Updated JBoss Enterprise Application Platform packages that fix several
security issues and bugs are now available for Red Hat Application Stack v1
and v2.
This update has been rated as having moderate security impact by the Red Hat
Security Response Team.
2. Relevant releases/architectures:
Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - noarch
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - noarch
Red Hat Application Stack v2 for Enterprise Linux (v.5) - noarch
3. Problem description:
The updated packages address the following security vulnerabilities:
Tomcat incorrectly treated a single quote character (') in a cookie value
as a delimiter. In some circumstances this lead to the leaking of
information such as session ID to an attacker (CVE-2007-3382).
Tomcat incorrectly handled the character sequence \" in a cookie value. In
some circumstances this lead to the leaking of information such as session
ID to an attacker (CVE-2007-3385).
In addition to these security fixes, this update also fixes several bugs in
JBoss Enterprise Application Platform. Please see the referenced release
notes for the list of bugs fixed.
Users of JBoss Enterprise Application Platform should upgrade to these
updated packages which contain fixes to correct these issues.
For users of Red Hat Application Stack v1, installation of this errata will
automatically bring the system up to V.1.2. Please note the following
changes that may affect you:
- - Stacks V.1.2 has a new version of JBoss Application Server which
requires Java version 1.5 to run.
- - Unless the JBOSS_IP variable is explicitly set in the configuration
file, JBoss Application Server services are now bound to localhost.
- - Unless the JBOSSCONF variable is explicitly set in the configuration
file, JBoss Application Server will start with the production config
when started via the init script.
Refer to the release notes for more information on how to set the
JBOSS_IP and JBOSSCONF variables.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
