(RHSA-2014:0037) Moderate: jasperreports-server-pro security, bug fix, and enhancement update

The Red Hat Enterprise Virtualization reports package provides a suite of
pre-configured reports and dashboards that enable you to monitor the
system. The reports module is based on JasperReports and JasperServer, and
can also be used to create ad-hoc reports.

Apache Axis did not verify that the server hostname matched the domain name
in the subject’s Common Name (CN) or subjectAltName field in X.509
certificates. This could allow a man-in-the-middle attacker to spoof an SSL
server if they had a certificate that was valid for any domain name.
(CVE-2012-5784)

A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affects users who have
enabled Hadoop’s Kerberos security features. (CVE-2013-2192)

This update fixes several bugs and adds multiple enhancements.
Documentation for these changes will be available shortly from the
Technical Notes document linked to in the References section.

All jasperreports-server-pro users are advised to upgrade to this updated
package, which contains backported patches to correct these issues and add
these enhancements.