Chapter 5. Patch Installation

5.1. About Patching Mechanisms

JBoss security and bug patches are released in two forms.
  • Planned updates: As part of a micro, minor or major upgrade of an existing product.
  • Asynchronous updates: As a one off patch which is released outside the normal upgrade cycle of the existing product.
Deciding whether a patch is released as part of a planned update or an out-of-cycle one-off depends on the severity of the flaw being fixed. Flaws of low impact are typically deferred, to be resolved in the next minor release of the affected products. Flaws of moderate or higher impact are typically addressed in order of importance as an update to the product with an asynchronous release and contain only a resolution to the flaw at hand.
The severity of a security flaw is based on the assessment of the bug by the Security Response Team at Red Hat, combined with several consistent factors:
  • How easily can a flaw be exploited?
  • What kind of damage can be done if exploited?
  • Are there typically other factors involved that lower the impact of the flaw (such as firewalls, Security-Enhanced Linux, compiler directives, and so forth)?
Red Hat maintains a mailing list for notifying subscribers about security related flaws. See Section 5.2, “Subscribe to Patch Mailing Lists”
For more information on how Red Hat rates JBoss security flaws, please click on the following link: http://securityblog.redhat.com/2012/09/19/how-red-hat-rates-jboss-security-flaws/