(RHSA-2007:0950) Moderate: JBoss Enterprise Application Platform security update

2007-11-0500:00:00

access.redhat.com

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.015 Low

EPSS

Percentile

85.7%

JSON

The updated packages address the following security vulnerabilities:

Tomcat incorrectly treated a single quote character (') in a cookie value
as a delimiter. In some circumstances this lead to the leaking of
information such as session ID to an attacker (CVE-2007-3382).

Tomcat incorrectly handled the character sequence " in a cookie value. In
some circumstances this lead to the leaking of information such as session
ID to an attacker (CVE-2007-3385).

In addition to these security fixes, this update also fixes several bugs in
JBoss Enterprise Application Platform. Please see the referenced release
notes for the list of bugs fixed.

Users of JBoss Enterprise Application Platform should upgrade to these
updated packages which contain fixes to correct these issues.

For users of Red Hat Application Stack v1, installation of this errata will
automatically bring the system up to V.1.2. Please note the following
changes that may affect you:

Stacks V.1.2 has a new version of JBoss Application Server which
requires Java version 1.5 to run.
Unless the JBOSS_IP variable is explicitly set in the configuration
file, JBoss Application Server services are now bound to localhost.
Unless the JBOSSCONF variable is explicitly set in the configuration
file, JBoss Application Server will start with the production config
when started via the init script.

Refer to the release notes for more information on how to set the
JBOSS_IP and JBOSSCONF variables.

OSVersionArchitecturePackageVersionFilename
RedHat5noarchjcommon< 0.9.7-1jpp.ep1.1.el5jcommon-0.9.7-1jpp.ep1.1.el5.noarch.rpm
RedHatanynoarchjboss-seam-docs< 1.2.1-1.ep1.2jboss-seam-docs-1.2.1-1.ep1.2.noarch.rpm
RedHat5noarchjboss-seam-docs< 1.2.1-1.ep1.2.el5jboss-seam-docs-1.2.1-1.ep1.2.el5.noarch.rpm
RedHat5noarchjbossweb< 2.0.0-2.CP01.0jpp.ep1.4.el5jbossweb-2.0.0-2.CP01.0jpp.ep1.4.el5.noarch.rpm
RedHat5noarchhibernate3-annotations-javadoc< 3.2.1-1.patch01.1jpp.ep1.3.el5hibernate3-annotations-javadoc-3.2.1-1.patch01.1jpp.ep1.3.el5.noarch.rpm
RedHatanynoarchjbossxb< 1.0.0-1.CP01.0jpp.ep1.1jbossxb-1.0.0-1.CP01.0jpp.ep1.1.noarch.rpm
RedHat5noarchjboss-cache< 1.4.1-1.SP3.1jpp.ep1.1.el5jboss-cache-1.4.1-1.SP3.1jpp.ep1.1.el5.noarch.rpm
RedHat5noarchjbossxb< 1.0.0-1.CP01.0jpp.ep1.2.el5jbossxb-1.0.0-1.CP01.0jpp.ep1.2.el5.noarch.rpm
RedHatanynoarchjboss-cache< 1.4.1-1.SP3.1jpp.ep1.1jboss-cache-1.4.1-1.SP3.1jpp.ep1.1.noarch.rpm
RedHatanynoarchjboss-remoting< 2.2.2-1jpp.ep1.4jboss-remoting-2.2.2-1jpp.ep1.4.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	5	noarch	jcommon	< 0.9.7-1jpp.ep1.1.el5	jcommon-0.9.7-1jpp.ep1.1.el5.noarch.rpm
RedHat	any	noarch	jboss-seam-docs	< 1.2.1-1.ep1.2	jboss-seam-docs-1.2.1-1.ep1.2.noarch.rpm
RedHat	5	noarch	jboss-seam-docs	< 1.2.1-1.ep1.2.el5	jboss-seam-docs-1.2.1-1.ep1.2.el5.noarch.rpm
RedHat	5	noarch	jbossweb	< 2.0.0-2.CP01.0jpp.ep1.4.el5	jbossweb-2.0.0-2.CP01.0jpp.ep1.4.el5.noarch.rpm
RedHat	5	noarch	hibernate3-annotations-javadoc	< 3.2.1-1.patch01.1jpp.ep1.3.el5	hibernate3-annotations-javadoc-3.2.1-1.patch01.1jpp.ep1.3.el5.noarch.rpm
RedHat	any	noarch	jbossxb	< 1.0.0-1.CP01.0jpp.ep1.1	jbossxb-1.0.0-1.CP01.0jpp.ep1.1.noarch.rpm
RedHat	5	noarch	jboss-cache	< 1.4.1-1.SP3.1jpp.ep1.1.el5	jboss-cache-1.4.1-1.SP3.1jpp.ep1.1.el5.noarch.rpm
RedHat	5	noarch	jbossxb	< 1.0.0-1.CP01.0jpp.ep1.2.el5	jbossxb-1.0.0-1.CP01.0jpp.ep1.2.el5.noarch.rpm
RedHat	any	noarch	jboss-cache	< 1.4.1-1.SP3.1jpp.ep1.1	jboss-cache-1.4.1-1.SP3.1jpp.ep1.1.noarch.rpm
RedHat	any	noarch	jboss-remoting	< 2.2.2-1jpp.ep1.4	jboss-remoting-2.2.2-1jpp.ep1.4.noarch.rpm