On 01/01/2013 01:05 AM, Ricardo Arguello wrote:
Hi,

I was reviewing this jboss-as bug:

CVE-2012-3428 JBoss: Datasource connection manager returns valid
connection for wrong credentials when using security-domains:
https://bugzilla.redhat.com/show_bug.cgi?id=888625

And it looks like it doesn't affect the jboss-as package in Fedora 17,
since the ironjacamar version included is 1.0.9. I also checked the
source code to confirm that ironjacamar-1.0.9 doesn't support
"allow-multiple-users".

I'm going to close the bug as NOTABUG, unless somebody thinks otherwise.

Thanks,
--
Ricardo Arguello
_______________________________________________
jboss-rpm mailing list
jboss-rpm(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-rpm

Hi Ricardo

Since I filed the tracking bug for Fedora 17 for this flaw, I
investigated this and found that you are indeed correct. AS 7.1.1 does
not support allow-multiple-users:

https://issues.jboss.org/browse/AS7-5324

Therefore it is not affected by this flaw. I have closed BZ#888625
accordingly.

Thanks
--
David Jorm / Red Hat Security Response Team