RHSA-2014:1321: Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update

Red Hat JBoss Enterprise Application Platform is a platform for Javaapplications, which integrates the JBoss Application Server with JBossHibernate and JBoss Seam.It was found that the fix for CVE-2012-5783 was incomplete: the code addedto check that the server host name matches the domain name in a subject'sCommon Name (CN) field in X.509 certificates was flawed.A man-in-the-middle attacker could use this flaw to spoof an SSL serverusing a specially crafted X.509 certificate. (CVE-2012-6153)It was discovered that the HttpClient incorrectly extracted host name froman X.509 certificate subject's Common Name (CN) field. A man-in-the-middleattacker could use this flaw to spoof an SSL server using a speciallycrafted X.509 certificate. (CVE-2014-3577)The CVE-2012-6153 issue was discovered by Florian Weimer of Red HatProduct Security.For additional information on these flaws, refer to the Knowledgebasearticle in the References section.All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red HatEnterprise Linux 4, 5, and 6 are advised to upgrade to these updatedpackages. The JBoss server process must be restarted for the update to takeeffect.