RHSA-2015:0675: Important: Red Hat JBoss Data Virtualization 6.1.0 update

Red Hat JBoss Data Virtualization is a lean data integration solution thatprovides easy, real-time, and unified data access across disparate sourcesto multiple applications and users. JBoss Data Virtualization makes dataspread across physically distinct systems—such as multiple databases, XMLfiles, and even Hadoop systems—appear as a set of tables in a localdatabase.The release of Red Hat JBoss Data Virtualization 6.1.0 serves as areplacement for Red Hat JBoss Data Virtualization 6.0.0. It includesvarious bug fixes, which are listed in the README file included with thepatch files.The following security issues are also fixed with this release,descriptions of which can be found on the respective CVE pages linked inthe References section.CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostnameverification bypass, incomplete CVE-2012-5783 fixCVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostnameverification bypass, incomplete CVE-2012-6153 fixCVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP,8017298)CVE-2013-4517 Apache Santuario XML Security for Java: Java XML SignatureDoS AttackCVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping ofuser-supplied content in outputText tags and EL expressionsCVE-2014-0059 JBossSX/PicketBox: World readable audit.log fileCVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encodinginput filterCVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTsCVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious contentlength headerCVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious webapplicationCVE-2014-0193 netty: DoS via memory exhaustion during data aggregationCVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encodinginput filterCVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternalEntity (XXE)CVE-2014-3490 RESTEasy: XXE via parameter entitiesCVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usageCVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semanticsenforcement of SAML SubjectConfirmation methodsCVE-2014-7839 RESTeasy: External entities expanded by DocumentProviderCVE-2014-8122 JBoss Weld: Limited information disclosure via stale threadstateRed Hat would like to thank James Roper of Typesafe for reportingCVE-2014-0193, Alexander Papadakis for reporting CVE-2014-3530, and RuneSteinseth of JProfessionals for reporting CVE-2014-8122. The CVE-2012-6153issue was discovered by Florian Weimer of Red Hat Product Security, theCVE-2014-0075 and CVE-2014-3490 issues were discovered by David Jorm of RedHat Product Security, and the CVE-2014-3481 issue was discovered by the RedHat JBoss Enterprise Application Platform QE team.All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from theRed Hat Customer Portal are advised to apply this roll up patch.