You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa JBoss Web Server 5.3.1

Sigurnosni nedostatak programskog paketa JBoss Web Server 5.3.1

by Marina Dimic Vugec - 0
  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LRH

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 5.3.1 security update
Advisory ID: RHSA-2020:2509-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2509
Issue date: 2020-06-10
CVE Names: CVE-2020-9484
=====================================================================

1. Summary:

Updated Red Hat JBoss Web Server 5.3.1 packages are now available for Red
Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise
Linux 8 and Windows.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.3.1 serves as a replacement for
Red Hat JBoss Web Server 5.3.0, and includes bug fixes, enhancements, and
component upgrades, which are documented in the Release Notes, linked to in
the References.

Security Fix(es):

* tomcat: Apache Tomcat Remote Code Execution via session persistence
(CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1838332 – CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

5. References:

https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=5.3
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.3/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXuETO9zjgjWX9erEAQjXxg//QS+8bTXNkhjQugj+b4Ak8DCjm0JrrGrg
fT+rPvu79dzjeooLZ18fnoPBZQ2xowu7gjIev8PlTlQNlj76CzzjRGvv77MlUy3G
JAw+gh/kYDUV8bX6Whs5fvj+9LOwcrs6lB3WeYVfFjj2na2Nr7mkKoL/mvzJMToH
jcZ7W7cnLECcWhtC+JIRT1mwpe1lXOkiWlfn6df+VBX6R0PiFdmz4ieyHWqV3Ryd
bdT+IMe1ubmHRpYnolx/4kHUbr84CNx+AwEcX9OI6jfzFMOKtEaOHcAPO83ZR7Pt
p5IcEdD1drwGjzhaER/bMR56+faFXPA31oZ4UMpXdDp6BhNzEh/3bV1VqaOgxd8o
MUuZhqTTPJgPnlWJ1jolv0ccKvcl6Nia7FPjyfYqBjo9YFIcXhGRlrOICu7ivn4X
qp86C9tejiNuq4C0jMODwvU4dfRLrKHRXZ9ZwnvJB+Og98CBS5RezmJXuauIBKT7
FJDqXtHOSMiLVOboXZnbhKj9KWHp37iAMSl+N/xuXLxJ/OD+LbBavTlCG/hXNnoJ
lyK10HaqJjO+59zJMLaGuOT2Bt4YmxH+GxZSR1u+yiXWuSXYJO9meOYeO9EpuqGU
7yeG/ZkSyi2iLI5wK0u6XNLradiCq1fPkvUUtXBNi8qjNxfYAxFjYUWRZAoRXlfL
9wyJATiOAwc=
=Qw56
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 5.3.1 security update
Advisory ID: RHSA-2020:2506-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2506
Issue date: 2020-06-10
CVE Names: CVE-2020-9484
=====================================================================

1. Summary:

Updated Red Hat JBoss Web Server 5.3.1 packages are now available for Red
Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 5.3 for RHEL 6 Server – i386, noarch, x86_64
Red Hat JBoss Web Server 5.3 for RHEL 7 Server – noarch, x86_64
Red Hat JBoss Web Server 5.3 for RHEL 8 – noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.3.1 serves as a replacement for
Red Hat JBoss Web Server 5.3.0, and includes bug fixes, enhancements, and
component upgrades, which are documented in the Release Notes, linked to in
the References.

Security Fix(es):

* tomcat: Apache Tomcat Remote Code Execution via session persistence
(CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1838332 – CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

6. Package List:

Red Hat JBoss Web Server 5.3 for RHEL 6 Server:

Source:
jws5-tomcat-9.0.30-4.redhat_5.1.el6jws.src.rpm
jws5-tomcat-native-1.2.23-5.redhat_5.el6jws.src.rpm

i386:
jws5-tomcat-native-1.2.23-5.redhat_5.el6jws.i686.rpm
jws5-tomcat-native-debuginfo-1.2.23-5.redhat_5.el6jws.i686.rpm

noarch:
jws5-tomcat-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-javadoc-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-lib-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-selinux-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-webapps-9.0.30-4.redhat_5.1.el6jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.23-5.redhat_5.el6jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.23-5.redhat_5.el6jws.x86_64.rpm

Red Hat JBoss Web Server 5.3 for RHEL 7 Server:

Source:
jws5-tomcat-9.0.30-4.redhat_5.1.el7jws.src.rpm
jws5-tomcat-native-1.2.23-5.redhat_5.el7jws.src.rpm

noarch:
jws5-tomcat-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-javadoc-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-lib-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-selinux-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-webapps-9.0.30-4.redhat_5.1.el7jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.23-5.redhat_5.el7jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.23-5.redhat_5.el7jws.x86_64.rpm

Red Hat JBoss Web Server 5.3 for RHEL 8:

Source:
jws5-tomcat-9.0.30-4.redhat_5.1.el8jws.src.rpm
jws5-tomcat-native-1.2.23-5.redhat_5.el8jws.src.rpm

noarch:
jws5-tomcat-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-javadoc-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-lib-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-selinux-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-webapps-9.0.30-4.redhat_5.1.el8jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.23-5.redhat_5.el8jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.23-5.redhat_5.el8jws.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXuEKEtzjgjWX9erEAQi1iQ//SgZKJnO4OosXeFQDYKXzx2+R2UHZJ8OJ
OaY6LKEjIb6wAY3QimRSxHL5s2G1dM51TdJUMPGVzW/ZC6WTph68mecpkB5xiQ90
knoAB7XdZoobkw9rdGupYBkNZGYsZah3mbQrU1WEMEcZIMNyO1ESw/qPlWHRxUDU
LI/cyTH78n6GWED0mUWhfcrMWmmweUjMxR+Ld5hgA0ZetjvC2DttqIMspBuwgzIF
krBvAv3eqx/mHQivtHSOkwoj+wfBIWS1ZTlv3xa5fu0A06CmzVfRrnMwxanajTMq
4wna5Kq+dNRe6MvlQ9YT4r5VciRXIf9ByxNHSwHthy30bXLmjDkOEbb6BtbegaQP
Pj1vmTrRlnZU9KQpdddVKLUhi2odZlEIig2P/6PH02lXvPiGvH7ozLbceNaq3yuP
x6ADb+ft+JPL3JVJzkggHUVgBN9/yu9f6OrrYDUEf6GQiXLbdjb0/q8jlUZKsgIi
BjnT7XHQwMHKxGTID1XFP7r7JoEv6/sHgsf7SM0PulZ93wLbR9nFJDAF4+ATAwcq
aDP/GPjsrAJ/TErnKNkDXADeTTVFf4PhLGWi9LQLey16/cnXuA7emv2pR0mcdg22
7uAELEj+ZojlS6qYukRYlWcM7fPlLz1kMB9f+rEe3k/5hGqWsr0PBri8sWSiFKMn
EMQ+iKEGQWY=
=UEGb
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security update
Advisory ID: RHSA-2020:2487-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2487
Issue date: 2020-06-10
CVE Names: CVE-2020-9484
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 6,
RHEL 7 and Windows.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Apache Tomcat Remote Code Execution via session persistence
(CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1838332 – CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

5. References:

https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXuD2ntzjgjWX9erEAQiMAw//ZNV2UOZjU2HbmhZH8To22tMoTLUyqk6u
HIL7C7BXc37vdJ/nD+AuM2ndZrjixNI12KbWz/VBYpwNdVI3DLNyUPQb9KxVdVVK
G9aGbHXTzA6lHcryYjjkXlCT6EEwQcutpI7SlJ5WmY/xhLR7AjM4Ve22tcqGSoib
WbSRQZnE06oHAK6Zo+d6DQRieLcaxW1eIR0j1OrEEGGueAwTnUfnyx0SH5enzsFp
80fClhNeERwOQyQh8ngqH4T2oC6j6x0CJ0ylGVJJBh75dGR/x6xi/9EvsC/crpSn
U2wXv5iltTjDPLJ2tu8o/hfVgpfFQg2glZesgjzBBfwpop7L9cyZoVcApFF2ujE3
g16QX1yZWvQS/82h+f9n3mnmoev7YC+Y77UjF8IcloHFh9JAXp2mFKpCCg/PKzJB
cn2wu7pKPRTPovyFUBVYUNEZ4HYzTzQGuIyJ4hRGfJyQvCU6WlvXm172EZvbejlq
3GnEYJplmlLa5k6OGMrV3Y65ZmgnHSU2nRc28wy/cODv+QrTxMYmZn2Ecp7niy2O
Cl2dytEHURjLouF92TZq3zBzOjAOOA4fbMcRjS6Po6LHvvQ/MIsoYhPbneXtwmi4
hCzC9rKAfvagypTEYrmkpNxrkR1WRJP/a7rRozDz6UGJ17Y0SdCFJePS+a8hcYn4
YH3uzGfUtXk=
=n5mX
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security update
Advisory ID: RHSA-2020:2483-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2483
Issue date: 2020-06-10
CVE Names: CVE-2020-9484
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and
RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.1 for RHEL 6 – i386, noarch, x86_64
Red Hat JBoss Web Server 3.1 for RHEL 7 – noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Apache Tomcat Remote Code Execution via session persistence
(CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1838332 – CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

6. Package List:

Red Hat JBoss Web Server 3.1 for RHEL 6:

Source:
tomcat-native-1.2.23-22.redhat_22.ep7.el6.src.rpm
tomcat7-7.0.70-40.ep7.el6.src.rpm
tomcat8-8.0.36-44.ep7.el6.src.rpm

i386:
tomcat-native-1.2.23-22.redhat_22.ep7.el6.i686.rpm
tomcat-native-debuginfo-1.2.23-22.redhat_22.ep7.el6.i686.rpm

noarch:
tomcat7-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-admin-webapps-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-docs-webapp-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-javadoc-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-jsvc-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-lib-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-log4j-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-selinux-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-webapps-7.0.70-40.ep7.el6.noarch.rpm
tomcat8-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-admin-webapps-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-docs-webapp-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-el-2.2-api-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-javadoc-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-jsvc-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-lib-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-log4j-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-selinux-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-webapps-8.0.36-44.ep7.el6.noarch.rpm

x86_64:
tomcat-native-1.2.23-22.redhat_22.ep7.el6.x86_64.rpm
tomcat-native-debuginfo-1.2.23-22.redhat_22.ep7.el6.x86_64.rpm

Red Hat JBoss Web Server 3.1 for RHEL 7:

Source:
tomcat-native-1.2.23-22.redhat_22.ep7.el7.src.rpm
tomcat7-7.0.70-40.ep7.el7.src.rpm
tomcat8-8.0.36-44.ep7.el7.src.rpm

noarch:
tomcat7-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-admin-webapps-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-docs-webapp-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-javadoc-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-jsvc-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-lib-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-log4j-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-selinux-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-webapps-7.0.70-40.ep7.el7.noarch.rpm
tomcat8-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-admin-webapps-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-docs-webapp-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-el-2.2-api-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-javadoc-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-jsvc-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-lib-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-log4j-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-selinux-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-webapps-8.0.36-44.ep7.el7.noarch.rpm

x86_64:
tomcat-native-1.2.23-22.redhat_22.ep7.el7.x86_64.rpm
tomcat-native-debuginfo-1.2.23-22.redhat_22.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXuDzktzjgjWX9erEAQgi/w//Xj/qCl98tBEg+2ffj+TA0Is16FtznlWO
xIScyhvleDsX7AZ/o+Fd/8bqePrC4fPYmrPwe29i6IkcbOK1oQY786YLZsD78KTV
0M4QIR5JserxNzylp29q2R6xQdH0mTLTK1BfYLSoi63Fx/XdFz8dnkWs6PxJLEan
mM0ioyWz3rPlA133UMX6gr6LEWNcV36+DeOuDt6xwtPCwFsG9Uh95XV0yYkPyUa+
k6N1bl0Z1gAb8CDA0Bb9ACT/wNIFj2Ops1d5gr0X6uxhhieGRYMKFqyJ7amEcpCW
WkiVL3Jr4cCI3JgVLJ+9VwK9ifqiFPT/uFBFqukodeUi4jt5B6MCutWjg5MMlyjk
zYJFaOtzpYdN94XLQliHpUnFcwgqNzl7D1aAhianL/SYC7im9embS+os0h8r0y/K
zh2FkLbtb+hrxGQKbaCJXlHhXbng6ke1xxnT6JeKIqFnJhl3WOisDSQBVwtJqTjW
gtdHIPSUVRaA1Q62xN+ERDAWKcXGh1r/B7RnX8e7mjmVBj8sw33rLJtz8XAIwztI
dQDrF6NZsO6sozXsd8tODjgTaXHRqXv4gDp2BqJRCYGf3CjlvCtRcEkgK7WN8B1o
Nbgz9YN9a5MRSU/tvViPZ97jtTi376HAxZb8hrEIq43CgKdGdYeD9nGp/PXrFT3Z
T4TlPOipQc8=
=m5kE
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security update
Advisory ID: RHSA-2020:2483-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2483
Issue date: 2020-06-10
CVE Names: CVE-2020-9484
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and
RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.1 for RHEL 6 – i386, noarch, x86_64
Red Hat JBoss Web Server 3.1 for RHEL 7 – noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Apache Tomcat Remote Code Execution via session persistence
(CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1838332 – CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

6. Package List:

Red Hat JBoss Web Server 3.1 for RHEL 6:

Source:
tomcat-native-1.2.23-22.redhat_22.ep7.el6.src.rpm
tomcat7-7.0.70-40.ep7.el6.src.rpm
tomcat8-8.0.36-44.ep7.el6.src.rpm

i386:
tomcat-native-1.2.23-22.redhat_22.ep7.el6.i686.rpm
tomcat-native-debuginfo-1.2.23-22.redhat_22.ep7.el6.i686.rpm

noarch:
tomcat7-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-admin-webapps-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-docs-webapp-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-javadoc-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-jsvc-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-lib-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-log4j-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-selinux-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-40.ep7.el6.noarch.rpm
tomcat7-webapps-7.0.70-40.ep7.el6.noarch.rpm
tomcat8-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-admin-webapps-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-docs-webapp-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-el-2.2-api-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-javadoc-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-jsvc-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-lib-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-log4j-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-selinux-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-44.ep7.el6.noarch.rpm
tomcat8-webapps-8.0.36-44.ep7.el6.noarch.rpm

x86_64:
tomcat-native-1.2.23-22.redhat_22.ep7.el6.x86_64.rpm
tomcat-native-debuginfo-1.2.23-22.redhat_22.ep7.el6.x86_64.rpm

Red Hat JBoss Web Server 3.1 for RHEL 7:

Source:
tomcat-native-1.2.23-22.redhat_22.ep7.el7.src.rpm
tomcat7-7.0.70-40.ep7.el7.src.rpm
tomcat8-8.0.36-44.ep7.el7.src.rpm

noarch:
tomcat7-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-admin-webapps-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-docs-webapp-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-javadoc-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-jsvc-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-lib-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-log4j-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-selinux-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-40.ep7.el7.noarch.rpm
tomcat7-webapps-7.0.70-40.ep7.el7.noarch.rpm
tomcat8-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-admin-webapps-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-docs-webapp-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-el-2.2-api-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-javadoc-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-jsvc-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-lib-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-log4j-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-selinux-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-44.ep7.el7.noarch.rpm
tomcat8-webapps-8.0.36-44.ep7.el7.noarch.rpm

x86_64:
tomcat-native-1.2.23-22.redhat_22.ep7.el7.x86_64.rpm
tomcat-native-debuginfo-1.2.23-22.redhat_22.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXuDzktzjgjWX9erEAQgi/w//Xj/qCl98tBEg+2ffj+TA0Is16FtznlWO
xIScyhvleDsX7AZ/o+Fd/8bqePrC4fPYmrPwe29i6IkcbOK1oQY786YLZsD78KTV
0M4QIR5JserxNzylp29q2R6xQdH0mTLTK1BfYLSoi63Fx/XdFz8dnkWs6PxJLEan
mM0ioyWz3rPlA133UMX6gr6LEWNcV36+DeOuDt6xwtPCwFsG9Uh95XV0yYkPyUa+
k6N1bl0Z1gAb8CDA0Bb9ACT/wNIFj2Ops1d5gr0X6uxhhieGRYMKFqyJ7amEcpCW
WkiVL3Jr4cCI3JgVLJ+9VwK9ifqiFPT/uFBFqukodeUi4jt5B6MCutWjg5MMlyjk
zYJFaOtzpYdN94XLQliHpUnFcwgqNzl7D1aAhianL/SYC7im9embS+os0h8r0y/K
zh2FkLbtb+hrxGQKbaCJXlHhXbng6ke1xxnT6JeKIqFnJhl3WOisDSQBVwtJqTjW
gtdHIPSUVRaA1Q62xN+ERDAWKcXGh1r/B7RnX8e7mjmVBj8sw33rLJtz8XAIwztI
dQDrF6NZsO6sozXsd8tODjgTaXHRqXv4gDp2BqJRCYGf3CjlvCtRcEkgK7WN8B1o
Nbgz9YN9a5MRSU/tvViPZ97jtTi376HAxZb8hrEIq43CgKdGdYeD9nGp/PXrFT3Z
T4TlPOipQc8=
=m5kE
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security update
Advisory ID: RHSA-2020:2487-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2487
Issue date: 2020-06-10
CVE Names: CVE-2020-9484
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 6,
RHEL 7 and Windows.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Apache Tomcat Remote Code Execution via session persistence
(CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1838332 – CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

5. References:

https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXuD2ntzjgjWX9erEAQiMAw//ZNV2UOZjU2HbmhZH8To22tMoTLUyqk6u
HIL7C7BXc37vdJ/nD+AuM2ndZrjixNI12KbWz/VBYpwNdVI3DLNyUPQb9KxVdVVK
G9aGbHXTzA6lHcryYjjkXlCT6EEwQcutpI7SlJ5WmY/xhLR7AjM4Ve22tcqGSoib
WbSRQZnE06oHAK6Zo+d6DQRieLcaxW1eIR0j1OrEEGGueAwTnUfnyx0SH5enzsFp
80fClhNeERwOQyQh8ngqH4T2oC6j6x0CJ0ylGVJJBh75dGR/x6xi/9EvsC/crpSn
U2wXv5iltTjDPLJ2tu8o/hfVgpfFQg2glZesgjzBBfwpop7L9cyZoVcApFF2ujE3
g16QX1yZWvQS/82h+f9n3mnmoev7YC+Y77UjF8IcloHFh9JAXp2mFKpCCg/PKzJB
cn2wu7pKPRTPovyFUBVYUNEZ4HYzTzQGuIyJ4hRGfJyQvCU6WlvXm172EZvbejlq
3GnEYJplmlLa5k6OGMrV3Y65ZmgnHSU2nRc28wy/cODv+QrTxMYmZn2Ecp7niy2O
Cl2dytEHURjLouF92TZq3zBzOjAOOA4fbMcRjS6Po6LHvvQ/MIsoYhPbneXtwmi4
hCzC9rKAfvagypTEYrmkpNxrkR1WRJP/a7rRozDz6UGJ17Y0SdCFJePS+a8hcYn4
YH3uzGfUtXk=
=n5mX
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 5.3.1 security update
Advisory ID: RHSA-2020:2506-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2506
Issue date: 2020-06-10
CVE Names: CVE-2020-9484
=====================================================================

1. Summary:

Updated Red Hat JBoss Web Server 5.3.1 packages are now available for Red
Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 5.3 for RHEL 6 Server – i386, noarch, x86_64
Red Hat JBoss Web Server 5.3 for RHEL 7 Server – noarch, x86_64
Red Hat JBoss Web Server 5.3 for RHEL 8 – noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.3.1 serves as a replacement for
Red Hat JBoss Web Server 5.3.0, and includes bug fixes, enhancements, and
component upgrades, which are documented in the Release Notes, linked to in
the References.

Security Fix(es):

* tomcat: Apache Tomcat Remote Code Execution via session persistence
(CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1838332 – CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

6. Package List:

Red Hat JBoss Web Server 5.3 for RHEL 6 Server:

Source:
jws5-tomcat-9.0.30-4.redhat_5.1.el6jws.src.rpm
jws5-tomcat-native-1.2.23-5.redhat_5.el6jws.src.rpm

i386:
jws5-tomcat-native-1.2.23-5.redhat_5.el6jws.i686.rpm
jws5-tomcat-native-debuginfo-1.2.23-5.redhat_5.el6jws.i686.rpm

noarch:
jws5-tomcat-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-javadoc-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-lib-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-selinux-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.30-4.redhat_5.1.el6jws.noarch.rpm
jws5-tomcat-webapps-9.0.30-4.redhat_5.1.el6jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.23-5.redhat_5.el6jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.23-5.redhat_5.el6jws.x86_64.rpm

Red Hat JBoss Web Server 5.3 for RHEL 7 Server:

Source:
jws5-tomcat-9.0.30-4.redhat_5.1.el7jws.src.rpm
jws5-tomcat-native-1.2.23-5.redhat_5.el7jws.src.rpm

noarch:
jws5-tomcat-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-javadoc-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-lib-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-selinux-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.30-4.redhat_5.1.el7jws.noarch.rpm
jws5-tomcat-webapps-9.0.30-4.redhat_5.1.el7jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.23-5.redhat_5.el7jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.23-5.redhat_5.el7jws.x86_64.rpm

Red Hat JBoss Web Server 5.3 for RHEL 8:

Source:
jws5-tomcat-9.0.30-4.redhat_5.1.el8jws.src.rpm
jws5-tomcat-native-1.2.23-5.redhat_5.el8jws.src.rpm

noarch:
jws5-tomcat-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-javadoc-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-lib-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-selinux-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.30-4.redhat_5.1.el8jws.noarch.rpm
jws5-tomcat-webapps-9.0.30-4.redhat_5.1.el8jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.23-5.redhat_5.el8jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.23-5.redhat_5.el8jws.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXuEKEtzjgjWX9erEAQi1iQ//SgZKJnO4OosXeFQDYKXzx2+R2UHZJ8OJ
OaY6LKEjIb6wAY3QimRSxHL5s2G1dM51TdJUMPGVzW/ZC6WTph68mecpkB5xiQ90
knoAB7XdZoobkw9rdGupYBkNZGYsZah3mbQrU1WEMEcZIMNyO1ESw/qPlWHRxUDU
LI/cyTH78n6GWED0mUWhfcrMWmmweUjMxR+Ld5hgA0ZetjvC2DttqIMspBuwgzIF
krBvAv3eqx/mHQivtHSOkwoj+wfBIWS1ZTlv3xa5fu0A06CmzVfRrnMwxanajTMq
4wna5Kq+dNRe6MvlQ9YT4r5VciRXIf9ByxNHSwHthy30bXLmjDkOEbb6BtbegaQP
Pj1vmTrRlnZU9KQpdddVKLUhi2odZlEIig2P/6PH02lXvPiGvH7ozLbceNaq3yuP
x6ADb+ft+JPL3JVJzkggHUVgBN9/yu9f6OrrYDUEf6GQiXLbdjb0/q8jlUZKsgIi
BjnT7XHQwMHKxGTID1XFP7r7JoEv6/sHgsf7SM0PulZ93wLbR9nFJDAF4+ATAwcq
aDP/GPjsrAJ/TErnKNkDXADeTTVFf4PhLGWi9LQLey16/cnXuA7emv2pR0mcdg22
7uAELEj+ZojlS6qYukRYlWcM7fPlLz1kMB9f+rEe3k/5hGqWsr0PBri8sWSiFKMn
EMQ+iKEGQWY=
=UEGb
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 5.3.1 security update
Advisory ID: RHSA-2020:2509-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2509
Issue date: 2020-06-10
CVE Names: CVE-2020-9484
=====================================================================

1. Summary:

Updated Red Hat JBoss Web Server 5.3.1 packages are now available for Red
Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise
Linux 8 and Windows.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.3.1 serves as a replacement for
Red Hat JBoss Web Server 5.3.0, and includes bug fixes, enhancements, and
component upgrades, which are documented in the Release Notes, linked to in
the References.

Security Fix(es):

* tomcat: Apache Tomcat Remote Code Execution via session persistence
(CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1838332 – CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

5. References:

https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=5.3
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.3/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXuETO9zjgjWX9erEAQjXxg//QS+8bTXNkhjQugj+b4Ak8DCjm0JrrGrg
fT+rPvu79dzjeooLZ18fnoPBZQ2xowu7gjIev8PlTlQNlj76CzzjRGvv77MlUy3G
JAw+gh/kYDUV8bX6Whs5fvj+9LOwcrs6lB3WeYVfFjj2na2Nr7mkKoL/mvzJMToH
jcZ7W7cnLECcWhtC+JIRT1mwpe1lXOkiWlfn6df+VBX6R0PiFdmz4ieyHWqV3Ryd
bdT+IMe1ubmHRpYnolx/4kHUbr84CNx+AwEcX9OI6jfzFMOKtEaOHcAPO83ZR7Pt
p5IcEdD1drwGjzhaER/bMR56+faFXPA31oZ4UMpXdDp6BhNzEh/3bV1VqaOgxd8o
MUuZhqTTPJgPnlWJ1jolv0ccKvcl6Nia7FPjyfYqBjo9YFIcXhGRlrOICu7ivn4X
qp86C9tejiNuq4C0jMODwvU4dfRLrKHRXZ9ZwnvJB+Og98CBS5RezmJXuauIBKT7
FJDqXtHOSMiLVOboXZnbhKj9KWHp37iAMSl+N/xuXLxJ/OD+LbBavTlCG/hXNnoJ
lyK10HaqJjO+59zJMLaGuOT2Bt4YmxH+GxZSR1u+yiXWuSXYJO9meOYeO9EpuqGU
7yeG/ZkSyi2iLI5wK0u6XNLradiCq1fPkvUUtXBNi8qjNxfYAxFjYUWRZAoRXlfL
9wyJATiOAwc=
=Qw56
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

AutorGoran Culibrk
Cert idNCERT-REF-2020-06-0001-ADV
CveCERT-CVE-DUMMY
ID izvornikaCERT-ORIGID-DUMMY
ProizvodCERT-DUMMY-PRODUCT
IzvorAdobe
Marina Dimic Vugec
Top
More in Preporuke
Sigurnosni nedostatak programskog paketa python

Otkriven je sigurnosni nedostatak u programskom paketu python za operacijski sustav Redhat. Otkriveni nedostatak potencijalnim napadačima omogućuje zaobilaženje sigurnosnih ograničenja....

Close