Bug 1233640

Summary: CVE-2015-2156 Netty Cookie parsing logic was patched upstream
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Jason Shepherd <jshepherd>
Component: HornetQ
Assignee: jboss-set
Status: CLOSED DUPLICATE
QA Contact: Miroslav Novak <mnovak>
Severity: unspecified
Priority: unspecified
Version: 6.4.1
CC: csuconic, msvehla
Doc Type: Bug Fix
Last Closed: 2015-06-22 00:07:54 UTC
Type: Bug
Bug Blocks: 1222923    

Description Jason Shepherd 2015-06-19 10:43:52 UTC
Description of problem:

Netty was patched upstream so that cookies are correctly parsed. This vulnerability could lead to XSS if using Netty as an HTTP server, which is not the intended use in EAP.

See CVE-2015-2156 for more details.


Version-Release number of selected component (if applicable):

5.2.x, and 6.x

Comment 1 Jason Shepherd 2015-06-22 00:07:54 UTC

*** This bug has been marked as a duplicate of bug 1234173 ***