Published: Aug 05, 2015 - 4:13 p.m.

(RHSA-2015:1551) Important: Red Hat JBoss Fuse Service Works 6.0.0 security update

2015-08-05 16:13:53
access.redhat.com

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.003 Low (Percentile: 65.2%)

Red Hat JBoss Fuse Service Works is the next-generation ESB and business
process automation infrastructure.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse
Service Works 6.0.0. It includes various bug fixes, which are listed in the
README file included with the patch files.

The following security issues are also fixed with this release:

It was found that async-http-client would disable SSL/TLS certificate
verification under certain conditions, for example if HTTPS communication
also used client certificates. A man-in-the-middle (MITM) attacker could
use this flaw to spoof a valid certificate. (CVE-2013-7397)

It was found that async-http-client did not verify that the server hostname
matched the domain name in the subject’s Common Name (CN) or subjectAltName
field in X.509 certificates. This could allow a man-in-the-middle attacker
to spoof an SSL server if they had a certificate that was valid for any
domain name. (CVE-2013-7398)
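
The hostname check that CVE-2013-7398 describes as missing, shown as an added example (not code from Red Hat or async-http-client). It assumes the certificate is given in the dict layout of Python's ssl.SSLSocket.getpeercert(), handles DNS names only, and uses constructed sample certificates.

```python
# Added illustration, not async-http-client code.
def _name_matches(presented: str, host: str) -> bool:
    """Compare one certificate DNS name with the host the client asked for."""
    p = presented.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard only as the entire left-most label, with at least two
        # labels after it, so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial or non-left-most wildcards are rejected (a strict choice).
    return "*" not in presented and p == h


def hostname_matches(cert: dict, host: str) -> bool:
    """cert uses the dict layout of Python's ssl.SSLSocket.getpeercert()."""
    san_dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        # dNSName entries take precedence; the CN is then ignored.
        return any(_name_matches(n, host) for n in san_dns)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return any(_name_matches(cn, host) for cn in cns)


# Constructed sample certificates (hypothetical names, not from the advisory).
CERT_SAN = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (("DNS", "api.example.com"),
                       ("DNS", "*.cdn.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "www.example.org"),),)}

if __name__ == "__main__":
    for cert, host in [(CERT_SAN, "api.example.com"),
                       (CERT_SAN, "img.cdn.example.com"),
                       (CERT_SAN, "bank.example.org"),
                       (CERT_CN_ONLY, "www.example.org")]:
        print(host, "accepted" if hostname_matches(cert, host) else "rejected")
```

A client that skips this comparison accepts the CERT_SAN certificate for "bank.example.org" as long as the chain validates, which is the condition the advisory describes.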

All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this roll up patch.
