Uploaded image for project: 'Red Hat CodeReady Studio (devstudio)'
  1. Red Hat CodeReady Studio (devstudio)
  2. JBDS-3570

Include eap-6.4-CVE-2015-7501 into JBDS installer

    XMLWordPrintable

Details

    • Task
    • Resolution: Done
    • Critical
    • 9.1.0.Beta1, 10.0.0.Alpha1
    • 9.1.0.Beta1, 10.0.0.Alpha1
    • build
    • None
    • Release Notes
    • NEW

    Description

      During the whole thing about JBDS-3560, JBDS-3561 and JBDS-3562, Nick changed JBDS 9.1.0 to use the internal build of EAP 6.4.5 in the build process:
      4.3.x branch:
      https://github.com/jbdevstudio/jbdevstudio-product/commit/c8aea70202616dfd168e317510fc861bdc02ec82

      And in master:
      https://github.com/jbdevstudio/jbdevstudio-product/commit/6792edbfefcf54d4329519d21f8c29566d720b6e

      I understand that some of the above mentioned JIRAs are not resolved yet, but I wanted to be sure to track this - we need to make sure not to bundle this build of EAP, because it's an internal build not supposed to be public. (Yes, the original assumption was that perhaps this time there would be an exception, but it turned out not to be the case.)

      For JBDS 9.1.0.Beta1 I suggest we include the same patched EAP as discussed in JBDS-3562 . But it's kind of tricky how to make it obvious to users - I'm not sure if we want to include the CVE in the filename again.

      But in any case, we can never include EAP 6.4.5 full build.

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBDS-3560 Arbitrary remote code execution with InvokerTransformer (COLLECTIONS-580)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. JBDS-3562 Prepare for 9.0.1 (9.0.0 with patched EAP 6.4.0 BZ1281963 / CVE-2015-7501)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              nickboldt Nick Boldt
              exd-mmalina Martin Malina
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: