
Key: JBPAPP-317
Type: Bug
Status: Closed
Resolution: Done
Priority: Blocker
Assignee: Jean-Frederic Clere
Reporter: Marc Schoenefeld
Votes: 0
Watchers: 0
JBoss Enterprise Platform App Edition

Fix multiple potential vulnerabilities in embedded Tomcats

Created: 24/Aug/07 12:58 PM   Updated: 31/Aug/07 04:21 AM  Due: 27/Aug/07
Component/s: App Server
Affects Version/s: 4.2.0.GA
Fix Version/s: 4.2.0.GA_CP01
Security Level: Public (Everyone can see)

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown
Environment: JBoss-Web security
Issue Links:
Superset
This issue incorporates:
JBPAPP-302 Fix Tomcat security vulnerabilities, ... Major Resolved
 

Affects: Release Notes


Description
The embedded Tomcat versions in JBoss are vulnerable to a set of security vulnerabilities.
The potential breaches are listed here:

http://jira.jboss.com/jira/browse/JBWEB-90

Comments
Fernando Nasser [24/Aug/07 03:58 PM]
Is the CVE-2007-3386 the only one missing for JBoss Web ATM?

Jean-Frederic: as this has not been released yet, you can just replace the 2.0.0.GA_CP01 with one that contains this 3rd fix.

Fernando Nasser [24/Aug/07 03:59 PM]
One more :-(

Fernando Nasser [27/Aug/07 08:49 AM]
From Jean-Frederic:

"This one is easy.... HTMLManagerServlet is not used by JBossAS (the code
is there). So I don't think we need to fix it for 4.2.0.GA_CP01."

Fernando Nasser [27/Aug/07 08:50 AM]
Code not used by the AS -- fix only needed for standalone uses.

Jean-Frederic Clere [31/Aug/07 04:21 AM]
Code not used in jbossas.