(RHSA-2014:0195) Moderate: Red Hat JBoss Portal 6.1.1 update

Red Hat JBoss Portal is the open source implementation of the Java EE suite
of services and Portal services running atop Red Hat JBoss Enterprise
Application Platform.

This Red Hat JBoss Portal 6.1.1 release serves as a replacement for 6.1.0.
Refer to the 6.1.1 Release Notes for further information, available shortly
from https://access.redhat.com/site/documentation/en-US/

It was found that the ParserPool and Decrypter classes in the OpenSAML Java
implementation resolved external entities, permitting XML External Entity
(XXE) attacks. A remote attacker could use this flaw to read files
accessible to the user running the application server, and potentially
perform other more advanced XXE attacks. (CVE-2013-6440)

It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)

All users of Red Hat JBoss Portal 6.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss Portal 6.1.1.