Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.10 natives, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release includes bug fixes and enhancements, as well as a new release of OpenSSL that addresses a number of outstanding security flaws.

For further information, see the knowledge base article linked to in the References section.

All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108)

* Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

* A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to use an excessive amount of memory and possibly crash. (CVE-2015-3195)

* A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic. (CVE-2015-4000)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105)

* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106)

* It was discovered that it is possible to remotely segfault the Apache HTTP Server with a specially crafted string sent to mod_cluster via service messages (MCMP). (CVE-2016-3110)

* A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109)

* It was discovered that specifying a configuration with a JVMRoute path longer than 80 characters will cause a segmentation fault, leading to a server crash. (CVE-2016-4459)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2105, and CVE-2016-2106 and Michal Karm Babacek for reporting CVE-2016-3110. The CVE-2016-4459 issue was discovered by Robert Bost (Red Hat). Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; and Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

JBoss Enterprise Application Platform 6 EL6

SRPMS:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.src.rpm
    MD5: cd62e3452ea727322f407eb7f70197f6
    SHA-256: 42a0d006acfd4c4a76cb4e4ca1fe43f78f579fda49539cbf7f7a6508f1f22e3d
httpd-2.2.26-54.ep6.el6.src.rpm
    MD5: eea764698b146f592541c89c33f1750f
    SHA-256: 500e2f71d7ec5bfdc3a06bc409c1c153295dc9ac19d3cb94b104dd4636492110
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.src.rpm
    MD5: 963dc03d1a02d317a679000b14fac02a
    SHA-256: ac5b23430a44667cd0792bb73c6f3c366d4450d6239e7025095bcc72fb165513
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.src.rpm
    MD5: 7398b0838abe76a7fef1ef7978b274be
    SHA-256: 13f719c9842b1ff8c1bf8a216599ca2e53cb412fec11035cc83ae20e3fe9ade8
mod_jk-1.2.41-2.redhat_4.ep6.el6.src.rpm
    MD5: a5e47f6180e7b967b83ed98c2ffc4ec1
    SHA-256: 7494c511a9af95e50c283d012125f55281f8f9d88361782902189da719d67db7
tomcat-native-1.1.34-5.redhat_1.ep6.el6.src.rpm
    MD5: d28d971ae5736394f7fbb125b0e05ed0
    SHA-256: f36bf2dafa5e715c97cf1a516f944bb4c6f2b98be1199f15b7508191d100b8ad
 
IA-32:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.i386.rpm
    MD5: 390fbfdd259e95b310a73594e6b22883
    SHA-256: e8056f0ac22b05a5231fd44e89e8a5973977e86fbd36ec965b58b20a5fac49af
httpd-2.2.26-54.ep6.el6.i386.rpm
    MD5: 2f620897fde7952deda0559fd9f9249d
    SHA-256: 2ef8cdddf64eee31651657bad31abec8e607dc46b7f4c698351d74a261462d61
httpd-devel-2.2.26-54.ep6.el6.i386.rpm
    MD5: b32fe0a48b47ff99c52df86da99d17b3
    SHA-256: 04722287bb04ab20e50386340906e15279f5acc197ec64adf1ebbc406586e335
httpd-manual-2.2.26-54.ep6.el6.i386.rpm
    MD5: acfd1db3e2a03fb7572c761363845758
    SHA-256: 953df274cb9193c9cab480f8ecd8af48dda6e2d63de6bd4a3dd39e2c0499cd9a
httpd-tools-2.2.26-54.ep6.el6.i386.rpm
    MD5: 02d0d90b97b00d7d2973040e8e5ed6ec
    SHA-256: ea1765628eb3e4d08020227c0506b5b3adfa021b31e774f8879af06921b3ecff
jbcs-httpd24-1-3.jbcs.el6.noarch.rpm
    MD5: 55c3c3b5f68c76fac313b7ca0e184511
    SHA-256: 4ad48d853b5aa9b54e724c78e144bbde6deeb7a04ae023cf99e7bb04f079f6ff
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: 7f161860ac4557d0d1ac61a8bfe3852a
    SHA-256: 45b0aad95e6c5e6031e26e36865970c1948cf1a881b0c4e5680468e1a06c49d7
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: 2b2acec99c551418e47a6fe8223c16bd
    SHA-256: f5ddc2a4bc86f5ec40f932aceeaf4d87eb1c012a300b4e2ffd11bfd2fecd7ba8
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: 66978755c0f3ff07731c6e7de5017920
    SHA-256: ec9f2c353d7f1b3ebbe453ff5eb170304839f6ba4b98d903b1008100e98faa60
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: 688b86a5500ec07141d70794c6633408
    SHA-256: e093d1532b16a8ad66a36413fcbfcd0e2b190d555c40308ca70f984cfa35d22d
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.i686.rpm
    MD5: fb5353cbf563d1d9c999709f4bcad07a
    SHA-256: 4e06824b17e7bfe3a69c968517b2573bb38977b93ed1cc6ec3bd9616ab3c4101
jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm
    MD5: 26a66efa482cd82904ebdb713607bca3
    SHA-256: 8ac86a3df21bd84036eaeedcf6a780bc81d36b74924fc05a308cbb3fc0241865
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.i386.rpm
    MD5: 31a0b89c502622d5c695ee86cbf6bf58
    SHA-256: 46b530eeeb0ff03aa08296639d1ee62f23668169b17621168f920f2e792ab4ad
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el6.i386.rpm
    MD5: 8b19d89a9cad62c61439628b5aafa8ca
    SHA-256: a2d3e9e884ef7500c856d4f5a30f563f449375588338a7ae05a5d949492e57f1
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.i386.rpm
    MD5: 0960a08b41ef13c51794bc2b3fcb7056
    SHA-256: ed043fcb58bce264b360afbd457eddfd9039dab8ff491d8f46ccdf567c6e6caf
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el6.i386.rpm
    MD5: 18d370e1f246c8202b10be688b6bbe65
    SHA-256: 00c0f495520cd745811413ba3eb137f5e886c27d711ece911452941c599e0aba
mod_ldap-2.2.26-54.ep6.el6.i386.rpm
    MD5: b9978abe33bd8fca73a00f1d6053fe2f
    SHA-256: 4039a3dacde1c77d1d7ba8a6d055af9e4ea86ef25830c81a298e54059a8d531e
mod_ssl-2.2.26-54.ep6.el6.i386.rpm
    MD5: ad1a0f3f8f4f5203d4171c787f90dcb0
    SHA-256: 2a5fd27067edc19626604ef553a5490f8a7eba49da369c3043d7a4a7c306779e
tomcat-native-1.1.34-5.redhat_1.ep6.el6.i386.rpm
    MD5: f5ea8e1260998850436ff0c0d84e63b7
    SHA-256: d6e7500e9781ff94436a46aec1b0facc37d61429f80bcc9d4696ecfafe7aaac4
 
PPC:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.ppc64.rpm
    MD5: fc027ca74904c221166add5734d45728
    SHA-256: 46e1fe1e99a7addc91be62ef3ed9aa60106db09341c8308109bd87bb759a0605
httpd-2.2.26-54.ep6.el6.ppc64.rpm
    MD5: 730d260c56adef2a83351d94b851951a
    SHA-256: e88819d657247afd74a1d9569ca4af85a84bc0ad0c341126b2f31541a2d8f6b3
httpd-devel-2.2.26-54.ep6.el6.ppc64.rpm
    MD5: 32583d34b85c9d41551e2046bca00e5a
    SHA-256: 9f53a2587de8302faf309bb1f25b87ae55bb140f6b19772007f39707d148523d
httpd-manual-2.2.26-54.ep6.el6.ppc64.rpm
    MD5: 9438800d7ad9b096e4d7c65b6000e076
    SHA-256: 2d64802ded23776cd83f5a9276fd177e9bf1309fb20a951717f9dc7bf9556c20
httpd-tools-2.2.26-54.ep6.el6.ppc64.rpm
    MD5: c1145bdd515273bcbbb68a3f6477bf1a
    SHA-256: 81d95ca8234f7734ae118e0951dad5aa96241c20a880913ff1813f7b7dac6274
jbcs-httpd24-1-3.jbcs.el6.noarch.rpm
    MD5: 55c3c3b5f68c76fac313b7ca0e184511
    SHA-256: 4ad48d853b5aa9b54e724c78e144bbde6deeb7a04ae023cf99e7bb04f079f6ff
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.ppc64.rpm
    MD5: 559f08abb2169ef0c58483df1ece7bdc
    SHA-256: fb93c148a9e3e636dfe34436b25b07ef4e7ca2630318c2b39eead2892aa34416
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.ppc64.rpm
    MD5: 748cdd95b14d1ac09c88161d8e09960d
    SHA-256: 623aa239c016538ee28dd9a48a7997f3affc5e43ec19932fb7f75677f62089f8
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.ppc64.rpm
    MD5: e549845fda3618e722f457d04ada64b4
    SHA-256: bfe0e72169d772e7318e6db41a9f4c31f8af72f11cae22ee54da6a393af96c58
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.ppc64.rpm
    MD5: 4cc3fba1d01725cf022bfc7ed51f95a5
    SHA-256: 69336af63ea5062c72cfb2f02bc13ec125e89a6e00040837615fa8fac1454aa1
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.ppc64.rpm
    MD5: c3b2e87d6eb03256843f86f78356f6ad
    SHA-256: 7d2bd10540061a83db34359615901bdb39f8a0db1902ba1e6c5baaa5f839394a
jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm
    MD5: 26a66efa482cd82904ebdb713607bca3
    SHA-256: 8ac86a3df21bd84036eaeedcf6a780bc81d36b74924fc05a308cbb3fc0241865
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.ppc64.rpm
    MD5: 25cd16b4ea2f068cc4a10e5465abc468
    SHA-256: 7d7b1c4d327e31c6f0775bad4cd36c787aca17720d0038943450d2cfc7f2ef83
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el6.ppc64.rpm
    MD5: f60065497f75b0306ece04007cefec19
    SHA-256: 4b21884a73ca27b0871c1171d2dc272de364a32bd6995c03111d2cd788ae475a
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.ppc64.rpm
    MD5: c5e6c941aa20046741ee7bd7c3c55332
    SHA-256: a02e41bb0d4478a6c1e13fba4035dcce6aa3cd513fb06a487c18f983824da16a
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el6.ppc64.rpm
    MD5: acb73b0b6ac5607b4ec77fe72c76b2cc
    SHA-256: 3d66976dfafb2d4318bdefc8418c0afbd83dfd6f91e0e57fb96b0f4d64d26387
mod_ldap-2.2.26-54.ep6.el6.ppc64.rpm
    MD5: e6ed9807c9b81ebaf6d87baa70e3cb73
    SHA-256: c91676653409e6e8a06534b7c16ede83858513fc0ed734d4b8bd89a85f568db0
mod_ssl-2.2.26-54.ep6.el6.ppc64.rpm
    MD5: 71ce8f549b1c2625d3fc4a7e37ee6a1f
    SHA-256: 3b6f84a6765ea1593910ff2cab26f675a3b5e905565be813e797b24eabb7f372
tomcat-native-1.1.34-5.redhat_1.ep6.el6.ppc64.rpm
    MD5: 2a011488806a7edbca4e7ee3f9c2e083
    SHA-256: 1df4ed8db1110bbf65192749051d9482c56fa055337f9c0a1117a37018865151
 
x86_64:
hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.x86_64.rpm
    MD5: aa72f656b66f7a5e91c1635ac65a506c
    SHA-256: 0d35825de1ca9f8dff9db819a57da22adfd85f3471fef13ffe7db1376a49355d
httpd-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: 91556faf775acf8a5f130099cb076275
    SHA-256: 65a1e179b6e455b73a9aa23929f65fda99c2283cf33e0f6cb96f362efd9b2197
httpd-devel-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: b00a921577b49c18ea2578e2444b4278
    SHA-256: 4e5e0e62a3e47307ca75d23e9fb8a97a117163a46d11911e7f926210a86a5a43
httpd-manual-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: 456777fc9cfbc7052cab5513cac10c49
    SHA-256: 8b0470615c47fafc22b9b08eecde0eca9f88371822869e76bbc2935a178a17fa
httpd-tools-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: b5451282b70f72e3ffb4e850837b83ed
    SHA-256: 4aeb4ecadcca0e06707fd6ef87a629067f353061dd4016c2bbe2115e51f00774
jbcs-httpd24-1-3.jbcs.el6.noarch.rpm
    MD5: 55c3c3b5f68c76fac313b7ca0e184511
    SHA-256: 4ad48d853b5aa9b54e724c78e144bbde6deeb7a04ae023cf99e7bb04f079f6ff
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: 411ce2397cddf77a882ddbebcd8a0762
    SHA-256: 86225769181a6677c8ec92ac74db4281b41e73f0a782cb426867a50b6a0289ac
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: a8cdf0f72326e9801671c00af0594d4c
    SHA-256: 2f558d2b55fa44f8df23471b4d6e2bb67dbf6b05348d2fbe9d414248a93e687d
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: 03a954c4787d3ccce6dbb131b922f110
    SHA-256: 62186db1184d1a37129d44771eeab73630109c5e3fa54f7d2e38e35ad1a98712
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: 7598560deaba3370c3c85f83d6ab980e
    SHA-256: 588505e83e4e8d4e75d54b7faa1d4e727159d0a98f83b2dad73b6aa2026bb379
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.x86_64.rpm
    MD5: 5f827452f347852789e667798d8964be
    SHA-256: 744051dbab7f5ad2d3157fdfa904452f51974219f1d66ca4976012e5142a5719
jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm
    MD5: 26a66efa482cd82904ebdb713607bca3
    SHA-256: 8ac86a3df21bd84036eaeedcf6a780bc81d36b74924fc05a308cbb3fc0241865
jbossas-hornetq-native-2.3.25-4.SP11_redhat_1.ep6.el6.x86_64.rpm
    MD5: c6857621fd657153131b1d8b91f65261
    SHA-256: 877874f7e1ffc0924c5fd7d077355532be724b126d9f4b22335087926a91b6df
jbossas-jbossweb-native-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm
    MD5: 378d0dbe20ca0e8d8df66015922c8691
    SHA-256: e335c3ea451f7f12d4c7810f9c012f16a0bbb17a485a2e0a6267a2dd0336b594
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.x86_64.rpm
    MD5: 6781a0b7d7c6fbaa720289b367e169eb
    SHA-256: e67be895b7a3e8f2eec5211052d2dccb6dfd3323ad9884d4abe520b7c881c537
mod_jk-ap22-1.2.41-2.redhat_4.ep6.el6.x86_64.rpm
    MD5: cc964b2fbe429f58c8b3016e45ab5bd7
    SHA-256: edeaf9c06eb7ee6fb752c8d58944fcf8357adbeed7dbf26dc8be786104c45e75
mod_ldap-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: 0185716d5ff7efd84767680799e677bf
    SHA-256: 704e71dc12b7456d610b8de7132ddfd5a472ff5d7b2d98b636da562f41010864
mod_ssl-2.2.26-54.ep6.el6.x86_64.rpm
    MD5: 6d218955f6ac6f6bb493467e2b9d6606
    SHA-256: e345df4f891e8278366a86e5db014d660c8306877aaa3357e9bb6e3af5cab6f4
tomcat-native-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm
    MD5: 272492dd826b88ad6bdb5e60d114b42d
    SHA-256: c66e650acf0a08d8088bec04e59c683358a115185820b1801ca677b7d612f71b
 
(The unlinked packages above are only available from the Red Hat Network)
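Two checks that follow from this advisory, written as an added example rather than Red Hat tooling: the package list above publishes a SHA-256 digest for every RPM, and the solution text states that every service linked to the OpenSSL library must be restarted before the update takes effect. The Python below parses a package list in the advisory's format (it accepts both the fused "MD5: ...SHA-256: ..." digest line as the page was extracted and the one-digest-per-line form) and compares downloaded files against the listed SHA-256 values; it then scans /proc/<pid>/maps text for processes that still map a deleted libssl or libcrypto, which is what a not-yet-restarted service looks like after the library on disk has been replaced. The sample advisory lines, RPM payloads and maps rows are constructed for the demo and do not come from this advisory; to use it for real, point it at the actual downloaded RPMs and at the live /proc tree.

```python
"""Post-update checks for an RHSA-style package advisory.

Added example, not Red Hat tooling. Two checks around an update like this one:
  1. verify downloaded RPMs against the SHA-256 digests listed in the advisory;
  2. find processes that still map a replaced (deleted) OpenSSL library, i.e.
     services that have not been restarted since the update.
All sample data below (advisory lines, RPM payloads, /proc maps rows) is constructed.
"""
import hashlib
import os
import re
import tempfile

# Advisory package lists are a file name line followed by an indented digest line.
# The digest line may read "MD5: <32 hex>SHA-256: <64 hex>" run together, or the two
# digests may sit on separate lines; only SHA-256 is used (MD5 is not collision resistant).
_SHA256 = re.compile(r"SHA-256:\s*([0-9a-f]{64})")


def parse_package_list(text):
    """Return {rpm_filename: sha256_hex} parsed from advisory package-list text."""
    expected = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        m = _SHA256.search(stripped)
        if m and current:
            expected[current] = m.group(1)
            current = None
        elif stripped.endswith(".rpm"):
            current = stripped  # architecture headers such as "x86_64:" fall through
    return expected


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every listed package."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == digest else "mismatch"
    return results


# A /proc/<pid>/maps row for a library whose file was replaced on disk ends in
# "(deleted)"; the process keeps executing the old code until it is restarted.
_STALE_OPENSSL = re.compile(r"/lib(ssl|crypto)\.so\S*\s+\(deleted\)$")


def stale_openssl_mappings(maps_by_pid):
    """Return sorted pids whose maps still reference a deleted libssl/libcrypto.

    maps_by_pid is {pid: maps_text}. On a live host build it from /proc, e.g.
    {int(p): open(f"/proc/{p}/maps").read() for p in os.listdir("/proc") if p.isdigit()},
    catching PermissionError for processes owned by other users.
    """
    return sorted(pid for pid, text in maps_by_pid.items()
                  if any(_STALE_OPENSSL.search(row) for row in text.splitlines()))


# Constructed /proc/<pid>/maps excerpts: 1234 still runs the old libcrypto,
# 1235 has already been restarted, 1236 maps an unrelated deleted library.
SAMPLE_MAPS = {
    1234: "7f0a1c000000-7f0a1c1c3000 r-xp 00000000 fd:01 1311 /usr/lib64/libcrypto.so.1.0.2h (deleted)\n"
          "7f0a1c400000-7f0a1c420000 r--p 00000000 fd:01 1399 /usr/lib64/libz.so.1\n",
    1235: "7f1b2c000000-7f1b2c1c3000 r-xp 00000000 fd:01 2048 /usr/lib64/libcrypto.so.1.0.2h\n",
    1236: "7f2c3c000000-7f2c3c010000 r-xp 00000000 fd:01 4096 /opt/app/libhelper.so (deleted)\n",
}


def run_demo():
    """Run both checks on constructed data; returns (verify_results, stale_pids)."""
    good, bad, absent = ("example-good-1.0-1.el6.x86_64.rpm",
                         "example-tampered-1.0-1.el6.x86_64.rpm",
                         "example-missing-1.0-1.el6.x86_64.rpm")
    payload = b"constructed rpm payload"
    digest = hashlib.sha256(payload).hexdigest()
    # Advisory text in the page's fused digest format; the MD5 field is a placeholder.
    advisory = "x86_64:\n" + "".join(
        f"{name}\n    MD5: {'0' * 32}SHA-256: {digest}\n" for name in (good, bad, absent))
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, good), "wb") as f:
            f.write(payload)
        with open(os.path.join(d, bad), "wb") as f:
            f.write(payload + b" modified in transit")
        results = verify_downloads(parse_package_list(advisory), d)
    return results, stale_openssl_mappings(SAMPLE_MAPS)


if __name__ == "__main__":
    verified, stale = run_demo()
    for name, status in verified.items():
        print(f"{status:8} {name}")
    print("restart needed for pids:", stale)
```

The digest comparison complements, rather than replaces, checking the GPG signature on each package with `rpm -K`: the signature proves who built the package, while the SHA-256 match proves the file you hold is the exact build this advisory describes. The maps scan catches the case the solution text warns about, where the new OpenSSL is installed but long-running services are still executing the old library from memory.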

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
