-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 5.4.1 Security Update
Advisory ID:       RHSA-2021:0495-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0495
Issue date:        2021-02-11
CVE Names:         CVE-2020-1971 CVE-2020-13943 CVE-2020-17527
                   CVE-2021-24122
====================================================================

1. Summary:

Red Hat JBoss Web Server 5.4.1 zip release is now available for Red Hat
Enterprise Linux 7, Red Hat Enterprise Linux 8 and Windows.

Red Hat Product Security has rated this release as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the
Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.4.1 serves as a replacement
for Red Hat JBoss Web Server 5.4.0, and includes bug fixes, enhancements,
and component upgrades, which are documented in the Release Notes,
linked to in the References.

Security Fix(es):

* tomcat: Apache Tomcat HTTP/2 Request mix-up (CVE-2020-13943)

* tomcat: HTTP/2 request header mix-up (CVE-2020-17527)

* tomcat: Information disclosure when using NTFS file system
(CVE-2021-24122)

* openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to the
CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings,
and so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1887648 - CVE-2020-13943 tomcat: Apache Tomcat HTTP/2 Request mix-up
1903409 - CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference
1904221 - CVE-2020-17527 tomcat: HTTP/2 request header mix-up
1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system

5. References:

https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-13943
https://access.redhat.com/security/cve/CVE-2020-17527
https://access.redhat.com/security/cve/CVE-2021-24122
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=5.4
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.4/

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce