Bug 824075

Summary: Xerces instance vulnerable to CVE-2009-2625
Product: [Other] RHQ Project
Component: Core Server
Reporter: Charles Crouch <ccrouch>
Assignee: RHQ Project Maintainer <rhq-maint>
QA Contact: Mike Foley <mfoley>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: unspecified
Version: 4.4
Target Release: RHQ 4.5.0
CC: djorm, hbrock, hrupp, mazz
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Clone Of: 820629
Bug Depends On: 820053, 820629
Bug Blocks: 782579
Last Closed: 2013-09-01 09:58:55 UTC

Description Charles Crouch 2012-05-22 17:05:25 UTC
+++ This bug was initially created as a clone of Bug #820629 +++

+++ This bug was initially created as a clone of Bug #820053 +++

Description of problem:

JON 3.0.1 is shipping an instance of Xerces that is vulnerable to
CVE-2009-2625:

jon-server-3.0.1.GA/jbossas/lib/endorsed/xercesImpl.jar

This should be upgraded to either xerces >= 2.10 or a version of 2.9.1 with a
backported patch, as seems to be in other products. Upgrading to >= 2.10 is
preferred.
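
As an added example (not part of this bug report or the RHQ project's code), a check that reads Implementation-Version from a xercesImpl.jar manifest and classifies it against the ">= 2.10" threshold given above. It assumes the Xerces jar sets that manifest header; the sample jars it builds are constructed, not real Xerces builds. A 2.9.1 jar carrying a backported patch cannot be told apart from an unpatched one by version alone, so it is flagged for manual verification rather than declared fixed.

```python
"""Classify a xercesImpl.jar by manifest version against the CVE-2009-2625 fix line."""
import io
import re
import zipfile

FIXED_VERSION = (2, 10, 0)  # first release line the bug names as fixed


def parse_version(text):
    """Turn '2.9.1' or '2.10' into a comparable tuple, padded to three parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def manifest_version(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF (assumes the Xerces build sets it)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None


def assess(jar_bytes):
    """'fixed' (>= 2.10), 'verify-backport' (2.9.1, may carry a distro patch), 'vulnerable', or 'unknown'."""
    version = manifest_version(jar_bytes)
    if version is None:
        return "unknown"  # no header: inspect the jar by other means, do not assume it is safe
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return "fixed"
    if v == (2, 9, 1):
        return "verify-backport"  # version alone cannot prove the backported patch is present
    return "vulnerable"


def assess_file(path):
    """Convenience wrapper for an on-disk jar such as jbossas/lib/endorsed/xercesImpl.jar."""
    with open(path, "rb") as f:
        return assess(f.read())


def make_jar(impl_version):
    """Constructed sample: a minimal jar whose manifest carries the given version (not a real Xerces build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n\r\n" % impl_version)
    return buf.getvalue()
```

Run `assess_file()` over each xercesImpl.jar in a deployment; only "fixed" results need no follow-up.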

Comment 1 Charles Crouch 2012-05-22 17:07:42 UTC
From Mazz
git commit to master: f25fa99

Setting Target Release field correctly

Comment 2 Heiko W. Rupp 2013-09-01 09:58:55 UTC
Bulk closing of items that are on_qa and in old RHQ releases, which are out for a long time and where the issue has not been re-opened since.