RHSA-2015:0765: Important: Red Hat JBoss Data Virtualization 6.0.0 security update

Red Hat JBoss Data Virtualization is a lean data integration solution thatprovides easy, real-time, and unified data access across disparate sourcesto multiple applications and users. JBoss Data Virtualization makes dataspread across physically distinct systems-such as multiple databases, XMLfiles, and even Hadoop systems-appear as a set of tables in a localdatabase.This roll up patch serves as a cumulative upgrade for Red Hat JBoss DataVirtualization 6.0.0. It includes various bug fixes, which are listed inthe README file included with the patch files.The following security issues are also fixed with this release,descriptions of which can be found on the respective CVE pages linked inthe References section.CVE-2012-6153 Apache HttpComponents client: SSL hostname verificationbypass, incomplete CVE-2012-5783 fixCVE-2014-3577 Apache HttpComponents client: SSL hostname verificationbypass, incomplete CVE-2012-6153 fixCVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usageCVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP,8017298)CVE-2013-5855 Mojarra JSF: XSS due to insufficient escaping ofuser-supplied content in outputText tags and EL expressionsCVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encodinginput filterCVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious contentlength headerCVE-2014-3481 JBoss AS JAX-RS: Information disclosure via XML eXternalEntity (XXE)CVE-2014-3490 RESTEasy: XXE via parameter entitiesCVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTsCVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious webapplicationCVE-2014-0193 netty: DoS via memory exhaustion during data aggregationCVE-2014-0227 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter Red Hat would like to thank James Roper of Typesafe for reportingCVE-2014-0193, and Alexander Papadakis for reporting CVE-2014-3530.The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat ProductSecurity, the CVE-2014-0075 and CVE-2014-3490 issues were discovered byDavid Jorm of Red Hat Product Security, and the CVE-2014-3481 issue wasdiscovered by the Red Hat JBoss Enterprise Application Platform QE team.All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from theRed Hat Customer Portal are advised to apply this roll up patch.