Rapid7 VulnDB

RHSA-2012:1537: jasperreports-server-pro security and bug fix update

Back to Search

RHSA-2012:1537: jasperreports-server-pro security and bug fix update



An updated jasperreports-server-pro package that fixes one security issue and various bugs is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

JasperReports Server is a reporting server. A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625) This update also fixes the following bugs: * Adding a user to any ROLE caused an unexpected exception. (BZ#730712) * Previously, the jasperreports-server-pro RPM spec file contained the "%{dist}" tag on the "Release" line. To comply with the packaging and naming guidelines, the tag has been changed to "%{?dist}" with this update. (BZ#868927) * In some cases reports were opened with an incorrect list of Entity/Entities. (BZ#842687) Note: The jasperreports-server-pro package replaces rhevm-reports-server from Red Hat Enterprise Virtualization Manager 3.0. Users are advised to upgrade to this updated package, which corrects these issues.


  • redhat-upgrade-jasperreports-server-pro


  • redhat-upgrade-jasperreports-server-pro

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center