Red Hat Security Advisory 2011-1291-01 - jsvc is a service wrapper that allows Java applications to be run as daemons. It was found that jsvc did not correctly drop capabilities after starting an application. If an administrator used jsvc to run an application, and also used the "-user" option to specify a user for it to run as, the application correctly ran as that user but did not drop its increased capabilities, allowing it access to all files and directories accessible to the root user. Note: This flaw only affected users running JBoss Enterprise Web Server 1.0.2 from jboss-ews-1.0.2-RHEL4-[arch].zip as provided from the Red Hat Customer Portal, as versions for other products are not built with capabilities support.
3835f15da8cfe9f8fd71959ff2c34e727472f267207caed51712bcc12c758f68