-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.1109
         A number of vulnerabilities have been identified in JBoss
                              9 December 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           JBoss
Publisher:         Red Hat
Operating System:  Red Hat
                   Red Hat Enterprise Linux Server 5
                   Red Hat Enterprise Linux AS/ES/WS 4
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-4265 CVE-2010-3862 

Reference:         ESB-2010.1095

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2010-0960.html
   https://rhn.redhat.com/errata/RHSA-2010-0961.html
   https://rhn.redhat.com/errata/RHSA-2010-0962.html
   https://rhn.redhat.com/errata/RHSA-2010-0963.html
   https://rhn.redhat.com/errata/RHSA-2010-0964.html
   https://rhn.redhat.com/errata/RHSA-2010-0965.html

Comment: This bulletin contains six (6) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: JBoss Enterprise Application Platform 5.1.0 security and bug fix update
Advisory ID:       RHSA-2010:0960-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0960.html
Issue date:        2010-12-08
CVE Names:         CVE-2010-3862 
=====================================================================

1. Summary:

Updated JBoss Enterprise Application Platform 5.1 packages that fix one
security issue and various bugs are now available for Red Hat Enterprise
Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch

3. Description:

JBoss Enterprise Application Platform is the market leading platform for
innovative and scalable Java applications; integrating the JBoss
Application Server, with JBoss Hibernate and JBoss Seam into a complete,
simple enterprise solution.

A flaw was found in the JBoss Remoting component. A remote attacker could
use specially-crafted input to cause the JBoss Remoting listeners to become
unresponsive, resulting in a denial of service condition for services
communicating via JBoss Remoting sockets. (CVE-2010-3862)

Red Hat would like to thank Ole Husgaard of eXerp.com for reporting this
issue.

These updated packages include multiple bug fixes. Documentation for these
bug fixes will be available shortly from the Release Notes, linked to in
the References section.

As well, this update adds a new jbossws-cxf package to JBoss Enterprise
Application Platform 5.1.0, to provide the sources for jbossws-cxf.
(BZ#645470)

Warning: Before applying this update, please backup the JBoss Enterprise
Application Platform "jboss-as/server/$PROFILE/deploy/" directory, along
with all other customized configuration files.

All users of JBoss Enterprise Application Platform 5.0 on Red Hat
Enterprise Linux 5 are advised to upgrade to these updated packages. The
JBoss server process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

641389 - CVE-2010-3862 JBoss Remoting Denial-Of-Service
645470 - Tracker bug for the addition of jbossws-cxf to EAP 5.1.0 release for RHEL-5.

6. Package List:

JBoss Enterprise Application Platform 5 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remoting-2.5.3-5.SP1.1.ep5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-security-policy-cc-5.1.0-1.ep5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-cxf-3.1.2-4.SP7.6.jdk6.ep5.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jopr-embedded-1.3.4-16.SP1.7.ep5.el5.src.rpm

noarch:
jboss-remoting-2.5.3-5.SP1.1.ep5.el5.noarch.rpm
jbossas-security-policy-cc-5.1.0-1.ep5.el5.noarch.rpm
jbossws-cxf-3.1.2-4.SP7.6.jdk6.ep5.el5.noarch.rpm
jopr-embedded-1.3.4-16.SP1.7.ep5.el5.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3862.html
https://access.redhat.com/security/updates/classification/#low
http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Release_Notes_5.1.0/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFM/+NsXlSAg2UNWIIRAvB/AJ4ubH2qgevB6KzpKT2y7ivvszhoowCgibA7
tquY6P0/y1W0sdvxWFmvGno=
=lHXM
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: JBoss Enterprise Web Platform 5.1.0 security and bug fix update
Advisory ID:       RHSA-2010:0961-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0961.html
Issue date:        2010-12-08
CVE Names:         CVE-2010-3862 
=====================================================================

1. Summary:

Updated JBoss Enterprise Web Platform packages that fix one security issue
and various bugs are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

JBoss Enterprise Web Platform 5 for RHEL 4 AS - noarch
JBoss Enterprise Web Platform 5 for RHEL 4 ES - noarch
JBoss Enterprise Web Platform 5 for RHEL 5 Server - noarch

3. Description:

The Enterprise Web Platform is for mid-size workloads, focusing on light
and rich Java applications. Web Platform is a slimmed down profile of the
JBoss Enterprise Application Platform.

A flaw was found in the JBoss Remoting component. A remote attacker could
use specially-crafted input to cause the JBoss Remoting listeners to become
unresponsive, resulting in a denial of service condition for services
communicating via JBoss Remoting sockets. (CVE-2010-3862)

Red Hat would like to thank Ole Husgaard of eXerp.com for reporting this
issue.

These updated packages include multiple bug fixes. Documentation for these
bug fixes will be available shortly from the Release Notes, linked to in
the References section.

As well, this update adds a new jbossws-cxf package to JBoss Enterprise
Web Platform 5.1, to provide the sources for jbossws-cxf. (BZ#645465)

Warning: Before applying this update, please backup the JBoss Enterprise
Web Platform "jboss-as-web/server/$PROFILE/deploy/" directory, along with
all other customized configuration files.

All users of JBoss Enterprise Web Platform on Red Hat Enterprise Linux 4
and 5 are advised to upgrade to these updated packages. The JBoss server
process must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

641389 - CVE-2010-3862 JBoss Remoting Denial-Of-Service
645465 - EWP: Tracker bug for addition of jbossws-cxf to EWP 5.1.0 release for RHEL-4 and RHEL-5.

6. Package List:

JBoss Enterprise Web Platform 5 for RHEL 4 AS:

Source:
jboss-remoting-2.5.3-5.SP1.1.ep5.el4.src.rpm
jbossws-cxf-3.1.2-4.SP7.6.jdk6.ep5.el4.src.rpm
jopr-embedded-1.3.4-16.SP1.7.ep5.el4.src.rpm

noarch:
jboss-remoting-2.5.3-5.SP1.1.ep5.el4.noarch.rpm
jbossws-cxf-3.1.2-4.SP7.6.jdk6.ep5.el4.noarch.rpm
jopr-embedded-1.3.4-16.SP1.7.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 4 ES:

Source:
jboss-remoting-2.5.3-5.SP1.1.ep5.el4.src.rpm
jbossws-cxf-3.1.2-4.SP7.6.jdk6.ep5.el4.src.rpm
jopr-embedded-1.3.4-16.SP1.7.ep5.el4.src.rpm

noarch:
jboss-remoting-2.5.3-5.SP1.1.ep5.el4.noarch.rpm
jbossws-cxf-3.1.2-4.SP7.6.jdk6.ep5.el4.noarch.rpm
jopr-embedded-1.3.4-16.SP1.7.ep5.el4.noarch.rpm

JBoss Enterprise Web Platform 5 for RHEL 5 Server:

Source:
jboss-remoting-2.5.3-5.SP1.1.ep5.el5.src.rpm
jbossws-cxf-3.1.2-4.SP7.6.jdk6.ep5.el5.src.rpm
jopr-embedded-1.3.4-16.SP1.7.ep5.el5.src.rpm

noarch:
jboss-remoting-2.5.3-5.SP1.1.ep5.el5.noarch.rpm
jbossws-cxf-3.1.2-4.SP7.6.jdk6.ep5.el5.noarch.rpm
jopr-embedded-1.3.4-16.SP1.7.ep5.el5.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-3862.html
https://access.redhat.com/security/updates/classification/#low
http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Web_Platform/5/html-single/Release_Notes_5.1.0/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFM/+OZXlSAg2UNWIIRAgaXAKCaJeN0gkHHo4iLCzmlM5EIp1BqPQCgsO89
58KnOXYQAROiLfg308SobI0=
=dl6a
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: JBoss Enterprise Web Platform 5.1.0 security update
Advisory ID:       RHSA-2010:0962-01
Product:           JBoss Enterprise Web Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0962.html
Issue date:        2010-12-08
CVE Names:         CVE-2010-3862 
=====================================================================

1. Summary:

A patch for JBoss Enterprise Web Platform 5.1 that fixes one security issue
is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

The Enterprise Web Platform is for mid-size workloads, focusing on light
and rich Java applications. Web Platform is a slimmed down profile of the
JBoss Enterprise Application Platform.

A flaw was found in the JBoss Remoting component. A remote attacker could
use specially-crafted input to cause the JBoss Remoting listeners to become
unresponsive, resulting in a denial of service condition for services
communicating via JBoss Remoting sockets. (CVE-2010-3862)

Red Hat would like to thank Ole Husgaard of eXerp.com for reporting this
issue.

Warning: Before applying this update, please backup the JBoss Enterprise
Web Platform "jboss-as-web/server/$PROFILE/deploy/" directory, along with
all other customized configuration files.

Note: For information about bug fixes available from the Red Hat Customer
Portal, refer to the Release Notes linked to in the References section.

All users of JBoss Enterprise Web Platform 5.1 as provided from the Red Hat
Customer Portal are advised to apply this patch. Refer to the Solution
section of this erratum for patch download instructions.

3. Solution:

A patch to correct CVE-2010-3862 for JBoss Enterprise Web Platform 5.1 is
available from the Red Hat Customer Portal. To download this patch:

1) Backup your existing JBoss Enterprise Web Platform installation
(including all applications and configuration files).

2) Log into the Customer Portal: https://access.redhat.com/login

3) Navigate to
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html

4) On the left-hand side menu, under "JBoss Enterprise Platforms" click
"Enterprise Web Platform". Then, use the "Version:" drop down menu to
select "5.1.0".

5) The patch is available from the "Security Advisories" link. After
applying the patch, the JBoss server process must be restarted for the
update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

641389 - CVE-2010-3862 JBoss Remoting Denial-Of-Service

5. References:

https://www.redhat.com/security/data/cve/CVE-2010-3862.html
https://access.redhat.com/security/updates/classification/#low
http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Web_Platform/5/html-single/Release_Notes_5.1.0/index.html

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFM/+PVXlSAg2UNWIIRAubvAJ9yBT/AI+eytHVlDK21k8G6HxqdzgCgibSt
nwjxCgxQcK80JNv5TBFhtOo=
=T2gK
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: JBoss Enterprise Application Platform 5.1.0 security update
Advisory ID:       RHSA-2010:0963-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0963.html
Issue date:        2010-12-08
CVE Names:         CVE-2010-3862 
=====================================================================

1. Summary:

A patch for JBoss Enterprise Application Platform 5.1 that fixes one
security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

JBoss Enterprise Application Platform is the market leading platform for
innovative and scalable Java applications; integrating the JBoss
Application Server, with JBoss Hibernate and JBoss Seam into a complete,
simple enterprise solution.

A flaw was found in the JBoss Remoting component. A remote attacker could
use specially-crafted input to cause the JBoss Remoting listeners to become
unresponsive, resulting in a denial of service condition for services
communicating via JBoss Remoting sockets. (CVE-2010-3862)

Red Hat would like to thank Ole Husgaard of eXerp.com for reporting this
issue.

Warning: Before applying this update, please backup the JBoss Enterprise
Application Platform "jboss-as/server/$PROFILE/deploy/" directory, along
with all other customized configuration files.

Note: For information about bug fixes available from the Red Hat Customer
Portal, refer to the Release Notes linked to in the References section.

All users of JBoss Enterprise Application Platform 5.1 as provided from the
Red Hat Customer Portal are advised to apply this patch. Refer to the
Solution section of this erratum for patch download instructions.

3. Solution:

A patch to correct CVE-2010-3862 for JBoss Enterprise Application Platform
5.1 is available from the Red Hat Customer Portal. To download this patch:

1) Backup your existing JBoss Enterprise Application Platform installation
(including all applications and configuration files).

2) Log into the Customer Portal: https://access.redhat.com/login

3) Navigate to
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html

4) On the left-hand side menu, under "JBoss Enterprise Platforms" click
"Application Platform". Then, use the "Version:" drop down menu to select
"5.1.0".

5) The patch is available from the "Security Advisories" link. After
applying the patch, the JBoss server process must be restarted for the
update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

641389 - CVE-2010-3862 JBoss Remoting Denial-Of-Service

5. References:

https://www.redhat.com/security/data/cve/CVE-2010-3862.html
https://access.redhat.com/security/updates/classification/#low
http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Release_Notes_5.1.0/index.html

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFM/+QTXlSAg2UNWIIRAoR+AKCd3o2dpKqwVXNvfL2A2RL6lAQ9JACfd7W5
jW/RBMQ9RjnDEWN5mL9l6XI=
=18tm
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: jboss-remoting security update
Advisory ID:       RHSA-2010:0964-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0964.html
Issue date:        2010-12-08
CVE Names:         CVE-2010-4265 
=====================================================================

1. Summary:

An updated jboss-remoting package that fixes one security issue is now
available for JBoss Enterprise Application Platform 4.3 for Red Hat
Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS - noarch
JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES - noarch
JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server - noarch

3. Description:

JBoss Remoting is a framework for building distributed applications in
Java.

Contrary to what their errata texts stated, the JBoss Enterprise Application
Platform 4.3.0.CP09 updates RHSA-2010:0937 and RHSA-2010:0938 did not provide
a fix for CVE-2010-3862. A remote attacker could use specially-crafted input
to cause the JBoss Remoting listeners to become unresponsive, resulting in a
denial of service condition for services communicating via JBoss Remoting
sockets. CVE-2010-4265 tracks this missing fix; systems that applied the
CP09 updates remain affected until this jboss-remoting package is installed.
(CVE-2010-4265)

Red Hat would like to thank Ole Husgaard of eXerp.com for reporting this
issue.

Warning: Before applying this update, backup your existing JBoss Enterprise
Application Platform installation (including all applications and
configuration files).

Users of JBoss Enterprise Application Platform 4.3 on Red Hat Enterprise
Linux 4 and 5 should upgrade to this updated package, which contains a
backported patch to correct this issue. The JBoss server process must be
restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

660623 - CVE-2010-4265 jboss-remoting: missing fix for CVE-2010-3862

6. Package List:

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/jboss-remoting-2.2.3-4.SP3.ep1.1.el4.src.rpm

noarch:
jboss-remoting-2.2.3-4.SP3.ep1.1.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 4 ES:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/jboss-remoting-2.2.3-4.SP3.ep1.1.el4.src.rpm

noarch:
jboss-remoting-2.2.3-4.SP3.ep1.1.el4.noarch.rpm

JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remoting-2.2.3-4.SP3.ep1.1.el5.src.rpm

noarch:
jboss-remoting-2.2.3-4.SP3.ep1.1.el5.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
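Because RHSA-2010:0964 supplies a fix that an earlier erratum claimed was already present, checking the platform's cumulative-patch level is not enough; the release of the installed jboss-remoting package has to be compared against the builds listed above. The script below is an added example for this bulletin, not Red Hat or AusCERT code. It implements rpm's segment-wise version comparison (without epoch or "~" handling) and classifies the output of `rpm -q jboss-remoting` against the fixed package names taken from RHSA-2010:0960, RHSA-2010:0961 and RHSA-2010:0964. The host names and package strings in the sample are constructed so that it runs offline. It does not cover the Customer Portal zip patches (RHSA-2010:0962, 0963 and 0965), which leave no RPM record.

```python
"""Compare installed jboss-remoting RPMs with the fixed builds from
RHSA-2010:0960/0961 (EAP/EWP 5.1.0) and RHSA-2010:0964 (EAP 4.3.0).

Added example for this bulletin; not Red Hat or AusCERT code.
"""
import re

# Fixed package names copied from the advisory package lists, keyed by
# (jboss-remoting version stream, RHEL dist tag).
FIXED = {
    ("2.5", "el5"): "jboss-remoting-2.5.3-5.SP1.1.ep5.el5",  # EAP/EWP 5.1.0, RHEL 5
    ("2.5", "el4"): "jboss-remoting-2.5.3-5.SP1.1.ep5.el4",  # EWP 5.1.0, RHEL 4
    ("2.2", "el5"): "jboss-remoting-2.2.3-4.SP3.ep1.1.el5",  # EAP 4.3.0, RHEL 5
    ("2.2", "el4"): "jboss-remoting-2.2.3-4.SP3.ep1.1.el4",  # EAP 4.3.0, RHEL 4
}
ARCHES = {"noarch", "i386", "x86_64", "src"}
_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Segment-wise comparison in the manner of rpm's rpmvercmp (no epoch or
    '~' handling): split into digit and alpha runs, compare digit runs
    numerically and alpha runs lexically, rank a digit run above an alpha
    run, and let the string with more segments win a tie. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(pkg):
    """Split 'name-version-release[.arch][.rpm]' into (name, version, release)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    head, _, tail = pkg.rpartition(".")
    if tail in ARCHES:
        pkg = head
    nv, _, release = pkg.rpartition("-")
    name, _, version = nv.rpartition("-")
    return name, version, release


def assess(pkg):
    """Classify one installed jboss-remoting package as 'fixed', 'vulnerable'
    or 'unknown' (a version stream or dist tag the advisories do not list)."""
    name, version, release = parse_nvr(pkg)
    if name != "jboss-remoting":
        raise ValueError("not a jboss-remoting package: %s" % pkg)
    stream = ".".join(version.split(".")[:2])
    dist = next((d for d in ("el4", "el5") if release.endswith(d)), None)
    fixed = FIXED.get((stream, dist))
    if fixed is None:
        return "unknown"
    _, fixed_version, fixed_release = parse_nvr(fixed)
    # The version decides first; only when equal does the release decide.
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return "fixed" if order >= 0 else "vulnerable"


if __name__ == "__main__":
    # Constructed sample output of `rpm -q jboss-remoting` from four hosts.
    SAMPLE = [
        ("eap51-rhel5", "jboss-remoting-2.5.3-5.SP1.1.ep5.el5"),
        ("eap50-rhel5", "jboss-remoting-2.5.2-3.SP1.ep5.el5"),
        ("eap43-rhel4", "jboss-remoting-2.2.3-4.SP3.ep1.1.el4.noarch"),
        ("eap43-rhel5", "jboss-remoting-2.2.3-3.SP3.ep1.el5"),
    ]
    for host, pkg in SAMPLE:
        print("%-12s %-45s %s" % (host, pkg, assess(pkg)))
```

On a real host the input is the output of `rpm -q jboss-remoting` (or the matching line of `rpm -qa`) rather than the constructed list. A result of "fixed" only shows the package is installed; as the advisory states, the JBoss server process must be restarted before the update takes effect.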

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-4265.html
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFM/+YEXlSAg2UNWIIRAqcdAJ9Nm4ktzkDp+EzXZiR6m15FWtDE9ACfZkUt
1Clx+txwJRhaSadVJ78R/1c=
=VtFr
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: jboss-remoting security update
Advisory ID:       RHSA-2010:0965-01
Product:           JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0965.html
Issue date:        2010-12-08
CVE Names:         CVE-2010-4265 
=====================================================================

1. Summary:

A patch for JBoss Enterprise Application Platform 4.3.0.CP09 that fixes one
security issue is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

JBoss Remoting is a framework for building distributed applications in
Java.

Contrary to what the RHSA-2010:0939 erratum text stated, JBoss Enterprise
Application Platform 4.3.0.CP09 as provided from the Red Hat Customer Portal
did not provide a fix for CVE-2010-3862. A remote attacker could use
specially-crafted input to cause the JBoss Remoting listeners to become
unresponsive, resulting in a denial of service condition for services
communicating via JBoss Remoting sockets. CVE-2010-4265 tracks this missing
fix; installations that applied CP09 remain affected until this patch is
applied. (CVE-2010-4265)

Red Hat would like to thank Ole Husgaard of eXerp.com for reporting this
issue.

Warning: Before applying this update, backup your existing JBoss Enterprise
Application Platform installation (including all applications and
configuration files).

All users of JBoss Enterprise Application Platform 4.3.0.CP09 as provided
from the Red Hat Customer Portal are advised to apply this patch. Refer to
the Solution section of this erratum for patch download instructions.

3. Solution:

A patch to correct CVE-2010-4265 for JBoss Enterprise Application Platform
4.3.0.CP09 is available from the Red Hat Customer Portal. To download this
patch:

1) Backup your existing JBoss Enterprise Application Platform installation
(including all applications and configuration files).

2) Log into the Customer Portal: https://access.redhat.com/login

3) Navigate to
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html

4) On the left-hand side menu, under "JBoss Enterprise Platforms" click
"Application Platform". Then, use the "Version:" drop down menu to select
"4.3.0.GA_CP09".

5) The patch is available from the "Security Advisories" link. After
applying the patch, the JBoss server process must be restarted for the
update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

660623 - CVE-2010-4265 jboss-remoting: missing fix for CVE-2010-3862

5. References:

https://www.redhat.com/security/data/cve/CVE-2010-4265.html
https://access.redhat.com/security/updates/classification/#low

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFM/+byXlSAg2UNWIIRAucbAJ9s50lQHVKxFCeq4J3Dse4XUvJ/MwCgjbC5
kqK/CdQZnEBH/QYOsn+VIdw=
=nDZi
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNAEN3/iFOrG6YcBERAvtNAJ40XFPw+rLGcIqUNP8Pb0fuJ0UjvgCgghbs
3W+UqKRTerzD8sWXnHbJa+U=
=+IkY
-----END PGP SIGNATURE-----