Bug 824075 - Xerces instance vulnerable to CVE-2009-2625
Status: CLOSED CURRENTRELEASE
Product: RHQ Project
Classification: Other
Component: Core Server
Version: 4.4
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: medium
Target Release: RHQ 4.5.0
Assigned To: RHQ Project Maintainer
QA Contact: Mike Foley
Depends On: 820053 820629
Blocks: jon310-sprint11/rhq44-sprint11
Reported: 2012-05-22 13:05 EDT by Charles Crouch
Modified: 2015-02-01 18:28 EST
Doc Type: Bug Fix
Clone Of: 820629
Last Closed: 2013-09-01 05:58:55 EDT
Type: Bug


Description Charles Crouch 2012-05-22 13:05:25 EDT
+++ This bug was initially created as a clone of Bug #820629 +++

+++ This bug was initially created as a clone of Bug #820053 +++

Description of problem:

JON 3.0.1 is shipping an instance of Xerces that is vulnerable to
CVE-2009-2625:

jon-server-3.0.1.GA/jbossas/lib/endorsed/xercesImpl.jar

This should be upgraded to either xerces >= 2.10 or a version of 2.9.1 with a
backported patch, as seems to be in other products. Upgrading to >= 2.10 is
preferred.
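
An added example, not part of the original report or of RHQ's code: a small audit that finds every `xercesImpl*.jar` under an install tree and compares its manifest version with the 2.10 threshold named above. The function names, the reliance on an `Implementation-Version` manifest attribute, and the sample jars are assumptions made for illustration; a result below 2.10 is reported as "review" rather than vulnerable, because a 2.9.1 build carrying the backported patch cannot be told apart by version alone.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_FROM = (2, 10)  # the report's preferred remedy: xerces >= 2.10

def xerces_version(jar):
    """Implementation-Version from the jar manifest as an int tuple, else None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, OSError, zipfile.BadZipFile):
        return None
    # Assumption: the version is an Implementation-Version attribute in any section.
    m = re.search(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", manifest, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    if version is None:
        return "unknown"       # no readable manifest version: inspect by hand
    if version >= FIXED_FROM:  # tuple compare, so 2.10 sorts after 2.9.1
        return "ok"
    return "review"            # may still be a 2.9.1 build with the backport

def audit(root):
    """Map each xercesImpl*.jar under root to (version, verdict)."""
    found = {p: xerces_version(p) for p in sorted(Path(root).rglob("xercesImpl*.jar"))}
    return {p.relative_to(root).as_posix(): (v, classify(v)) for p, v in found.items()}

def make_sample_tree(root):
    """Constructed sample data: three fake jars that contain only a manifest."""
    samples = {"jbossas/lib/endorsed/xercesImpl.jar": "2.9.1",
               "new/xercesImpl.jar": "2.10.0", "odd/xercesImpl.jar": None}
    for rel, ver in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True)
        body = "Manifest-Version: 1.0\r\n"
        if ver:
            body += ("\r\nName: org/apache/xerces/impl/Version.class\r\n"
                     f"Implementation-Version: {ver}\r\n")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for name, (ver, verdict) in audit(tmp).items():
            print(f"{verdict:8} {ver} {name}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank "2.9.1" above "2.10".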
Comment 1 Charles Crouch 2012-05-22 13:07:42 EDT
From Mazz
git commit to master: f25fa99

Setting Target Release field correctly
Comment 2 Heiko W. Rupp 2013-09-01 05:58:55 EDT
Bulk closing of items that are on_qa and in old RHQ releases, which have been out for a long time and where the issue has not been re-opened since.
