RHSA-2007:0950 - Security Advisory
Moderate: JBoss Enterprise Application Platform security update
Security Advisory: Moderate
Updated JBoss Enterprise Application Platform packages that fix several
security issues and bugs are now available for Red Hat Application Stack v1
This update has been rated as having moderate security impact by the Red Hat
Security Response Team.
The updated packages address the following security vulnerabilities:
Tomcat incorrectly treated a single quote character (') in a cookie value
as a delimiter. In some circumstances this lead to the leaking of
information such as session ID to an attacker (CVE-2007-3382).
Tomcat incorrectly handled the character sequence \" in a cookie value. In
some circumstances this lead to the leaking of information such as session
ID to an attacker (CVE-2007-3385).
In addition to these security fixes, this update also fixes several bugs in
JBoss Enterprise Application Platform. Please see the referenced release
notes for the list of bugs fixed.
Users of JBoss Enterprise Application Platform should upgrade to these
updated packages which contain fixes to correct these issues.
For users of Red Hat Application Stack v1, installation of this errata will
automatically bring the system up to V.1.2. Please note the following
changes that may affect you:
- Stacks V.1.2 has a new version of JBoss Application Server which
requires Java version 1.5 to run.
- Unless the JBOSS_IP variable is explicitly set in the configuration
file, JBoss Application Server services are now bound to localhost.
- Unless the JBOSSCONF variable is explicitly set in the configuration
file, JBoss Application Server will start with the production config
when started via the init script.
Refer to the release notes for more information on how to set the
JBOSS_IP and JBOSSCONF variables.
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
- Red Hat Application Stack 2 (for RHEL Server) 2 x86_64
- Red Hat Application Stack 2 (for RHEL Server) 2 i386
- Red Hat Application Stack 1 1 x86_64
- Red Hat Application Stack 1 1 i386
- BZ - 247972 - CVE-2007-3382 tomcat handling of cookies
- BZ - 247976 - CVE-2007-3385 tomcat handling of cookie values
Red Hat Application Stack 2 (for RHEL Server) 2
Red Hat Application Stack 1 1