Security Advisory Important: JBoss Enterprise Application Platform 4.3.0.CP09 update

Advisory: RHSA-2010:0937-1
Type: Security Advisory
Severity: Important
Issued on: 2010-12-01
Last updated on: 2010-12-01
Affected Products: JBoss Enterprise Application Platform 4.3.0 EL4
CVEs (cve.mitre.org): CVE-2010-3708, CVE-2010-3862, CVE-2010-3878

Details

Updated JBoss Enterprise Application Platform (JBEAP) 4.3 packages that fix
three security issues and multiple bugs are now available for Red Hat
Enterprise Linux 4 as JBEAP 4.3.0.CP09.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

JBoss Enterprise Application Platform is the market-leading platform for
innovative and scalable Java applications, integrating the JBoss
Application Server with JBoss Hibernate and JBoss Seam into a complete,
simple enterprise solution.

This release of JBEAP for Red Hat Enterprise Linux 4 serves as a
replacement to JBEAP 4.3.0.CP08.

These updated packages include multiple bug fixes which are detailed in the
Release Notes. The Release Notes will be available shortly from the link in
the References section.

The following security issues are also fixed with this release:

An input sanitization flaw was found in the way JBoss Drools implemented
certain rule base serialization. If a remote attacker supplied
specially-crafted input to a JBoss Seam based application that accepts
serialized input, it could lead to arbitrary code execution with the
privileges of the JBoss server process. (CVE-2010-3708)

A Cross-Site Request Forgery (CSRF) flaw was found in the JMX Console. A
remote attacker could use this flaw to deploy a WAR file of their choosing
on the target server, if they are able to trick a user, who is logged into
the JMX Console as the admin user, into visiting a specially-crafted web
page. (CVE-2010-3878)

A flaw was found in the JBoss Remoting component. A remote attacker could
use specially-crafted input to cause the JBoss Remoting listeners to become
unresponsive, resulting in a denial of service condition for services
communicating via JBoss Remoting sockets. (CVE-2010-3862)

Red Hat would like to thank Ole Husgaard of eXerp.com for reporting the
CVE-2010-3862 issue.

Warning: Before applying this update, please back up the JBEAP
"server/[configuration]/deploy/" directory, and any other customized
configuration files.

All users of JBEAP 4.3 on Red Hat Enterprise Linux 4 are advised to upgrade
to these updated packages.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

JBoss Enterprise Application Platform 4.3.0 EL4

SRPMS:
glassfish-jaxb-2.1.4-1.17.patch04.ep1.el4.src.rpm
glassfish-jaxws-2.1.1-1jpp.ep1.13.el4.src.rpm
hibernate3-3.2.4-1.SP1_CP11.0jpp.ep2.0.el4.src.rpm
File outdated by:  RHBA-2011:1297
hibernate3-annotations-3.3.1-2.0.GA_CP04.ep1.el4.src.rpm
File outdated by:  RHBA-2011:1297
javassist-3.9.0-2.ep1.1.el4.src.rpm
jboss-common-1.2.2-1.ep1.1.el4.src.rpm
jboss-messaging-1.4.0-4.SP3_CP11.1.ep1.el4.src.rpm
File outdated by:  RHBA-2011:1297
jboss-remoting-2.2.3-4.SP3.ep1.el4.src.rpm
File outdated by:  RHBA-2011:1297
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.22.el4.src.rpm
File outdated by:  RHBA-2011:1297
jboss-seam2-2.0.2.FP-1.ep1.26.el4.src.rpm
File outdated by:  RHBA-2013:1099
jbossas-4.3.0-8.GA_CP09.2.ep1.el4.src.rpm
File outdated by:  RHSA-2013:0249
jbossts-4.2.3-2.SP5_CP10.1jpp.ep1.1.el4.src.rpm
jbossweb-2.0.0-7.CP15.0jpp.ep1.1.el4.src.rpm
File outdated by:  RHBA-2011:1297
jbossws-2.0.1-6.SP2_CP09.2.ep1.el4.src.rpm
File outdated by:  RHBA-2011:1297
jbossws-common-1.0.0-3.GA_CP06.1.ep1.el4.src.rpm
File outdated by:  RHSA-2011:1306
jgroups-2.4.9-1.ep1.el4.src.rpm
File outdated by:  RHBA-2011:1297
rh-eap-docs-4.3.0-8.GA_CP09.ep1.3.el4.src.rpm
File outdated by:  RHBA-2011:1297
xalan-j2-2.7.1-4.ep1.1.el4.src.rpm
 
IA-32:
glassfish-jaxb-2.1.4-1.17.patch04.ep1.el4.noarch.rpm
glassfish-jaxws-2.1.1-1jpp.ep1.13.el4.noarch.rpm
hibernate3-3.2.4-1.SP1_CP11.0jpp.ep2.0.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
hibernate3-annotations-3.3.1-2.0.GA_CP04.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
hibernate3-annotations-javadoc-3.3.1-2.0.GA_CP04.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
hibernate3-javadoc-3.2.4-1.SP1_CP11.0jpp.ep2.0.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
javassist-3.9.0-2.ep1.1.el4.noarch.rpm
jboss-common-1.2.2-1.ep1.1.el4.noarch.rpm
jboss-messaging-1.4.0-4.SP3_CP11.1.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jboss-remoting-2.2.3-4.SP3.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.22.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.22.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jboss-seam2-2.0.2.FP-1.ep1.26.el4.noarch.rpm
File outdated by:  RHBA-2013:1099
jboss-seam2-docs-2.0.2.FP-1.ep1.26.el4.noarch.rpm
File outdated by:  RHBA-2013:1099
jbossas-4.3.0-8.GA_CP09.2.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
jbossas-4.3.0.GA_CP09-bin-4.3.0-8.GA_CP09.2.ep1.el4.noarch.rpm
jbossas-client-4.3.0-8.GA_CP09.2.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
jbossts-4.2.3-2.SP5_CP10.1jpp.ep1.1.el4.noarch.rpm
jbossweb-2.0.0-7.CP15.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jbossws-2.0.1-6.SP2_CP09.2.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jbossws-common-1.0.0-3.GA_CP06.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2011:1306
jgroups-2.4.9-1.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
rh-eap-docs-4.3.0-8.GA_CP09.ep1.3.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
rh-eap-docs-examples-4.3.0-8.GA_CP09.ep1.3.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
xalan-j2-2.7.1-4.ep1.1.el4.noarch.rpm
 
x86_64:
glassfish-jaxb-2.1.4-1.17.patch04.ep1.el4.noarch.rpm
glassfish-jaxws-2.1.1-1jpp.ep1.13.el4.noarch.rpm
hibernate3-3.2.4-1.SP1_CP11.0jpp.ep2.0.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
hibernate3-annotations-3.3.1-2.0.GA_CP04.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
hibernate3-annotations-javadoc-3.3.1-2.0.GA_CP04.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
hibernate3-javadoc-3.2.4-1.SP1_CP11.0jpp.ep2.0.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
javassist-3.9.0-2.ep1.1.el4.noarch.rpm
jboss-common-1.2.2-1.ep1.1.el4.noarch.rpm
jboss-messaging-1.4.0-4.SP3_CP11.1.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jboss-remoting-2.2.3-4.SP3.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.22.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.22.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jboss-seam2-2.0.2.FP-1.ep1.26.el4.noarch.rpm
File outdated by:  RHBA-2013:1099
jboss-seam2-docs-2.0.2.FP-1.ep1.26.el4.noarch.rpm
File outdated by:  RHBA-2013:1099
jbossas-4.3.0-8.GA_CP09.2.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
jbossas-4.3.0.GA_CP09-bin-4.3.0-8.GA_CP09.2.ep1.el4.noarch.rpm
jbossas-client-4.3.0-8.GA_CP09.2.ep1.el4.noarch.rpm
File outdated by:  RHSA-2013:0249
jbossts-4.2.3-2.SP5_CP10.1jpp.ep1.1.el4.noarch.rpm
jbossweb-2.0.0-7.CP15.0jpp.ep1.1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jbossws-2.0.1-6.SP2_CP09.2.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
jbossws-common-1.0.0-3.GA_CP06.1.ep1.el4.noarch.rpm
File outdated by:  RHSA-2011:1306
jgroups-2.4.9-1.ep1.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
rh-eap-docs-4.3.0-8.GA_CP09.ep1.3.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
rh-eap-docs-examples-4.3.0-8.GA_CP09.ep1.3.el4.noarch.rpm
File outdated by:  RHBA-2011:1297
xalan-j2-2.7.1-4.ep1.1.el4.noarch.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
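
An added example (not part of Red Hat's advisory): a host check that flags installed builds older than a subset of the package builds listed above, using a simplified RPM version comparison. The installed-package sample is constructed, the input format `%{NAME}-%{VERSION}-%{RELEASE}` is an assumption, and epochs and tilde ordering are not handled.

```python
import re

# Builds copied from this advisory's package list (a subset, ".noarch.rpm" dropped).
ADVISORY_BUILDS = [
    "jbossas-4.3.0-8.GA_CP09.2.ep1.el4",
    "jboss-remoting-2.2.3-4.SP3.ep1.el4",
    "jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.22.el4",
    "jboss-seam2-2.0.2.FP-1.ep1.26.el4",
]

# Constructed sample, shaped like the output of
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
SAMPLE_INSTALLED = """\
jbossas-4.3.0-7.GA_CP08.ep1.el4
jboss-remoting-2.2.3-4.SP3.ep1.el4
jboss-seam2-2.0.2.FP-1.ep1.21.el4
bash-3.0-27.el4
"""

def split_nvr(nvr):
    """Split name-version-release; the name itself may contain dashes."""
    name, version, release = nvr.strip().rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 (no tilde/caret rules)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer than alpha
        if x.isdigit():
            x, y = int(x), int(y)            # "09" and "9" compare equal
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def find_outdated(installed_text, fixed=ADVISORY_BUILDS):
    """Return (name, installed_build, advisory_build) for builds below the advisory's."""
    wanted = {n: (v, r) for n, v, r in map(split_nvr, fixed)}
    outdated = []
    for line in installed_text.splitlines():
        if line.count("-") < 2:
            continue
        name, ver, rel = split_nvr(line)
        if name in wanted:
            fv, fr = wanted[name]
            if (rpmvercmp(ver, fv) or rpmvercmp(rel, fr)) < 0:
                outdated.append((name, f"{ver}-{rel}", f"{fv}-{fr}"))
    return outdated

if __name__ == "__main__":
    for name, have, need in find_outdated(SAMPLE_INSTALLED):
        print(f"{name}: installed {have}, advisory build {need}")
```

Packages that are not installed, or not in the advisory subset, are skipped rather than reported.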

Bugs fixed (see bugzilla for more information)

604617 - CVE-2010-3878 JBoss EAP jmx console FileDeployment CSRF
633859 - CVE-2010-3708 JBoss drools deserialization remote code execution
638224 - Tracker bug for the EAP 4.3.0.cp09 release.
641389 - CVE-2010-3862 JBoss Remoting Denial-Of-Service


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/