Author: smumford
Date: 2010-04-23 02:56:46 -0400 (Fri, 23 Apr 2010)
New Revision: 13929
Modified:
docs/enterprise/tags/Enterprise_Portal_Platform_4_3_GA_CP04/Release_Notes/en-US/Release_Notes.xml
Log:
Added New Issues Resolved text from darrin mison
Modified:
docs/enterprise/tags/Enterprise_Portal_Platform_4_3_GA_CP04/Release_Notes/en-US/Release_Notes.xml
===================================================================
---
docs/enterprise/tags/Enterprise_Portal_Platform_4_3_GA_CP04/Release_Notes/en-US/Release_Notes.xml 2010-04-23
06:24:44 UTC (rev 13928)
+++
docs/enterprise/tags/Enterprise_Portal_Platform_4_3_GA_CP04/Release_Notes/en-US/Release_Notes.xml 2010-04-23
06:56:46 UTC (rev 13929)
@@ -83,39 +83,53 @@
</note>
</section>
- <section id="sect-Release_Notes-Issues_fixed_in_this_release">
- <title> Issues fixed in this release </title>
- <warning>
- <para>
- A security issue in the JMX Console configuration has been identified that allows an
attacker to bypass
- security authentication.
- </para>
- </warning>
- <para>
- The JMX Console configuration only specified an authentication requirement for
requests that used the GET and
- POST HTTP "verbs". An attacker could create a HTTP request that did not
specify GET or POST and it would be
- executed by the default GET handler without authentication. This release contains a JMX
Console with an updated
- configuration that no longer specifies the HTTP verbs. This means that the
authentication requirement is
- applied to all requests.
- </para>
- <para>
- For additional information on this vulnerability refer to:
- <ulink type="http"
url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738&quo...
-
- </para>
- <para>
- All users are advised to upgrade to this release to resolve this issue. If an upgrade
is not possible then the fix can
- be applied by editing the affected configuration files and removing the specified lines.
- </para>
- <para>
- If a new server profile has been created by copying an existing profile then the changes
should be applied
- to that profile as though it was the original. Contact Red Hat JBoss Support for
advice.
- </para>
+<section id = "issues_resolved_in_CP04">
+ <title>Issues resolved in the 4.3 CP04 release</title>
+
+ <para>
+ The following issue was resolved for the 4.3 CP03 release of the &PRODUCT;:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><ulink
url="https://jira.jboss.org/jira/browse/JBPAPP-3952" /></term>
+ <listitem>
<para>
- The lines of configuration to remove are:
- <programlisting><http-method>GET</http-method>
-<http-method>POST</http-method></programlisting>
+ A security issue in the JMX Console configuration has been identified
that allows an
+ attacker to bypass security authentication.
</para>
+ <para>
+ The JMX Console configuration only specified an authentication
requirement for requests
+ that used the GET and POST HTTP "verbs". An attacker could
create a HTTP request that did
+ not specify GET or POST and it would be executed by the default GET
handler without
+ authentication. This release contains a JMX Console with an updated
configuration that no
+ longer specifies the HTTP verbs. This means that the authentication
requirement is applied
+ to all requests.
+ </para>
+ <para>
+ For additional information on this vulnerability refer to:
+ <ulink
url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738&quo...
+ </para>
+ <para>
+ All users are advised to upgrade to this release to resolve this issue.
+ </para>
+ <para>
+ If an immediate upgrade is not possible or the server deployment has been
customized then
+ the fix can be applied by removing the following lines from the
deployment descriptor
+ (<filename>WEB-INF/web.xml</filename>) of the JMX Console
WAR. Contact Red Hat JBoss
+ Support for advice before making these changes.
+ </para>
+ <para>
+ The lines of configuration to remove are:
+ </para>
+
+ <programlisting
language="XML"><http-method>GET</http-method>
+ <http-method>POST</http-method></programlisting>
+
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
<formalpara>
<title>EPP Platform with EAP Embedded</title>
<para>
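Review bot: The intro paragraph under the new section title contradicts it: the title reads "Issues resolved in the 4.3 CP04 release" but the `<para>` that follows says "The following issue was resolved for the 4.3 CP03 release of the &PRODUCT;:", so one of the two release labels is wrong and, given the section id `issues_resolved_in_CP04` and the tag path, "CP03" should presumably read "CP04". Two smaller points in the same hunk: `<section id = "issues_resolved_in_CP04">` puts spaces around `=`, unlike every other attribute in the file and unlike the `sect-Release_Notes-...` naming used by the section being removed, so consider `<section id="sect-Release_Notes-Issues_resolved_in_CP04">` for consistency; and the removed text's guidance that a server profile created by copying an existing profile must also have the `GET`/`POST` `<http-method>` lines removed has been dropped, while the replacement only says "or the server deployment has been customized", which is less explicit about copied profiles still carrying the vulnerable `web.xml`. Reinstating that sentence keeps readers of the CP04 notes from patching only the stock profile.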