Security Advisory Important: jakarta-taglibs-standard security update

Advisory: RHSA-2015:1695-1
Type: Security Advisory
Severity: Important
Issued on: 2015-08-31
Last updated on: 2015-08-31
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux HPC Node (v. 7)
Red Hat Enterprise Linux HPC Node EUS (v. 7.1)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Server EUS (v. 6.7.z)
Red Hat Enterprise Linux Server EUS (v. 7.1)
Red Hat Enterprise Linux Workstation (v. 6)
Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2015-0254

Details

Updated jakarta-taglibs-standard packages that fix one security issue are
now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

jakarta-taglibs-standard is the Java Standard Tag Library (JSTL).
This library is used in conjunction with Tomcat and Java Server Pages
(JSP).

It was found that the Java Standard Tag Library (JSTL) allowed external
entity references to be used when processing untrusted XML documents.
Such references could access resources on the host system and,
potentially, allow arbitrary code execution. (CVE-2015-0254)
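
The external entity behaviour described above, shown on a standalone JAXP DocumentBuilder rather than on JSTL itself. This is an added example, not code from the advisory or from the backported patch; the class name, the sample XML and the temporary file are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {
    // Parse XML with the given factory and return the root element's text.
    static String parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        return dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement().getTextContent();
    }

    // Hardened factory: refuse any DOCTYPE, so no entity can be declared.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file standing in for a host resource.
        Path resource = Files.createTempFile("host-resource", ".txt");
        Files.write(resource, "CONSTRUCTED-MARKER".getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"" + resource.toUri() + "\">]>\n"
                + "<order>&ext;</order>";
        try {
            // Factory with default settings: the entity is resolved and the
            // file content ends up inside the parsed document.
            String text = parse(DocumentBuilderFactory.newInstance(), xml);
            System.out.println("default parser returned:  " + text);

            // Hardened factory: the DOCTYPE itself is a fatal error.
            parse(hardenedFactory(), xml);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected: " + e.getMessage());
        } finally {
            Files.deleteIfExists(resource);
        }
    }
}
```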

Note: jakarta-taglibs-standard users may need to take additional steps
after applying this update. Detailed instructions on the additional steps
can be found here:

https://access.redhat.com/solutions/1584363

All jakarta-taglibs-standard users are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.src.rpm

IA-32, x86_64:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.1-11.7.el6_7.noarch.rpm

Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
jakarta-taglibs-standard-1.1.2-14.el7_1.src.rpm

x86_64:
jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm

Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.src.rpm

x86_64:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.1-11.7.el6_7.noarch.rpm

Red Hat Enterprise Linux HPC Node (v. 7)

SRPMS:
jakarta-taglibs-standard-1.1.2-14.el7_1.src.rpm

x86_64:
jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm

Red Hat Enterprise Linux HPC Node EUS (v. 7.1)

SRPMS:
jakarta-taglibs-standard-1.1.2-14.el7_1.src.rpm

x86_64:
jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.src.rpm

IA-32, PPC, s390x, x86_64:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.1-11.7.el6_7.noarch.rpm

Red Hat Enterprise Linux Server (v. 7)

SRPMS:
jakarta-taglibs-standard-1.1.2-14.el7_1.src.rpm

PPC, s390x, x86_64:
jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm

Red Hat Enterprise Linux Server EUS (v. 6.7.z)

SRPMS:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.src.rpm

IA-32, PPC, s390x, x86_64:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.1-11.7.el6_7.noarch.rpm

Red Hat Enterprise Linux Server EUS (v. 7.1)

SRPMS:
jakarta-taglibs-standard-1.1.2-14.el7_1.src.rpm

PPC, s390x, x86_64:
jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.src.rpm

IA-32, x86_64:
jakarta-taglibs-standard-1.1.1-11.7.el6_7.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.1-11.7.el6_7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
jakarta-taglibs-standard-1.1.2-14.el7_1.src.rpm

x86_64:
jakarta-taglibs-standard-1.1.2-14.el7_1.noarch.rpm
jakarta-taglibs-standard-javadoc-1.1.2-14.el7_1.noarch.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1198606 - CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/