Description of problem: CVE-2014-3595. An attacker could hit Spacewalk with a malformed URL to make Tomcat log malicious HTML. Then, if a Spacewalk admin looked at the Tomcat logs in the web UI through Admin -> Show Tomcat Logs, the malicious HTML could cause an arbitrary script to run.
Committing to Spacewalk master: 64e887448ef01e956256a03cc71b71e0f086a1c5
Cherry-picking to Spacewalk master: 9707946c4ac17a1c1124e682f157fc2f69959f82
The second commit in comment 1 should read "Cherry-picking to Spacewalk 2.2".
Updated spacewalk-java packages that fix this vulnerability are now available in Spacewalk 2.2.