+++ This bug was initially created as a clone of Bug #1140859 +++

Description of problem:

CVE-2014-3595

An attacker could hit Spacewalk with a malformed URL to make Tomcat log malicious HTML. Then, if a Spacewalk admin looked at the Tomcat logs in the webui through Admin -> Show Tomcat Logs, the malicious HTML could cause an arbitrary script to run.

--- Additional comment from Stephen Herr on 2014-09-11 17:22:55 EDT ---

Committing to Spacewalk master: 64e887448ef01e956256a03cc71b71e0f086a1c5
Cherry-picking to Spacewalk master: 9707946c4ac17a1c1124e682f157fc2f69959f82
Cherry-picking to Spacewalk 2.1: 26c6d7831184f412ff3c28f223196eaacbf6c941
Updated spacewalk-java packages that fix this vulnerability have been released to the Spacewalk 2.1 repo.