| Descripción: | Description:
The remote host is missing updates announced in
advisory RHSA-2007:0950.
The updated packages address the following security vulnerabilities:
Tomcat incorrectly treated a single quote character (') in a cookie value
as a delimiter. In some circumstances this lead to the leaking of
information such as session ID to an attacker (CVE-2007-3382).
Tomcat incorrectly handled the character sequence \ in a cookie value. In
some circumstances this lead to the leaking of information such as session
ID to an attacker (CVE-2007-3385).
In addition to these security fixes, this update also fixes several bugs in
JBoss Enterprise Application Platform. Please see the referenced release
notes for the list of bugs fixed.
Users of JBoss Enterprise Application Platform should upgrade to these
updated packages which contain fixes to correct these issues.
For users of Red Hat Application Stack v1, installation of this errata will
automatically bring the system up to V.1.2. Please note the following
changes that may affect you:
- - Stacks V.1.2 has a new version of JBoss Application Server which
requires Java version 1.5 to run.
- - Unless the JBOSS_IP variable is explicitly set in the configuration
file, JBoss Application Server services are now bound to localhost.
- - Unless the JBOSSCONF variable is explicitly set in the configuration
file, JBoss Application Server will start with the production config
when started via the init script.
Refer to the release notes for more information on how to set the
JBOSS_IP and JBOSSCONF variables.
Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
http://rhn.redhat.com/errata/RHSA-2007-0950.html
http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.2.0.cp01/readme.html
http://www.redhat.com/security/updates/classification/#moderate
Risk factor : Medium
CVSS Score:
4.3
|
