-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0523
       Red Hat JBoss Web Server 3.1 Service Pack 11 security update
                             12 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Web Server 3.1 Service Pack 11
Publisher:         Red Hat
Operating System:  Red Hat
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1971  

Reference:         ESB-2021.0319
                   ESB-2021.0160
                   ESB-2021.0103
                   ESB-2020.4516

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0489
   https://access.redhat.com/errata/RHSA-2021:0491

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat JBoss Web Server 3.1 Service Pack 11 security update
Advisory ID:       RHSA-2021:0489-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0489
Issue date:        2021-02-11
CVE Names:         CVE-2020-1971 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.1 for RHEL 7 - x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 11 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1903409 - CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference

6. JIRA issues fixed (https://issues.jboss.org/):

JWS-1938 - Update to the latest JBCS version - Drop RHEL6

7. Package List:

Red Hat JBoss Web Server 3.1 for RHEL 7:

Source:
tomcat-native-1.2.23-23.redhat_23.ep7.el7.src.rpm

x86_64:
tomcat-native-1.2.23-23.redhat_23.ep7.el7.x86_64.rpm
tomcat-native-debuginfo-1.2.23-23.redhat_23.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/updates/classification/#low

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYCUzSdzjgjWX9erEAQhezg//aTexLHlDGTrqV+pOKk3IAlauE8Pd7+DJ
hxifoGNalrgXYhY/8bWREEa/o4MO8QeJdvPSwtG/MJ9WETeGYRoofp3cMIP0J+nt
7MxOMm9ZyOuAgM9COERsOykyddEMF1b3Xl5rjuDICrSiPMjp5AExbHmOdMH5l44c
RcRExhmlL6i+/aLSNDfO5QjGae6oXZnDKaMVavbhv2gllHDQ4lewIP+omgiiV72c
bjALMk6QulenYJ69ClqONDBKJbnu1/zfj2V3OOkQG5VbvlhzxQ6JYmXixDNNEC3p
U/KhdhaD0E2MGz92SCRvj6AvO3UdTRIkb2heby896J41YcnypGSrmDurjcUDJ3u2
NpWF+p5BEEFiHkzRuP5e8PgTNjxy7Ye7WtR1KhCLFK/OcI4R8Hs5qu0ufQHqcHGF
cJNaOmKObdZ6vhees45s9mv6K6EJi6G5oY+82VzUPm1HOxjLU+gkxEws8uJTpKc4
goRzO7rCdsgFXXFcniLYJKn70jj0ngGG/3X4YgxlJHrJiEMRuuiQvRCbqRwkcYA7
ViCJ/pPqh0KxqtkFTGNtIHJUvEelSNcizlWu+gmE3BclLihD5x+8R9g3Zfo0xW7f
B0hy/QhSoc+UXwBYJ03TvCvy2Z3CA14g3Q28x6v42tY+QUzwzGwwot0NWHcWCbxQ
8WOFuknf+mY=
=It3J
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat JBoss Web Server 3.1 Service Pack 11 security update
Advisory ID:       RHSA-2021:0491-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0491
Issue date:        2021-02-11
CVE Names:         CVE-2020-1971 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 7 and
Windows.

Red Hat Product Security has rated this release as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 11 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1903409 - CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference

5. References:

https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/updates/classification/#low

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYCUz/tzjgjWX9erEAQilCA//fsO0xWz8j3IU6h73LvoRGSPAqS33oqEG
xlh7OipJa8jf5epkjMxgsAoDXIUDownkxBbEhG4B5fJIx9YR+VgPZEQghV6O3Su/
PA+zd7RWFXmu+g2NXG5G74ts2F6HrTgCvmmyjpZ9SJoghtS86rdz3hXHsSMHXHuC
rErHYR1/B6jr0HB4rH4tZTNe+7rbtHibzW6vAYFJO/gGd5qCRioz8omtHvCDctFN
XCFeRxmfMweUQMNXUCxDoUj2RJvUe5JtwOuEWuDGJirSPLzuD7XRRWZFwroK1MnZ
iaxhEGxFYFvIvViuOBKREd0/Si7oXLZ1Dv6wxyFYwBSjBKjZu6rMU7Pfodij8e7x
w1qcMwgH7QzS2GEGLsCm/5+Mixg5Hm4eYWc8bfsYYy0f7aqTLqHC9gqxBUENyes5
ij7QZavND9jnaoJPTHV+pWeKWFkZ5mZLJfr0SqiaDP7eteesWkXquPyGzUU+UI9c
2incjfXl428NsDqOubfvk+vjXKcf6HvgyPAF3GMvtbFtp4rbNm0AQ2yc7XiYFeWH
3BRWt5XoNM8WJktRLMOA//H11dZj8pPY8KfWNNUYjD9knZBZheZt3K8RIBGsh5mM
P6s1FGucdksQYe/9rY95ZhPZg5W75Ra9Iq8HDEGFK0VGrDK+gf85Je+YV6qlAZE1
HLTXbXpU7AI=
=np8I
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYCXvdeNLKJtyKPYoAQgjFA/9FMRHrtCRWQCl2silEQOFctKPLLkCOkBC
G/xnHjHiq7PiuBi0y0sAfSnTrUhpQ2qQGXOAaaEsb03VIx5FSPOO/gV1dcxl2eww
X7PcVrLmADxfi9+h0H5NMkQncNIcpOe6oYnjgzXO0moXEC8JnMcie6dil5BUf1af
YAfKK70F0iyoHemLcpmz2/S/umX5RY6k7xF+Uy1mzK/3fejGPXcfXKHMQiTBhp/f
/B410Ws04y+n2FBCwsqVWZBBtfmvOha23v40I1OZmDpVmAvfG+YRGWHkyk7KrlaZ
q975XQQHY7XP6xAoxuUXYJug+HDI9wbGmUPrj1bIWMkaf77RTq/fJLf1tiyvCSSu
wRKw60N53UiGKkpiL6Nx9jXdtUF54WBouGbJtbIKKum5Me/j7P+pinkMgSjWVkoD
SU6xkgLoBYD73QwozoI3THMt42x3kcoVnnTNrncC+JZwjsR1tUCv4Q8G5eYjwmBC
10rnDkXW9rK5VZYj13JFt+yK+piz3gLOC8uGeG6Ns+1C0sneWLky1YtbkzcJeZid
dzCIhbzQamOe3FFIXNSy70rndVyDFNQRCKqMag+5rn3hGl8Q73uWhvikwp+PzbqG
xTI8bjIKTrA257CHFUnXIhzg1Hiby9+JLHl+yZPTdf8gSZ2WCKMAhdyRD7KrRIx0
Ccx53CV49E8=
=BAK0
-----END PGP SIGNATURE-----