Your message dated Tue, 11 May 2010 23:53:27 +0200
with message-id <aanlktimbbwdo_sxclt8uxjbbyk4jpgo6o1qiofgba...@mail.gmail.com>
and subject line Re: Bug#581226: Multiple security issues
has caused the Debian Bug report #581226,
regarding Multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
581226: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581226
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jbossas4
Severity: grave
Tags: security

The following security issues have been reported against jbossas4:

CVE-2010-0738:

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise
Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09
and 4.3 before 4.3.0.CP08 performs access control only for the GET and
POST methods, which allows remote attackers to send requests to this
application's GET handler by using a different method.

https://bugzilla.redhat.com/show_bug.cgi?id=574105

CVE-2010-1428:

The Web Console (aka web-console) in JBossAs in Red Hat JBoss
Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before
4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for
the GET and POST methods, which allows remote attackers to obtain
sensitive information via an unspecified request that uses a different
method.

https://bugzilla.redhat.com/show_bug.cgi?id=585899

CVE-2010-1429:

Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP)
4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote
attackers to obtain sensitive information about "deployed web
contexts" via a request to the status servlet, as demonstrated by a
full=true query string. NOTE: this issue exists because of a
CVE-2008-3273 regression.

https://bugzilla.redhat.com/show_bug.cgi?id=585900

I've noticed the following in README.Debian:

| jbossas4 is currently in a very alpha stage of packaging. It can be used
| to build other libraries depending on JBoss like libhibernate3-java but
| it is not complete and cannot be used as an application server yet.

Does this mean these issues don't affect jbossas4 as packaged in Debian?
If so, we should limit the scope of security support for Squeeze.

Cheers,
        Moritz
-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
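The two web-console issues above (CVE-2010-0738 and CVE-2010-1428) are the same class of flaw: a servlet security-constraint that enumerates http-method elements protects only those verbs, so a request using any other verb (HEAD, PUT, or an arbitrary token that the servlet routes to its GET handler) bypasses authentication. The following is an added example, not code from the bug report or from the JBoss project: it lints a web.xml for constraints limited to named methods and models the container's decision for a given verb. The two web.xml documents are constructed for the example (the resource name HtmlAdaptor and role JBossAdmin are illustrative, not copied from a shipped file); URL-pattern matching is deliberately omitted because both samples protect /*.

```python
"""Lint servlet web.xml security-constraints for HTTP verb tampering exposure.

Added illustration, not from the Debian bug or JBoss: a <security-constraint>
that lists <http-method> elements covers only those verbs; any other verb
falls outside the constraint and reaches the servlet unauthenticated. The
safe pattern is to omit <http-method> entirely so every verb is covered.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the vulnerable pattern (hypothetical names).
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Same constraint with the <http-method> elements removed: applies to all verbs.
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [e for e in elem if _local(e.tag) == name]


def find_verb_tampering_gaps(web_xml_text):
    """Return (resource_name, url_patterns, listed_methods) for every
    web-resource-collection whose protection is limited to named verbs."""
    root = ET.fromstring(web_xml_text)
    gaps = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        for wrc in _children(sc, 'web-resource-collection'):
            methods = [e.text.strip().upper()
                       for e in _children(wrc, 'http-method') if e.text]
            if not methods:
                continue  # no <http-method>: the constraint covers every verb
            names = [e.text.strip()
                     for e in _children(wrc, 'web-resource-name') if e.text]
            patterns = [e.text.strip()
                        for e in _children(wrc, 'url-pattern') if e.text]
            gaps.append((names[0] if names else '?', patterns, methods))
    return gaps


def constraint_applies(web_xml_text, method):
    """Model the container's decision: is `method` subject to an
    auth-constraint? Listed methods restrict coverage; none listed means all.
    URL-pattern matching is omitted because the samples protect /*."""
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        if not _children(sc, 'auth-constraint'):
            continue  # no auth-constraint: nothing to bypass here
        for wrc in _children(sc, 'web-resource-collection'):
            methods = {e.text.strip().upper()
                       for e in _children(wrc, 'http-method') if e.text}
            if not methods or method.upper() in methods:
                return True
    return False


if __name__ == '__main__':
    for label, doc in (('weak', WEAK_WEB_XML), ('fixed', FIXED_WEB_XML)):
        print(label, 'gaps:', find_verb_tampering_gaps(doc))
        for verb in ('GET', 'POST', 'HEAD', 'PUT', 'BOGUS'):
            print(f"  {verb:5s} protected={constraint_applies(doc, verb)}")
```

Run stand-alone, the weak document reports one gap and leaves HEAD, PUT and the arbitrary verb unprotected; the fixed document reports no gap and protects every verb. The same linter can be pointed at a deployed WEB-INF/web.xml to confirm that a hardened constraint really dropped the http-method elements rather than just adding more of them.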
--- Begin Message ---
Hi,

as you have found out yourself: we do not provide a full JBoss server
stack in Debian because many Build-Depends are missing. We just build
some core libraries used by hibernate and ehcache. That is why all of
those bugs do not apply to Debian.

Torsten


--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.