On 01/01/2013 01:05 AM, Ricardo Arguello wrote:
Hi,

I was reviewing this jboss-as bug:


CVE-2012-3428 JBoss: Datasource connection manager returns valid connection for wrong credentials when using security-domains:

https://bugzilla.redhat.com/show_bug.cgi?id=888625


And it looks like it doesn't affect the jboss-as package in Fedora 17, since the ironjacamar version included is 1.0.9. I also checked the source code to confirm that ironjacamar-1.0.9 doesn't support "allow-multiple-users".

I'm going to close the bug as NOTABUG, unless somebody thinks otherwise.

Thanks,

-- 
Ricardo Arguello



_______________________________________________
jboss-rpm mailing list
jboss-rpm@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-rpm

Hi Ricardo,

Since I filed the tracking bug for Fedora 17 for this flaw, I investigated this and found that you are indeed correct. AS 7.1.1 does not support allow-multiple-users:

https://issues.jboss.org/browse/AS7-5324

Therefore it is not affected by this flaw. I have closed BZ#888625 accordingly.

Thanks
--
David Jorm / Red Hat Security Response Team