-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 5.5.1 Security Update Advisory ID: RHSA-2021:3741-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2021:3741 Issue date: 2021-10-06 CVE Names: CVE-2021-41079 ===================================================================== 1. Summary: Updated Red Hat JBoss Web Server 5.5.1 packages are now available for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Server 5.5 for RHEL 7 Server - noarch Red Hat JBoss Web Server 5.5 for RHEL 8 - noarch 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.5.1 serves as a replacement for Red Hat JBoss Web Server 5.5.0, and includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Security Fix(es): * tomcat: Apache Tomcat DoS with unexpected TLS packet (CVE-2021-41079) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine 6. Package List: Red Hat JBoss Web Server 5.5 for RHEL 7 Server: Source: jws5-tomcat-9.0.43-13.redhat_00013.1.el7jws.src.rpm noarch: jws5-tomcat-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-admin-webapps-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-docs-webapp-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-el-3.0-api-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-java-jdk11-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-java-jdk8-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-javadoc-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-jsp-2.3-api-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-lib-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-selinux-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-servlet-4.0-api-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm jws5-tomcat-webapps-9.0.43-13.redhat_00013.1.el7jws.noarch.rpm Red Hat JBoss Web Server 5.5 for RHEL 8: Source: jws5-tomcat-9.0.43-13.redhat_00013.1.el8jws.src.rpm noarch: jws5-tomcat-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm jws5-tomcat-admin-webapps-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm jws5-tomcat-docs-webapp-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm jws5-tomcat-el-3.0-api-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm jws5-tomcat-javadoc-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm jws5-tomcat-jsp-2.3-api-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm jws5-tomcat-lib-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm jws5-tomcat-selinux-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm jws5-tomcat-servlet-4.0-api-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm jws5-tomcat-webapps-9.0.43-13.redhat_00013.1.el8jws.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-41079 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYV2mk9zjgjWX9erEAQjiwhAAlwhT6Uj2+cJKhzP0cNShX1eur+vNGcYY rOMuLVKESo6mrosooxwUVdt1kwp1ENNeiJ5HHQ3rm2BErLf+C0p0HYfkGNJTpryJ SVk7pop9CrfkJvdy2sE6tQRho80qHDD8DbnJOF3xBkfX6VyG78ZgNk+LAJ7f1sGs QpY9PD3icWyNsFW+Uury9FXFJlC8dF6LMWxdq14J6PNLnWpcFe7U7XWUlCIlcrWV ivDXAm0MRBJsCiW3F/v40bT+XvG55MArBO/bgdFQssJ0SV2vw5wh3r3bdnO/r9Zy 7HVGB0RAnO4v+jDDOPvcdSsOGhFY/Cb+kp8RIqzhmUAA6QWJxUS8azDeyrOgdvI8 oeojGxaJabknmaQkZ7wK2zCZm5UiNgomG9ns297mGprNto9KiuBH+TPYpN5ua/Q3 n3+JMipUSsV6JG4tgy23uCw05gB+AosErDShCO8A0dqROSg42e1xl6Hx9HszLpPj MW9mwTrA4wFEyXprGrvVXqi11EWyDZtW44qZYcKP3O8wzG6ry1N4tprxCxnEpTpV x9mrVDITWHpaWFi1gzCsei1U2hPaG3bykcR8ANN/HfKVjSFzvOGBnF92Q9A6n0+M b9vj8udNsJNbpx7L5j+4GoHPjyTvQys3jzdHE+LTbOlMKhg/lTRO/fdNp4Bmhb6k nmCYvuYAIuQ= =y43W -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce