
Security vulnerabilities in the Red Hat JBoss Enterprise Application Platform 6.4 software package

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update
Advisory ID: RHSA-2018:2740-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2740
Issue date: 2018-09-24
CVE Names: CVE-2017-2582 CVE-2017-7536 CVE-2018-1336
CVE-2018-10237
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 6.4 for Red Hat Enterprise Linux.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.21 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.20,
and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* hibernate-validator: Privilege escalation when running under the security
manager (CVE-2017-7536)

* guava: Unbounded memory allocation in AtomicDoubleArray and
CompoundOrdering classes allow remote attackers to cause a denial of
service (CVE-2018-10237)

* picketlink: The fix for CVE-2017-2582 breaks the feature of attribute
replacement with system property in picketlink.xml (CVE-2017-2582)

* jbossweb: tomcat: A bug in the UTF-8 decoder can lead to DoS
(CVE-2018-1336)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the
CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1261190 - [GSS](6.4.z) Upgrade jboss-ejb-client from 1.0.40 to 1.0.41
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
1570200 - [GSS](6.4.z) Upgrade JBoss Modules from 1.3.10 to 1.3.11
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1578830 - (6.4.z) Upgrade hibernate-validator from 4.3.3 to 4.3.4
1580440 - [GSS](6.4.z) Upgrade xnio from 3.0.16 to 3.0.17
1594389 - [GSS](6.4.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
1602226 - [GSS](6.4.z) Upgrade xerces from 2.9.1.redhat-6 to 2.9.1.redhat-8
1606334 - [GSS](6.4.z) Upgrade JBoss VFS from 3.2.12 to 3.2.13
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1610355 - [GSS](6.4.z) Upgrade HornetQ from 2.3.25.SP24 to 2.3.25.SP28
1610742 - [GSS](6.4.z) Upgrade JBoss Web from 7.5.28 to 7.5.29
1611770 - [GSS](6.4.z) Upgrade Ironjacamar from 1.0.41 to 1.0.42
1614448 - [GSS](6.4.z) Upgrade Jackson from 1.9.9.redhat-6 to 1.9.9.redhat-7
1615347 - [GSS](6.4.z) Upgrade PicketLink from 2.5.4.SP18-redhat-1 to 2.5.4.SP18-redhat-2
1615380 - [GSS](6.4.z) Upgrade Guava from 13.0.1.redhat-2 to 13.0.1.redhat-3

5. References:

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/cve/CVE-2017-7536
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update
Advisory ID: RHSA-2018:2741-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2741
Issue date: 2018-09-24
CVE Names: CVE-2017-2582 CVE-2017-7536 CVE-2018-1336
CVE-2018-10237
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 6.4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.21 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.20,
and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* hibernate-validator: Privilege escalation when running under the security
manager (CVE-2017-7536)

* guava: Unbounded memory allocation in AtomicDoubleArray and
CompoundOrdering classes allow remote attackers to cause a denial of
service (CVE-2018-10237)

* picketlink: The fix for CVE-2017-2582 breaks the feature of attribute
replacement with system property in picketlink.xml (CVE-2017-2582)

* jbossweb: tomcat: A bug in the UTF-8 decoder can lead to DoS
(CVE-2018-1336)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the
CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1261190 - [GSS](6.4.z) Upgrade jboss-ejb-client from 1.0.40 to 1.0.41
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
1570200 - [GSS](6.4.z) Upgrade JBoss Modules from 1.3.10 to 1.3.11
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1578830 - (6.4.z) Upgrade hibernate-validator from 4.3.3 to 4.3.4
1580440 - [GSS](6.4.z) Upgrade xnio from 3.0.16 to 3.0.17
1594389 - [GSS](6.4.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
1602226 - [GSS](6.4.z) Upgrade xerces from 2.9.1.redhat-6 to 2.9.1.redhat-8
1606334 - [GSS](6.4.z) Upgrade JBoss VFS from 3.2.12 to 3.2.13
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1610355 - [GSS](6.4.z) Upgrade HornetQ from 2.3.25.SP24 to 2.3.25.SP28
1610742 - [GSS](6.4.z) Upgrade JBoss Web from 7.5.28 to 7.5.29
1611770 - [GSS](6.4.z) Upgrade Ironjacamar from 1.0.41 to 1.0.42
1614448 - [GSS](6.4.z) Upgrade Jackson from 1.9.9.redhat-6 to 1.9.9.redhat-7
1615347 - [GSS](6.4.z) Upgrade PicketLink from 2.5.4.SP18-redhat-1 to 2.5.4.SP18-redhat-2
1615380 - [GSS](6.4.z) Upgrade Guava from 13.0.1.redhat-2 to 13.0.1.redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server:

Source:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el7.src.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el7.src.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el7.src.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el7.src.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el7.src.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el7.src.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el7.src.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el7.src.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el7.src.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el7.src.rpm

noarch:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-core-asl-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-jaxrs-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-mapper-asl-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-xc-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el7.noarch.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-common-impl-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-common-spi-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-core-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-core-impl-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-jdbc-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-spec-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-validator-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el7.noarch.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el7.noarch.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el7.noarch.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
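A practical follow-up to the package list above is to confirm that a host actually carries the fixed builds. The check below is an added example, not part of the advisory or of Red Hat tooling: it re-implements RPM's version ordering (numeric segments beat alphabetic ones, `~` sorts first; the `^` separator is not handled) and compares `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` output against a representative subset of the RHEL 7 noarch versions listed above. The embedded `rpm -qa` output is a constructed sample.

```python
"""Check installed EAP 6.4 package versions against RHSA-2018:2741.

Added example, not part of the advisory. Input format is the output of
    rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'
where a package without an epoch prints "(none)".
"""
import re

# Fixed (version, release) pairs taken from the advisory's RHEL 7 noarch list
# above; a representative subset, keyed by package name.
FIXED = {
    "jbossweb": ("7.5.29", "1.Final_redhat_1.1.ep6.el7"),
    "guava-libraries": ("13.0.1", "5.redhat_3.1.ep6.el7"),
    "hibernate4-validator": ("4.3.4", "1.Final_redhat_1.1.ep6.el7"),
    "picketlink-federation": ("2.5.4", "21.SP18_redhat_2.1.ep6.el7"),
    "jboss-as-web": ("7.5.21", "1.Final_redhat_1.1.ep6.el7"),
}

# Constructed sample of `rpm -qa` output: two packages already at the fixed
# build, two behind on version, one behind only on release.
SAMPLE_RPM_QA = """\
jbossweb (none) 7.5.28 1.Final_redhat_1.1.ep6.el7
guava-libraries (none) 13.0.1 5.redhat_3.1.ep6.el7
hibernate4-validator (none) 4.3.3 1.Final_redhat_1.1.ep6.el7
picketlink-federation (none) 2.5.4 20.SP18_redhat_1.1.ep6.el7
jboss-as-web (none) 7.5.21 1.Final_redhat_1.1.ep6.el7
"""

# rpmvercmp treats runs of digits, runs of letters and '~' as segments;
# everything else ('.', '_', '-') is only a separator.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering a against b like RPM's rpmvercmp()."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x == y:
            continue
        # '~' sorts before anything, including the end of the string
        if x == "~":
            return -1
        if y == "~":
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1  # a numeric segment beats an alphabetic one
        else:
            return -1 if x < y else 1  # plain string order for letters
    if len(seg_a) == len(seg_b):
        return 0
    # Common prefix is equal: the longer string wins, unless its remainder
    # starts with '~' (a pre-release marker), which makes it the smaller one.
    a_longer = len(seg_a) > len(seg_b)
    rest = seg_a[len(seg_b):] if a_longer else seg_b[len(seg_a):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def compare_evr(installed, fixed) -> int:
    """Compare (epoch, version, release) tuples; epoch dominates, then version."""
    e1, v1, r1 = installed
    e2, v2, r2 = fixed
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = rpmvercmp(v1, v2)
    return c if c else rpmvercmp(r1, r2)


def parse_rpm_qa(text: str) -> dict:
    """Map package name -> (epoch, version, release) from rpm -qa output."""
    pkgs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, epoch, version, release = line.split()
        pkgs[name] = (0 if epoch == "(none)" else int(epoch), version, release)
    return pkgs


def missing_fixes(rpm_qa_output: str, fixed=FIXED) -> list:
    """Return sorted names of installed packages still below the fixed build.

    Packages that are not installed at all are not reported: the advisory
    only matters for components present on the host.
    """
    installed = parse_rpm_qa(rpm_qa_output)
    behind = []
    for name, (version, release) in fixed.items():
        if name in installed and compare_evr(installed[name], (0, version, release)) < 0:
            behind.append(name)
    return sorted(behind)


if __name__ == "__main__":
    for name in missing_fixes(SAMPLE_RPM_QA):
        print(f"{name}: below RHSA-2018:2741 fixed version")
```

On a real host, feed the output of the `rpm -qa` query shown in the docstring to `missing_fixes` and extend `FIXED` with the remaining entries from the noarch list.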

7. References:

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/cve/CVE-2017-7536
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update
Advisory ID: RHSA-2018:2742-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2742
Issue date: 2018-09-24
CVE Names: CVE-2017-2582 CVE-2017-7536 CVE-2018-1336
CVE-2018-10237
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 6.4 for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.21 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.20,
and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* hibernate-validator: Privilege escalation when running under the security
manager (CVE-2017-7536)

* guava: Unbounded memory allocation in AtomicDoubleArray and
CompoundOrdering classes allow remote attackers to cause a denial of
service (CVE-2018-10237)

* picketlink: The fix for CVE-2017-2582 breaks the feature of attribute
replacement with system property in picketlink.xml (CVE-2017-2582)

* jbossweb: tomcat: A bug in the UTF-8 decoder can lead to DoS
(CVE-2018-1336)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the
CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1261190 - [GSS](6.4.z) Upgrade jboss-ejb-client from 1.0.40 to 1.0.41
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
1570200 - [GSS](6.4.z) Upgrade JBoss Modules from 1.3.10 to 1.3.11
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1578830 - (6.4.z) Upgrade hibernate-validator from 4.3.3 to 4.3.4
1580440 - [GSS](6.4.z) Upgrade xnio from 3.0.16 to 3.0.17
1594389 - [GSS](6.4.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
1602226 - [GSS](6.4.z) Upgrade xerces from 2.9.1.redhat-6 to 2.9.1.redhat-8
1606334 - [GSS](6.4.z) Upgrade JBoss VFS from 3.2.12 to 3.2.13
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1610355 - [GSS](6.4.z) Upgrade HornetQ from 2.3.25.SP24 to 2.3.25.SP28
1610742 - [GSS](6.4.z) Upgrade JBoss Web from 7.5.28 to 7.5.29
1611770 - [GSS](6.4.z) Upgrade Ironjacamar from 1.0.41 to 1.0.42
1614448 - [GSS](6.4.z) Upgrade Jackson from 1.9.9.redhat-6 to 1.9.9.redhat-7
1615347 - [GSS](6.4.z) Upgrade PicketLink from 2.5.4.SP18-redhat-1 to 2.5.4.SP18-redhat-2
1615380 - [GSS](6.4.z) Upgrade Guava from 13.0.1.redhat-2 to 13.0.1.redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server:

Source:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el5.src.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el5.src.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el5.src.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el5.src.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el5.src.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el5.src.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el5.src.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el5.src.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el5.src.rpm

noarch:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
codehaus-jackson-core-asl-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
codehaus-jackson-jaxrs-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
codehaus-jackson-mapper-asl-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
codehaus-jackson-xc-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el5.noarch.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el5.noarch.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el5.noarch.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el5.noarch.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el5.noarch.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el5.noarch.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/cve/CVE-2017-7536
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update
Advisory ID: RHSA-2018:2743-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2743
Issue date: 2018-09-24
CVE Names: CVE-2017-2582 CVE-2017-7536 CVE-2018-1336
CVE-2018-10237
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 6.4 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.21 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.20,
and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* hibernate-validator: Privilege escalation when running under the security
manager (CVE-2017-7536)

* guava: Unbounded memory allocation in AtomicDoubleArray and
CompoundOrdering classes allow remote attackers to cause a denial of
service (CVE-2018-10237)

* picketlink: The fix for CVE-2017-2582 breaks the feature of attribute
replacement with system property in picketlink.xml (CVE-2017-2582)

* jbossweb: tomcat: A bug in the UTF-8 decoder can lead to DoS
(CVE-2018-1336)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the
CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1261190 - [GSS](6.4.z) Upgrade jboss-ejb-client from 1.0.40 to 1.0.41
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
1570200 - [GSS](6.4.z) Upgrade JBoss Modules from 1.3.10 to 1.3.11
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1578830 - (6.4.z) Upgrade hibernate-validator from 4.3.3 to 4.3.4
1580440 - [GSS](6.4.z) Upgrade xnio from 3.0.16 to 3.0.17
1594389 - [GSS](6.4.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
1602226 - [GSS](6.4.z) Upgrade xerces from 2.9.1.redhat-6 to 2.9.1.redhat-8
1606334 - [GSS](6.4.z) Upgrade JBoss VFS from 3.2.12 to 3.2.13
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1610355 - [GSS](6.4.z) Upgrade HornetQ from 2.3.25.SP24 to 2.3.25.SP28
1610742 - [GSS](6.4.z) Upgrade JBoss Web from 7.5.28 to 7.5.29
1611770 - [GSS](6.4.z) Upgrade Ironjacamar from 1.0.41 to 1.0.42
1614448 - [GSS](6.4.z) Upgrade Jackson from 1.9.9.redhat-6 to 1.9.9.redhat-7
1615347 - [GSS](6.4.z) Upgrade PicketLink from 2.5.4.SP18-redhat-1 to 2.5.4.SP18-redhat-2
1615380 - [GSS](6.4.z) Upgrade Guava from 13.0.1.redhat-2 to 13.0.1.redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el6.src.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el6.src.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el6.src.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el6.src.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el6.src.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el6.src.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el6.src.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el6.src.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el6.src.rpm

noarch:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
codehaus-jackson-core-asl-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
codehaus-jackson-jaxrs-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
codehaus-jackson-mapper-asl-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
codehaus-jackson-xc-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el6.noarch.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-core-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el6.noarch.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el6.noarch.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el6.noarch.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el6.noarch.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el6.noarch.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
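One way to turn the package lists of both advisories above (RHSA-2018:2740 for RHEL 5 and RHSA-2018:2743 for RHEL 6) into a compliance check, as an added example that is not Red Hat's code: rpmvercmp() is a Python re-implementation of rpm's version comparison rules (assumption: caret and epoch handling left out, which these labels do not use), and the installed-package lines are constructed, not captured from a real host.

```python
# Added example, not part of the advisory: flag installed EAP 6 packages that
# are older than this advisory's fixed builds. rpmvercmp() re-implements
# librpm's comparison rules (assumption: '^' handling and epochs omitted).
import re

# Fixed builds copied from the RHEL 6 noarch package list above (a subset).
FIXED = [
    "jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el6.noarch.rpm",
    "guava-libraries-13.0.1-5.redhat_3.1.ep6.el6.noarch.rpm",
    "hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm",
]
# Constructed `rpm -qa` output (not captured from a real host).
INSTALLED = """jbossweb-7.5.28-1.Final_redhat_1.1.ep6.el6.noarch
guava-libraries-13.0.1-4.redhat_2.1.ep6.el6.noarch
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el6.noarch
bash-4.1.2-48.el6.x86_64"""
_SEP = re.compile(r"[^0-9A-Za-z~]*")  # separator runs that rpm skips over

def rpmvercmp(a, b):
    """Return -1, 0 or 1 for two version/release strings, as librpm does."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _SEP.match(a, i).end(), _SEP.match(b, j).end()
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta != tb:                  # '~' sorts before anything, even EOS
            return 1 if tb else -1
        if ta:                        # both sides have '~': consume it
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()        # left side decides the segment type
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group()
        mb = re.match(pat, b[j:])
        if not mb:                    # numeric segment beats alphabetic one
            return 1 if isnum else -1
        sb = mb.group()
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1   # leftover characters mean "newer"

def split_nvr(label):
    """'name-version-release[.arch][.rpm]' -> (name, version, release)."""
    label = re.sub(r"(\.(noarch|x86_64|i686|src))?(\.rpm)?$", "", label)
    return tuple(label.rsplit("-", 2))

def outdated(installed_text, fixed):
    """Installed NVRs whose version-release is older than the fixed build."""
    fixed_by_name = {n: (v, r) for n, v, r in map(split_nvr, fixed)}
    older = []
    for line in installed_text.split():
        n, v, r = split_nvr(line)
        fv, fr = fixed_by_name.get(n, (None, None))
        if fv and (rpmvercmp(v, fv) or rpmvercmp(r, fr)) < 0:
            older.append(line)
    return older
```

On a real host, feed `rpm -qa` output to outdated() and paste the advisory's full package list into FIXED; the comparison is done per name, so packages not named in the advisory are ignored.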

7. References:

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/cve/CVE-2017-7536
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.



Author: Zvonimir Bosnjak
CERT ID: NCERT-REF-2018-09-0001-ADV