RHSA-2012:1537: Moderate: jasperreports-server-pro security and bug fix update
JasperReports Server is a reporting server.

A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625)

This update also fixes the following bugs:

Adding a user to any ROLE caused an unexpected exception. (BZ#730712)

Previously, the jasperreports-server-pro RPM spec file contained the "%{dist}" tag on the "Release" line. To comply with the packaging and naming guidelines, the tag has been changed to "%{?dist}" with this update. (BZ#868927)

In some cases reports were opened with an incorrect list of Entity/Entities. (BZ#842687)

Note: The jasperreports-server-pro package replaces rhevm-reports-server from Red Hat Enterprise Virtualization Manager 3.0.

Users are advised to upgrade to this updated package, which corrects these issues.
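The advisory's remediation is the package update. As an added, defence-in-depth illustration that is not part of the advisory or of JasperReports Server's own code, the following Java snippet shows how an application that parses untrusted XML with a JAXP/Xerces SAX parser can refuse any document carrying a DOCTYPE declaration at all, so the DTD SYSTEM identifier path described above is never reached. The feature URIs are the standard Xerces and SAX ones; the two sample documents (PLAIN_XML and DTD_XML) and the class and method names are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class DtdHardening {
    // Constructed sample inputs: one plain document, one that declares a DTD
    // via a SYSTEM identifier (placeholder name, no real file is referenced).
    static final String PLAIN_XML =
        "<report><title>Quarterly</title></report>";
    static final String DTD_XML =
        "<!DOCTYPE report SYSTEM \"report.dtd\">"
        + "<report><title>Quarterly</title></report>";

    // Build a parser that rejects DOCTYPE declarations and never fetches
    // external DTDs or entities. A fresh parser is created per document so
    // a failed parse cannot leave state behind for the next one.
    static SAXParser hardenedParser()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Xerces feature: any <!DOCTYPE ...> causes a fatal parse error.
        factory.setFeature(
            "http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case the feature above is ever relaxed:
        // do not resolve external general/parameter entities or load DTDs.
        factory.setFeature(
            "http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature(
            "http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature(
            "http://apache.org/xml/features/nonvalidating/load-external-dtd",
            false);
        factory.setXIncludeAware(false);
        return factory.newSAXParser();
    }

    // Returns true when the document is accepted by the hardened parser,
    // false when it is rejected (which is the expected outcome for DTD_XML).
    static boolean accepts(String xml) {
        try {
            SAXParser parser = hardenedParser();
            InputSource source = new InputSource(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            parser.parse(source, new DefaultHandler());
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain document accepted:   " + accepts(PLAIN_XML));
        System.out.println("DOCTYPE document accepted: " + accepts(DTD_XML));
    }
}
```

Run with a JDK (its bundled Xerces-derived parser honours these feature URIs, as does a standalone Xerces2 jar on the classpath): the plain document is accepted and the one with a DOCTYPE is rejected before any SYSTEM identifier is processed. Disabling DOCTYPE handling is only appropriate where the application does not legitimately need DTDs; where it does, keeping the parser updated, as this advisory does, remains the fix.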
Frequently Asked Questions
What is the severity of RHSA-2012:1537?
The severity of RHSA-2012:1537 is classified as moderate.
How do I fix RHSA-2012:1537?
To fix RHSA-2012:1537, update to the latest version of JasperReports Server, specifically version 4.7.1-2.el6e or later.
What vulnerability does RHSA-2012:1537 address?
RHSA-2012:1537 addresses a flaw in how Apache Xerces2 Java Parser handles SYSTEM identifiers in DTDs.
Can RHSA-2012:1537 be exploited remotely?
Yes, RHSA-2012:1537 can be exploited remotely through specially-crafted XML files.
Which software is affected by RHSA-2012:1537?
RHSA-2012:1537 affects JasperReports Server, particularly the jasperreports-server-pro package.