RedHat: Low: struts security update for Red Hat Application Server

    Date17 Jan 2006
    CategoryRed Hat
    7575
    Posted ByLinuxSecurity Advisories
    Updated Red Hat Application Server components are now available including a security update for Struts. This update has been rated as having low security impact by the Red Hat Security Response Team.

    
    - ---------------------------------------------------------------------
    Red Hat Security Advisory
    
    Synopsis: Low: struts security update for Red Hat Application Server
    Advisory ID: RHSA-2006:0157-01
    Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0157.html
    Issue date: 2006-01-11
    Updated on: 2006-01-11
    Product: Red Hat Application Server
    CVE Names: CVE-2005-3745
    - ---------------------------------------------------------------------
    
    1. Summary:
    
    Updated Red Hat Application Server components are now available including a
    security update for Struts.
    
    This update has been rated as having low security impact by the Red Hat
    Security Response Team.
    
    2. Relevant releases/architectures:
    
    Red Hat Application Server 3AS - noarch
    Red Hat Application Server 3ES - noarch
    Red Hat Application Server 3WS - noarch
    
    3. Problem description:
    
    Red Hat Application Server packages provide a J2EE Application Server and
    Web container as well as the underlying Java stack.
    
    A cross-site scripting flaw was found in the way Struts displays error
    pages. It may be possible for an attacker to construct a specially crafted
    URL which could fool a victim into believing they are viewing a trusted
    site. The Common Vulnerabilities and Exposures project assigned the
    name CVE-2005-3745 to this issue. Please note that this issue does not
    affect Struts running on Tomcat or JOnAS, which is our supported usage of
    Struts.
    
    All users of Red Hat Application Server should upgrade to these updated
    packages, which contain Struts version 1.2.8 which is not vulnerable to
    this issue.
    
    4. Solution:
    
    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.
    
    To update all RPMs for your particular architecture, run:
    
    rpm -Fvh [filenames]
    
    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which are
    not installed but included in the list will not be updated. Note that you
    can also use wildcards (*.rpm) if your current directory *only* contains the
    desired RPMs.
    
    Please note that this update is also available via Red Hat Network. Many
    people find this an easier way to apply updates. To use Red Hat Network,
    launch the Red Hat Update Agent with the following command:
    
    up2date
    
    This will start an interactive process that will result in the appropriate
    RPMs being upgraded on your system.
    
    5. Bug IDs fixed (http://bugzilla.redhat.com/):
    
    173929 - CVE-2005-3745 struts cross site scripting flaw
    
    
    6. RPMs required:
    
    Red Hat Application Server 3AS:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
    46933f732577bc526befdeea7bac8104 jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
    ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.src.rpm
    155997f9d1c9e4bc5aa5925fc4c32c09 struts-1.2.8-1jpp_2rh.src.rpm
    
    noarch:
    ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
    f98c1b067974f6be016c01b0ab6295a0 jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
    32401dec1ab787c56760145a033a4d7c jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.noarch.rpm
    19ff36e45ff2aee9fab9e6aa06a8f46b struts-1.2.8-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
    80b709089a6c65cc926df4d64695777e struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-manual-1.2.8-1jpp_2rh.noarch.rpm
    96e87e5eed99be4173961e8a805004c2 struts-manual-1.2.8-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm
    9f50fcbd73cc59fdb65383bd9f3c28ef struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm
    
    Red Hat Application Server 3ES:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
    46933f732577bc526befdeea7bac8104 jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
    ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.src.rpm
    155997f9d1c9e4bc5aa5925fc4c32c09 struts-1.2.8-1jpp_2rh.src.rpm
    
    noarch:
    ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
    f98c1b067974f6be016c01b0ab6295a0 jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
    32401dec1ab787c56760145a033a4d7c jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.noarch.rpm
    19ff36e45ff2aee9fab9e6aa06a8f46b struts-1.2.8-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
    80b709089a6c65cc926df4d64695777e struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-manual-1.2.8-1jpp_2rh.noarch.rpm
    96e87e5eed99be4173961e8a805004c2 struts-manual-1.2.8-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm
    9f50fcbd73cc59fdb65383bd9f3c28ef struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm
    
    Red Hat Application Server 3WS:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
    46933f732577bc526befdeea7bac8104 jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
    ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.src.rpm
    155997f9d1c9e4bc5aa5925fc4c32c09 struts-1.2.8-1jpp_2rh.src.rpm
    
    noarch:
    ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
    f98c1b067974f6be016c01b0ab6295a0 jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
    32401dec1ab787c56760145a033a4d7c jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.noarch.rpm
    19ff36e45ff2aee9fab9e6aa06a8f46b struts-1.2.8-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
    80b709089a6c65cc926df4d64695777e struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-manual-1.2.8-1jpp_2rh.noarch.rpm
    96e87e5eed99be4173961e8a805004c2 struts-manual-1.2.8-1jpp_2rh.noarch.rpm
    ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm
    9f50fcbd73cc59fdb65383bd9f3c28ef struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm
    
    These packages are GPG signed by Red Hat for security. Our key and
    details on how to verify the signature are available from
    https://www.redhat.com/security/team/key/#package
    
    7. References:
    
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3745
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://www.redhat.com/security/team/contact/
    
    Copyright 2006 Red Hat, Inc. 
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"39","type":"x","order":"1","pct":50.65,"resources":[]},{"id":"88","title":"Should be more technical","votes":"11","type":"x","order":"2","pct":14.29,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"27","type":"x","order":"3","pct":35.06,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.