Your message dated Sat, 23 Jan 2010 17:06:36 +0100
with message-id <[email protected]>
and subject line Re: Bug#562000: CVE-2009-0027 CVE-2009-1380 CVE-2009-3554 CVE-2009-2405
has caused the Debian Bug report #562000,
regarding CVE-2009-0027 CVE-2009-1380 CVE-2009-3554 CVE-2009-2405
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
562000: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562000
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jbossas4
Severity: grave
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for jbossas4.
CVE-2009-0027[0]:
| The request handler in JBossWS in JBoss Enterprise Application
| Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before
| 4.3.0.CP04 does not properly validate the resource path during a
| request for a WSDL file with a custom web-service endpoint, which
| allows remote attackers to read arbitrary XML files via a crafted
| request.
CVE-2009-1380[1]:
| Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in
| Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP)
| 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 allows remote
| attackers to inject arbitrary web script or HTML via the filter
| parameter, related to the key property and the position of quote and
| colon characters.
CVE-2009-3554[2]:
| Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss
| EAP or JBEAP) 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 writes
| the JMX password, and other command-line arguments, to the twiddle.log
| file, which allows local users to obtain sensitive information by
| reading this file.
CVE-2009-2405[3]:
| Multiple cross-site scripting (XSS) vulnerabilities in the Web Console
| in the Application Server in Red Hat JBoss Enterprise Application
| Platform (aka JBoss EAP or JBEAP) 4.2.0 before 4.2.0.CP08, 4.2.2GA,
| 4.3 before 4.3.0.CP07, and 5.1.0GA allow remote attackers to inject
| arbitrary web script or HTML via the (1) monitorName, (2) objectName,
| (3) attribute, or (4) period parameter to createSnapshot.jsp, or the
| (5) monitorName, (6) objectName, (7) attribute, (8) threshold, (9)
| period, or (10) enabled parameter to createThresholdMonitor.jsp. NOTE:
| some of these details are obtained from third party information.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0027
http://security-tracker.debian.org/tracker/CVE-2009-0027
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1380
http://security-tracker.debian.org/tracker/CVE-2009-1380
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3554
http://security-tracker.debian.org/tracker/CVE-2009-3554
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2405
http://security-tracker.debian.org/tracker/CVE-2009-2405
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAksv7qcACgkQNxpp46476aphLwCfTWuBeFcKRy9eqXVb8Npt+8GS
7+cAn0zrtf4pK7R0BikWy2Qxxzphq1EA
=5rGT
-----END PGP SIGNATURE-----
--- End Message ---
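The first CVE in the report above, CVE-2009-0027, is a resource-path validation flaw: a WSDL request for a custom endpoint could name a path that the handler served without checking where it resolved. The following is an added example, not JBossWS code and not part of the bug report, showing the check a handler of that kind needs: reject absolute paths and dot segments, restrict the extension, and confirm containment on the canonical (symlink-resolved) path. The directory layout, file names and sample requests in `demo()` are constructed for illustration.

```python
"""Serve WSDL/XSD resources only from inside a fixed directory.

Added example for the defect class in CVE-2009-0027 (a request handler that
does not validate the resource path of a WSDL request). Names and directory
layout are assumptions, not JBossWS code.
"""
import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = (".wsdl", ".xsd")


class ResourcePathError(ValueError):
    """Raised when a requested resource path fails validation."""


def resolve_wsdl_resource(base_dir, requested):
    """Map a client-supplied resource name to a file under base_dir.

    `requested` is the path as received after the container has URL-decoded
    it once. The function rejects absolute paths, empty or dot segments,
    disallowed extensions, and any canonical path (symlinks followed) that
    lands outside base_dir.
    """
    base = Path(base_dir).resolve()
    if not requested or requested.startswith(("/", "\\")):
        raise ResourcePathError("absolute paths are not allowed")
    segments = requested.replace("\\", "/").split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise ResourcePathError("empty or dot segments are not allowed")
    if not requested.lower().endswith(ALLOWED_SUFFIXES):
        raise ResourcePathError("only .wsdl/.xsd resources may be served")
    candidate = (base / requested).resolve()
    # Containment is checked on the canonical path, so a symlink inside
    # base_dir that points elsewhere cannot be used to read other XML files.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ResourcePathError("resolved path escapes the WSDL directory")
    if not candidate.is_file():
        raise ResourcePathError("no such resource")
    return candidate


def is_safe_wsdl_path(base_dir, requested):
    """Boolean convenience wrapper around resolve_wsdl_resource."""
    try:
        resolve_wsdl_resource(base_dir, requested)
        return True
    except ResourcePathError:
        return False


def demo():
    """Build a throwaway deployment layout and probe it with constructed requests.

    Returns a dict mapping each request to True (served) or False (rejected).
    """
    with tempfile.TemporaryDirectory() as tmp:
        wsdl_dir = Path(tmp) / "wsdl"
        (wsdl_dir / "services").mkdir(parents=True)
        (wsdl_dir / "services" / "Echo.wsdl").write_text("<definitions/>")
        secret = Path(tmp) / "conf" / "login-config.xml"   # constructed "other XML file"
        secret.parent.mkdir()
        secret.write_text("<policy/>")
        # A symlink inside the WSDL directory that points outside it.
        os.symlink(secret, wsdl_dir / "services" / "link.wsdl")
        requests = [
            "services/Echo.wsdl",
            "../conf/login-config.xml",
            "services/../../conf/login-config.xml",
            "/etc/passwd",
            "services/link.wsdl",
            "services/Echo.wsdl.bak",
        ]
        return {r: is_safe_wsdl_path(wsdl_dir, r) for r in requests}


if __name__ == "__main__":
    for request, ok in demo().items():
        print(f"{'served ' if ok else 'REJECT '} {request}")
```

Only the first request in `demo()` is served; the traversal, absolute-path, symlink and wrong-extension requests are all refused. The order of the checks matters: the syntactic rejection of dot segments is cheap and catches the obvious cases, but the `relative_to` test on the resolved path is the one that actually enforces containment.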
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Giuseppe Iuculano wrote:
> CVE-2009-0027[0]:
> | The request handler in JBossWS in JBoss Enterprise Application
> | Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06
we have 4.2.2.GA-5 (stable) and 4.2.3.GA-1 (testing, unstable) in
Debian. That means we are not vulnerable.
> CVE-2009-1380[1]:
> | Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in
> | Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP)
> | 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 allows remote
same as above
> CVE-2009-3554[2]:
> | Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss
> | EAP or JBEAP) 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 writes
same as above and BTW we do not ship the JBEAP
> CVE-2009-2405[3]:
> | Multiple cross-site scripting (XSS) vulnerabilities in the Web Console
> | in the Application Server in Red Hat JBoss Enterprise Application
> | Platform (aka JBoss EAP or JBEAP) 4.2.0 before 4.2.0.CP08, 4.2.2GA,
> | 4.3 before 4.3.0.CP07, and 5.1.0GA allow remote attackers to inject
same as above
Cheers,
Torsten
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAktbHowACgkQfY3dicTPjsMsWwCeOrf/jZkv5c2w7AGTcy+qttwe
IE4AniR0jpMRmExjFgzgLjVsOlXxZO7w
=eFua
-----END PGP SIGNATURE-----
--- End Message ---
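The reply above quotes CVE-2009-3554, in which Twiddle wrote its command-line arguments, JMX password included, to twiddle.log, so that any local user who could read the file obtained the credential. As an added example that is not Twiddle's code and not part of this thread, the block below shows the two defensive halves of that problem: masking password arguments before they are logged, and creating the log file owner-readable only, plus a scanner that flags lines in an existing log that still carry a cleartext password argument. The flag names `-p`/`--password`, the `args: [...]` line format and the sample log lines are assumptions constructed for the example.

```python
"""Keep JMX credentials out of a tool's log file.

Added example for the defect class in CVE-2009-3554 (command-line arguments,
password included, written to twiddle.log). The flag names -p/--password,
the log line format and the sample lines are assumptions, not Twiddle's own.
"""
import os
import re
import stat
import tempfile

SECRET_FLAGS = ("-p", "--password")   # assumed: flags whose value is a password
MASK = "********"


def redact_argv(argv):
    """Return a copy of argv with password values masked.

    Covers the separated form (-p secret), the attached short form
    (-psecret) and the long form with '=' (--password=secret). Any other
    single-dash flag starting with -p would be masked too; acceptable here
    because the assumed tool has none.
    """
    out = []
    consume_next = False
    for arg in argv:
        if consume_next:
            out.append(MASK)
            consume_next = False
        elif arg in SECRET_FLAGS:
            out.append(arg)
            consume_next = True
        elif arg.startswith("--password="):
            out.append("--password=" + MASK)
        elif arg.startswith("-p") and not arg.startswith("--"):
            out.append("-p" + MASK)
        else:
            out.append(arg)
    return out


# A password flag followed by a value that is not already the mask.
_LEAK_RE = re.compile(
    r"(?<![\w-])(?:-p\s+|-p=|--password\s+|--password=)(?!\*+(?:\s|\]|$))\S+"
)


def find_credential_leaks(lines):
    """Return 1-based numbers of lines that still carry a cleartext password argument."""
    return [n for n, line in enumerate(lines, 1) if _LEAK_RE.search(line)]


def write_private_log(path, lines):
    """Create the log file readable only by its owner and write the lines.

    Mode 0o600 is applied at creation, so there is no window in which the
    file exists with wider permissions. Returns the resulting mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample lines in an assumed "args: [...]" format; not real twiddle.log output.
SAMPLE_LOG = [
    "2010-01-23 17:06:36 INFO  args: [-s localhost -u admin -p s3cr3t get jboss.system:type=Server Started]",
    "2010-01-23 17:06:40 INFO  args: [-s localhost -u admin -p ******** get jboss.system:type=Server Started]",
    "2010-01-23 17:07:01 INFO  args: [--password=hunter2 --server=localhost serverinfo -d jboss]",
    "2010-01-23 17:07:05 INFO  connected to localhost:1099",
]


def demo():
    """Log a redacted invocation to an owner-only file; return (mode, logged line)."""
    argv = ["-s", "localhost", "-u", "admin", "-p", "s3cr3t", "get",
            "jboss.system:type=Server", "Started"]
    line = "args: [" + " ".join(redact_argv(argv)) + "]"
    with tempfile.TemporaryDirectory() as tmp:
        mode = write_private_log(os.path.join(tmp, "twiddle.log"), [line])
    return mode, line


if __name__ == "__main__":
    print("leaking sample lines:", find_credential_leaks(SAMPLE_LOG))
    mode, line = demo()
    print(f"mode {mode:o}: {line}")
```

Against `SAMPLE_LOG` the scanner reports lines 1 and 3; line 2 is skipped because its value is already the mask. Redaction at the point of logging is the fix the advisory calls for; the restrictive file mode is the belt-and-braces measure that limits exposure if some other code path still writes something sensitive.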