[JBDS-3571] Documentation for JBDS 9.0.0.GA EAP 6.4.0 CVE-2015-7501

          Nick Boldt added a comment -

          Closing: nothing to see here, please move along.


          Martin Malina added a comment -

          This is the conclusion:
          CSP - includes details including links to BZ/CVE - good enough
          http://tools.jboss.org/downloads/devstudio/mars/9.0.0.GA.html includes link to http://tools.jboss.org/blog/ga-cve-for-mars.html
          http://www.jboss.org/products/devstudio/download/ @Nick will add a "Release Notes" item which links to the blog part of DEVELOPER-1435

          This was agreed upon on today's PM call. So there is nothing more to be done in this JIRA. Resolved.

          Len DiMaggio added a comment -

          Can we add the information here: https://access.stage.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=25611&product=jbossdeveloperstudio&version=9.0.0&downloadType=distributions
          Or - must it be in a separate document/KBase article?

          Len DiMaggio added a comment -

          It's probably also worth informing the users/readers that they can verify that they have the correct EAP installed by reviewing the installed patches - as reported by the EAP admin console:

          Martin Malina added a comment -

          Nick and Alexey and I agreed that we will simply remove the original jbds+eap installer jar (jboss-devstudio-9.0.0.GA-installer-eap.jar) and add the new jar instead (jboss-devstudio-9.0.0.GA-CVE-2015-7501-installer-eap.jar).

          There are several places where you can get the installer:
          http://tools.jboss.org/downloads/devstudio/mars/9.0.0.GA.html
          http://www.jboss.org/products/devstudio/download/
          https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbossdeveloperstudio&downloadType=distributions

          It would be good if each of the places included a link to the document with explanation.

          There are a couple of existing docs about the CVE (none of them mentions JBDS):
          https://access.redhat.com/articles/2051353 - internal article
          https://access.redhat.com/security/cve/CVE-2015-7501 - list of erratas for each product
          https://access.redhat.com/solutions/2045023 - list of affected products

          Martin Malina added a comment -

          ldimaggi@redhat.com, "Apply the EAP patch to their already installed EAP" - currently the patch is not available anywhere, so I don't think that's possible - see http://www.jboss.org/products/eap/download/ - they just silently replaced the zip with the patched one. But the separate patch is not there.

          Martin Malina added a comment -

          nivologd@gmail.com, 9.1.0 currently includes internal full build of EAP 6.4.5 which is wrong. I created a JIRA for it here: JBDS-3570. I think it's not clear yet what 9.1.0.Beta1 installer will include, but it should probably be the same patched EAP 6.4.0.

          Denis Golovin (Inactive) added a comment - edited

          Do we need to mention inclusion of patched EAP in 9.1.0 installer as well and create separate JIRA for that?


          Len DiMaggio added a comment -

          The topic that requires documentation is the upgrade path for JBDS 9.0.0 users.

          The possible paths are:

          • Install from the new installer - jboss-devstudio-9.0.0.GA-CVE-2015-7501-installer-eap.jar
          • Download the EAP release itself
          • Apply the EAP patch to their already installed EAP

            exd-mmalina Martin Malina
            ldimaggi@redhat.com Len DiMaggio