Updated packages for JBoss Enterprise Application Platform 5.2.0 which fix one security issue and one bug are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam.

It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java. (CVE-2014-0107)

This update also fixes the following bug:

It was observed that when using the Transformer to convert a StreamSource to DOMResult, the performance of the conversion degraded as the size of the character data increased. For example, converting a 50 MB XML BLOB would take a very long time to finish. This issue has been resolved in this release by adjusting both the SAX2DOM and DOMBuilder classes to handle larger inputs more efficiently. (JBPAPP-10991)

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
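For application developers who feed XSLT through Xalan-Java, the following is an added example (not code from the advisory, from Red Hat, or from JBoss EAP) of the JAXP configuration the description above assumes: the secure processing feature enabled, external DTD and stylesheet access disabled where the runtime supports the JAXP 1.5 attributes, and a URIResolver that refuses every external reference as defense in depth on factories that predate those attributes. It then performs the StreamSource-to-DOMResult conversion that JBPAPP-10991 concerns. The class name HardenedXslt, the sample stylesheet and the sample input are constructed for this example. The configuration does not replace the update: CVE-2014-0107 is a case where the secure processing feature itself was insufficiently restrictive, so the patched package is what makes the feature effective.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.stream.StreamSource;
import org.w3c.dom.Document;

public class HardenedXslt {

    /** A URIResolver that refuses xsl:import, xsl:include and document() references outright.
     *  Works on any JAXP implementation, including ones that do not know the JAXP 1.5 attributes. */
    static final URIResolver REFUSE_ALL = new URIResolver() {
        public Source resolve(String href, String base) throws TransformerException {
            throw new TransformerException("external reference refused: " + href);
        }
    };

    /** Builds a TransformerFactory with the secure processing feature on and external access off. */
    public static TransformerFactory newHardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // The control the advisory is about; with the unpatched package it did not restrict enough.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 attributes (Java 7u40+): an empty value forbids all external protocols.
        // Factories that predate them, such as Xalan-Java 2.7.1, reject unknown attribute
        // names with IllegalArgumentException; the resolver below then carries the restriction.
        String[] externalAccess = {XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_STYLESHEET};
        for (String attr : externalAccess) {
            try {
                factory.setAttribute(attr, "");
            } catch (IllegalArgumentException unsupported) {
                // Attribute unknown to this factory: fall through to the URIResolver.
            }
        }
        factory.setURIResolver(REFUSE_ALL);
        return factory;
    }

    /** Converts XML from a StreamSource into a DOM tree (the path whose performance
     *  JBPAPP-10991 addresses), using a stylesheet compiled by the hardened factory. */
    public static Document transformToDom(TransformerFactory factory, String xslt, String xml)
            throws TransformerException {
        Transformer transformer = factory.newTransformer(new StreamSource(new StringReader(xslt)));
        // Set the resolver on the Transformer too, so document() at run time is covered
        // regardless of whether the factory propagated it.
        transformer.setURIResolver(REFUSE_ALL);
        DOMResult result = new DOMResult();
        transformer.transform(new StreamSource(new StringReader(xml)), result);
        return (Document) result.getNode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stylesheet and input for this example, not from the advisory.
        String xslt = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:template match=\"/\"><out><xsl:value-of select=\"count(//item)\"/></out></xsl:template>"
                + "</xsl:stylesheet>";
        String xml = "<items><item/><item/><item/></items>";
        Document doc = transformToDom(newHardenedFactory(), xslt, xml);
        System.out.println("item count: " + doc.getDocumentElement().getTextContent());
    }
}
```

A stylesheet that tries xsl:import, xsl:include or document() against this factory fails with the TransformerException from REFUSE_ALL rather than fetching anything; running the same stylesheet against an unhardened factory is a quick way to confirm the restriction is actually in force on a given runtime.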
Before applying this update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing Red Hat JBoss Enterprise Application Platform 5 installation (including all applications and configuration files).

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

JBoss Enterprise Application Platform 5 EL4

SRPMS:
xalan-j2-2.7.1-12_patch_08.ep5.el4.src.rpm
    MD5: ee2eb945d57a71b9ffb4ae7060ccc7a6
    SHA-256: 3d6c43472ee31ef9f277dd085a8bb916d1c834e27f218d5d5557cd94d349b117
 
IA-32:
xalan-j2-2.7.1-12_patch_08.ep5.el4.noarch.rpm
    MD5: 02277d05afb5d1bdf8d0e029b43f8f5d
    SHA-256: f7176ea6c2e3d8eb9a97af61857f032366211ea4e2859d58b4c3561e5ade762b
 
x86_64:
xalan-j2-2.7.1-12_patch_08.ep5.el4.noarch.rpm
    MD5: 02277d05afb5d1bdf8d0e029b43f8f5d
    SHA-256: f7176ea6c2e3d8eb9a97af61857f032366211ea4e2859d58b4c3561e5ade762b
 
JBoss Enterprise Application Platform 5 EL5

SRPMS:
xalan-j2-2.7.1-12_patch_08.ep5.el5.src.rpm
    MD5: d6300dd3fb326482a5ada4ffa828fbcc
    SHA-256: e119ccb9780bdcc098586782e789358551276053721634f45ede98bfa286dc37
 
IA-32:
xalan-j2-2.7.1-12_patch_08.ep5.el5.noarch.rpm
    MD5: 3e808a7dfe8ffdaf4bf59ebefc2d0cbe
    SHA-256: 9b8ea49f43f100a16ef98571d55b1d43ee583d0a799cd10800dd9dfbd6c530a5
 
x86_64:
xalan-j2-2.7.1-12_patch_08.ep5.el5.noarch.rpm
    MD5: 3e808a7dfe8ffdaf4bf59ebefc2d0cbe
    SHA-256: 9b8ea49f43f100a16ef98571d55b1d43ee583d0a799cd10800dd9dfbd6c530a5
 
JBoss Enterprise Application Platform 5 EL6

SRPMS:
xalan-j2-2.7.1-12_patch_08.ep5.el6.src.rpm
    MD5: abddf5fd55278e93798923666a8bda34
    SHA-256: e34cb335ef4d76e214f6a74b831bac25127d2f022a868e7943b280b7e8c95bb3
 
IA-32:
xalan-j2-2.7.1-12_patch_08.ep5.el6.noarch.rpm
    MD5: d8e2f9b519db0fff5bd604fd4fca0876
    SHA-256: bfb4094f4224c51efbcc8731762f6f1fe877ae26750c6f9c45157665a0498bba
 
x86_64:
xalan-j2-2.7.1-12_patch_08.ep5.el6.noarch.rpm
    MD5: d8e2f9b519db0fff5bd604fd4fca0876
    SHA-256: bfb4094f4224c51efbcc8731762f6f1fe877ae26750c6f9c45157665a0498bba
 
(The unlinked packages above are only available from the Red Hat Network)
1080248 – CVE-2014-0107 Xalan-Java: insufficient constraints in secure processing feature

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: