-controller-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-protocol-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-remoting-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-sar-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-security-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-server-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-system-jmx-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-threads-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm 
jboss-as-transactions-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-version-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-web-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-webservices-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-weld-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-as-xts-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jboss-ejb-client-1.0.39-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-security-negotiation-2.3.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm jboss-xnio-base-3.0.16-1.GA_redhat_1.1.ep6.el6.noarch.rpm jbossas-appclient-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-bundles-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-core-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-domain-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-javadocs-7.5.15-3.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-modules-eap-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-product-eap-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-standalone-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jbossas-welcome-content-eap-7.5.15-1.Final_redhat_3.1.ep6.el6.noarch.rpm jbossweb-7.5.22-1.Final_redhat_1.1.ep6.el6.noarch.rpm picketbox-4.1.5-1.Final_redhat_1.1.ep6.el6.noarch.rpm picketlink-bindings-2.5.4-14.SP12_redhat_1.1.ep6.el6.noarch.rpm picketlink-federation-2.5.4-14.SP12_redhat_1.1.ep6.el6.noarch.rpm resteasy-2.3.19-1.Final_redhat_1.1.ep6.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-9606 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/ 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. 
From bugzilla at redhat.com Thu May 18 22:59:28 2017
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 May 2017 18:59:28 -0400
Subject: [RHSA-2017:1256-01] Moderate: Red Hat JBoss Enterprise Application Platform 6.4.15 update on RHEL 5
Message-ID: <201705182259.v4IMxSIh003211@lists01.pubmisc.prod.ext.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 6.4.15 update on RHEL 5
Advisory ID:       RHSA-2017:1256-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1256
Issue date:        2017-05-18
CVE Names:         CVE-2016-9606
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)

Red Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1400644 - CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE
1437093 - RHEL5 RPMs: Upgrade resteasy to 2.3.19.Final-redhat-1
1437096 - RHEL5 RPMs: Upgrade ironjacamar-eap6 to 1.0.38.Final-redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server:

Source:
hibernate4-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5.src.rpm
hornetq-2.3.25-20.SP18_redhat_1.1.ep6.el5.src.rpm
httpserver-1.0.8-1.Final_redhat_1.1.ep6.el5.src.rpm
ironjacamar-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-appclient-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-cli-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-client-all-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-clustering-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-cmp-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-connector-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-controller-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-controller-client-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-core-security-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-domain-http-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-domain-management-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-ee-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-ejb3-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-embedded-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-host-controller-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jacorb-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jaxr-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jdr-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jmx-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jpa-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jsf-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-jsr77-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-logging-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-mail-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-messaging-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-modcluster-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-naming-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-network-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-osgi-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-picketlink-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-pojo-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-process-controller-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-protocol-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-remoting-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-sar-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-security-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-server-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-threads-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-transactions-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-version-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-web-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-webservices-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-weld-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-as-xts-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jboss-ejb-client-1.0.39-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-security-negotiation-2.3.13-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-xnio-base-3.0.16-1.GA_redhat_1.1.ep6.el5.src.rpm
jbossas-appclient-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-bundles-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-core-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-domain-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-javadocs-7.5.15-3.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-modules-eap-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-product-eap-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-standalone-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.5.15-1.Final_redhat_3.1.ep6.el5.src.rpm
jbossweb-7.5.22-1.Final_redhat_1.1.ep6.el5.src.rpm
picketbox-4.1.5-1.Final_redhat_1.1.ep6.el5.src.rpm
picketlink-bindings-2.5.4-14.SP12_redhat_1.1.ep6.el5.src.rpm
picketlink-federation-2.5.4-14.SP12_redhat_1.1.ep6.el5.src.rpm
resteasy-2.3.19-1.Final_redhat_1.1.ep6.el5.src.rpm

noarch:
hibernate4-core-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-entitymanager-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-envers-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hibernate4-infinispan-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hornetq-2.3.25-20.SP18_redhat_1.1.ep6.el5.noarch.rpm
httpserver-1.0.8-1.Final_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-common-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-common-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-common-spi-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-core-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-core-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-jdbc-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-spec-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
ironjacamar-validator-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-cli-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-connector-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-controller-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-ee-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-logging-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-mail-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-naming-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-network-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-sar-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-security-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-server-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-threads-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-version-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-web-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-weld-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-as-xts-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jboss-ejb-client-1.0.39-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-security-negotiation-2.3.13-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-xnio-base-3.0.16-1.GA_redhat_1.1.ep6.el5.noarch.rpm
jbossas-appclient-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-bundles-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-core-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-domain-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.5.15-3.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-modules-eap-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-standalone-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.5.15-1.Final_redhat_3.1.ep6.el5.noarch.rpm
jbossweb-7.5.22-1.Final_redhat_1.1.ep6.el5.noarch.rpm
picketbox-4.1.5-1.Final_redhat_1.1.ep6.el5.noarch.rpm
picketlink-bindings-2.5.4-14.SP12_redhat_1.1.ep6.el5.noarch.rpm
picketlink-federation-2.5.4-14.SP12_redhat_1.1.ep6.el5.noarch.rpm
resteasy-2.3.19-1.Final_redhat_1.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-9606
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
From bugzilla at redhat.com Thu May 18 22:59:47 2017
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 May 2017 18:59:47 -0400
Subject: [RHSA-2017:1260-01] Moderate: jboss-ec2-eap security, bug fix, and enhancement update
Message-ID: <201705182259.v4IMxllm003237@lists01.pubmisc.prod.ext.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jboss-ec2-eap security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:1260-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1260
Issue date:        2017-05-18
CVE Names:         CVE-2016-9606
=====================================================================

1. Summary:

An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch

3. Description:

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.15.

Security Fix(es):

* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)

Red Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1400644 - CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
jboss-ec2-eap-7.5.15-3.Final_redhat_3.ep6.el6.src.rpm

noarch:
jboss-ec2-eap-7.5.15-3.Final_redhat_3.ep6.el6.noarch.rpm
jboss-ec2-eap-samples-7.5.15-3.Final_redhat_3.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-9606
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
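The RESTEasy YamlProvider flaw described in these advisories comes down to a YAML parser that lets the request body decide which Java classes are instantiated. The class below is an added example, not RESTEasy's provider or the code changed by this erratum; it assumes SnakeYAML 1.x and JAX-RS 1.1 on the classpath, uses a hypothetical application/x-yaml media type, and places the unsafe load pattern next to a SafeConstructor-based reader that only yields maps, lists and scalars.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import java.nio.charset.StandardCharsets;
import java.util.Map;

import javax.ws.rs.Consumes;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Provider;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example (not RESTEasy code): a JAX-RS reader for YAML request
 * bodies that refuses application-specific type tags.  The media type
 * and class name are hypothetical.
 */
@Provider
@Consumes("application/x-yaml")
public class SafeYamlReader implements MessageBodyReader<Map<String, Object>> {

    // UNSAFE pattern: the default Yaml() honours "!!fully.qualified.Name"
    // tags, so the client chooses which classes get constructed from the
    // request body.  This is the class of behaviour CVE-2016-9606 describes.
    static Object unsafeLoad(InputStream body) {
        return new Yaml().load(body);
    }

    // SAFE pattern: SafeConstructor builds only standard YAML types and
    // throws ConstructorException (a YAMLException) for any other tag.
    // SnakeYAML 2.x requires new SafeConstructor(new LoaderOptions()).
    static Object safeLoad(InputStream body) {
        return new Yaml(new SafeConstructor()).load(body);
    }

    @Override
    public boolean isReadable(Class<?> type, Type genericType,
                              Annotation[] annotations, MediaType mediaType) {
        return Map.class.isAssignableFrom(type);
    }

    @Override
    @SuppressWarnings("unchecked")
    public Map<String, Object> readFrom(Class<Map<String, Object>> type, Type genericType,
                                        Annotation[] annotations, MediaType mediaType,
                                        MultivaluedMap<String, String> httpHeaders,
                                        InputStream entityStream) throws IOException {
        Object parsed;
        try {
            parsed = safeLoad(entityStream);
        } catch (YAMLException e) {
            // Rejected tag or malformed document: fail closed with a 400,
            // without echoing the offending input back to the client.
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        if (!(parsed instanceof Map)) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        return (Map<String, Object>) parsed;
    }

    // Constructed sample documents for a stand-alone run (not from the advisory).
    static final String PLAIN_DOC = "name: demo\nretries: 3\n";
    static final String TAGGED_DOC = "!!com.example.NotAllowed {name: demo}\n";

    static InputStream asStream(String doc) {
        return new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // A plain mapping is accepted by the safe loader.
        System.out.println("plain document -> " + safeLoad(asStream(PLAIN_DOC)));
        // A document carrying a type tag is rejected before any class is touched.
        try {
            safeLoad(asStream(TAGGED_DOC));
            System.out.println("tagged document -> unexpectedly accepted");
        } catch (YAMLException e) {
            System.out.println("tagged document -> rejected: " + e.getClass().getSimpleName());
        }
    }
}
```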
From bugzilla at redhat.com Thu May 18 23:33:48 2017
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 18 May 2017 19:33:48 -0400
Subject: [RHSA-2017:1255-01] Moderate: Red Hat JBoss Enterprise Application Platform security update
Message-ID: <201705182333.v4INXmU9008391@lists01.pubmisc.prod.ext.phx2.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform security update
Advisory ID:       RHSA-2017:1255-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-1255.html
Issue date:        2017-05-18
CVE Names:         CVE-2016-9606
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)

Red Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1400644 - CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE

5. References:

https://access.redhat.com/security/cve/CVE-2016-9606
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.

From fleite at redhat.com Wed May 24 22:35:22 2017
From: fleite at redhat.com (Fabio Olive Leite)
Date: Wed, 24 May 2017 19:35:22 -0300
Subject: MAILING LIST SHUTDOWN NOTIFICATION
Message-ID:

ERRATA MAILING LIST SHUTDOWN NOTIFICATION

This is a notification to inform all subscribers that on May 31st 2017 the rhev-watch-list, enterprise-watch-list and jboss-watch-list mailing lists will be disabled by Red Hat Product Security, and no additional Security Advisory notifications will be sent to them.
The blog post linked below contains information about this change and the many alternatives available for receiving security errata notifications.

https://access.redhat.com/blogs/product-security/posts/rhsa-announce

In summary, the rhsa-announce mailing list will remain operational and has been enhanced with Topics support, so that it can provide the same level of granularity for the advisories delivered to subscribers as the individual lists being disabled, with benefits.

For any concerns regarding the shutdown of these mailing lists, please reach out to Red Hat Product Security at .

Fabio Olive Leite
Red Hat Product Security

From fleite at redhat.com Wed May 31 19:53:03 2017
From: fleite at redhat.com (Fabio Olive Leite)
Date: Wed, 31 May 2017 16:53:03 -0300
Subject: FINAL MAILING LIST SHUTDOWN NOTIFICATION
Message-ID: <78856e41-8254-d4c0-8439-ecb5f85932f8@redhat.com>

ERRATA MAILING LIST SHUTDOWN NOTIFICATION

This is a notification to inform all subscribers that on May 31st 2017 the rhev-watch-list, enterprise-watch-list and jboss-watch-list mailing lists will be disabled by Red Hat Product Security, and no additional Security Advisory notifications will be sent to them.

The blog post linked below contains information about this change and the many alternatives available for receiving security errata notifications.

https://access.redhat.com/blogs/product-security/posts/rhsa-announce

In summary, the rhsa-announce mailing list will remain operational and has been enhanced with Topics support, so that it can provide the same level of granularity for the advisories delivered to subscribers as the individual lists being disabled, with benefits.

For any concerns regarding the shutdown of these mailing lists, please reach out to Red Hat Product Security at .

Fabio Olive Leite
Red Hat Product Security