From portal-commits at lists.jboss.org Fri Apr 23 02:56:46 2010 Content-Type: multipart/mixed; boundary="===============4177285517050652437==" MIME-Version: 1.0 From: portal-commits at lists.jboss.org To: portal-commits at lists.jboss.org Subject: [portal-commits] JBoss Portal SVN: r13929 - docs/enterprise/tags/Enterprise_Portal_Platform_4_3_GA_CP04/Release_Notes/en-US. Date: Fri, 23 Apr 2010 02:56:46 -0400 Message-ID: <201004230656.o3N6uknj010218@svn01.web.mwc.hst.phx2.redhat.com> --===============4177285517050652437== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: smumford Date: 2010-04-23 02:56:46 -0400 (Fri, 23 Apr 2010) New Revision: 13929 Modified: docs/enterprise/tags/Enterprise_Portal_Platform_4_3_GA_CP04/Release_Note= s/en-US/Release_Notes.xml Log: Added New Issues Resolved text from darrin mison Modified: docs/enterprise/tags/Enterprise_Portal_Platform_4_3_GA_CP04/Relea= se_Notes/en-US/Release_Notes.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- docs/enterprise/tags/Enterprise_Portal_Platform_4_3_GA_CP04/Release_Not= es/en-US/Release_Notes.xml 2010-04-23 06:24:44 UTC (rev 13928) +++ docs/enterprise/tags/Enterprise_Portal_Platform_4_3_GA_CP04/Release_Not= es/en-US/Release_Notes.xml 2010-04-23 06:56:46 UTC (rev 13929) @@ -83,39 +83,53 @@ = -
- Issues fixed in this release - - - A security issue in the JMX Console configuration has been identified t= hat allows an attacker to bypass - security authentication. - - - - The JMX Console configuration only specified an authentication requirem= ent for requests that used the GET and = - POST HTTP "verbs". An attacker could create a HTTP request that did not s= pecify GET or POST and it would be = - executed by the default GET handler without authentication. This release = contains a JMX Console with an updated - configuration that no longer specifies the HTTP verbs. This means that th= e authentication requirement is - applied to all requests. - - - For additional information on this vulnerability refer to: = - CVE-2010-0738 - = - - - All users are advised to upgrade to this release to resolve this issue. = If an upgrade is not possible then the fix can = - be applied by editing the affected configuration files and removing the s= pecified lines. = - - - If a new server profile has been created by copying an existing profile t= hen the changes should be applied = - to that profile as though it was the original. Contact Red Hat JBoss Sup= port for advice. - +
+ Issues resolved in the 4.3 CP04 release + = + + The following issue was resolved for the 4.3 CP03 release of the &PROD= UCT;: + + = + + + + - The lines of configuration to remove are: - <http-method>GET</http-method> -<http-method>POST</http-method> + A security issue in the JMX Console configuration has been= identified that allows an + attacker to bypass security authentication. + + The JMX Console configuration only specified an authentica= tion requirement for requests + that used the GET and POST HTTP "verbs". An attacker could= create a HTTP request that did + not specify GET or POST and it would be executed by the de= fault GET handler without + authentication. This release contains a JMX Console with a= n updated configuration that no + longer specifies the HTTP verbs. This means that the authe= ntication requirement is applied + to all requests. + + + For additional information on this vulnerability refer to: = + + + + All users are advised to upgrade to this release to resolv= e this issue. = + + + If an immediate upgrade is not possible or the server depl= oyment has been customized then + the fix can be applied by removing the following lines fro= m the deployment descriptor + (WEB-INF/web.xml) of the JMX Console = WAR. Contact Red Hat JBoss + Support for advice before making these changes. + + + The lines of configuration to remove are: + + = + <http-method>GET<= ;/http-method> + <http-method>POST</http-method> + = + + + = + EPP Platform with EAP Embedded --===============4177285517050652437==--
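Review bot: the new section title reads "Issues resolved in the 4.3 CP04 release" while the introductory sentence directly below it reads "The following issue was resolved for the 4.3 CP03 release of the &PRODUCT;:"; one of the two version labels is wrong, and since the file lives under the Enterprise_Portal_Platform_4_3_GA_CP04 tag the sentence should say CP04. A second point in the same hunk: the removed text carried the identifier CVE-2010-0738 after "For additional information on this vulnerability refer to:", but in the replacement text nothing readable follows that colon, so the CVE number only survives if the link element placed there renders it as visible text; please keep the identifier in the body (e.g. "refer to: CVE-2010-0738") so it is preserved in plain-text and printed builds of the release notes, not only in the link target.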