users@glassfish.java.net

RE: CPU-APR-2013 Patch

From: Wilkins, Brian <bwilkins_at_harris.com>
Date: Thu, 27 Feb 2014 14:41:46 +0000

What about Open Source/Community Edition members?

-----Original Message-----
From: John Clingan [mailto:john.clingan_at_oracle.com]
Sent: Thursday, February 27, 2014 9:36 AM
To: users_at_glassfish.java.net
Subject: Re: CPU-APR-2013 Patch

Glenn/Brian, these issues were fixed in the April '13 Critical Patch Update, which equates to Oracle GlassFish Server 3.1.2.5. Oracle GlassFish Server customers that have an active support contract can download and install this patch.

Hope this helps.

On Feb 26, 2014, at 4:44 AM, Wilkins, Brian <bwilkins_at_harris.com> wrote:

> Good question. This was in response to Retina reporting a finding. Maybe it doesn't affect 3.1.2.2.
>
> -----Original Message-----
> From: Glenn Holmer [mailto:gholmer_at_weycogroup.com]
> Sent: Tuesday, February 25, 2014 4:40 PM
> To: users_at_glassfish.java.net
> Subject: Re: CPU-APR-2013 Patch
>
> On 02/25/2014 11:06 AM, Wilkins, Brian wrote:
>> Where can I download the patch to fix the vulnerability in the REST
>> and ADMIN interface as detailed in CVE 2013-1508 and CVE 2013-1515
>> for GlassFish 3.1.2.2?
>
> Looking closely at the Oracle CPU:
>
> http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
>
> (search on the CVE number), it lists the affected versions as "3.0.1, 3.1.2". Does this vulnerability exist in 3.1.2.2 as well?
>
> --
> Glenn Holmer
> Weyco Group, Inc.
> phone: 414-908-1809
> fax: 414-908-1601
>