Status: RELEASED

Patch Id: 136986-03

***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************
For further information on patching best practices and resources, please
see the Big Admin Patching Center, http://www.sun.com/bigadmin/patches/ 
***********************************************************************

Summary: Sun Java Web Console 3.0.2_x86: Security fixes

Date:  Jun/25/2009

Installation Requirements:

NA

Solaris Release: 8_x86

Sun OS Release: 5.8_x86

Unbundled Product: Sun Java Web Console

Unbundled Release: 3.0.2

Xref: This patch is available for Solaris SPARC as 136987, 125950, 125952, for Solaris x86 as 136986, 125951, 125953, for RHEL3.0, RHEL4.0 as 125954, for Windows Unbundled as 127534, Windows bundled with JES as 125955

Topic: 

Relevant Architecture: x86

BugId's fixed with this patch:

6505096 6614074 6731783 6763558

Changes incorporated in this version:

6763558

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch: 

Required Patches:

Obsoleted by:

Files Included in this Patch: 

/usr/share/webconsole/lib/SMIWebCommon.jar
    /usr/share/webconsole/lib/cc.jar
    /usr/share/webconsole/private/container/server/webapps/manager/WEB-INF/lib/console_manager.jar
    /usr/share/webconsole/private/lib/console_admin.jar
    /usr/share/webconsole/private/lib/console_config.jar
    /usr/share/webconsole/private/lib/console_manager.jar
    /usr/share/webconsole/private/templates/tomcat/consolelogin_conf.tpl
    /usr/share/webconsole/webapps/console/WEB-INF/lib/SMIWebConsole.jar
    /usr/share/webconsole/webapps/console/com_sun_web_ui/help/helpwindow.jsp
    /usr/share/webconsole/webapps/console/com_sun_web_ui/help/masthead.jsp
    /usr/share/webconsole/webapps/console/html/en/console_version.shtml
/usr/lib/webconsole/libwebconsole_services.so

Problem Description: 

6763558 cross-site scripting (XSS) vulnerability reported in two Sun Java Web Console help jsp scripts
 
(from 136986_02)
6731783 /console/faces/jsp/login/BeginLogin.jsp (redirect_url takes arbitrary urls)
 
(from 136986_01)
6614074 adminverifier needs to bracket its privileges
6505096 Security vulnerability in Sun Java Web Console

Revision History: 

136986-02 136986-01

Patch Installation Instructions: 

-------------------------------- 
For Solaris 8 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.  The following example
installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/136986-03
 
The following example removes a patch from a standalone system:
 
       example# patchrm 136986-03
 
For additional examples please see the appropriate man pages.

Special Install Instructions: 

-----------------------------

README -- Last modified date:  Thursday, June 25, 2009