This is a 2-part question. I'm currently running 4.2.3.GA with an updated jbossweb jar from 2.0.0.GA.CP15 tag. I would like to know if my server is vulnerable with the latest security issues and what version of jbossweb I can get to help me. Looking at https://community.jboss.org/wiki/VersionOfTomcatInJBossAS, I need to get the latest jbossweb 2.0.1 version which is 2.0.1.GA found here: http://anonsvn.jboss.org/repos/jbossweb/tags/. Is this correct, as far as getting the latest version of jbossweb for 4.2.3.GA?
In IAVM 2011-B-0148, multiple security vulnerabilities were addressed by tomcat and the fix is to update to the latest tomcat 6.0.35. Seeing that jbossweb is forked from tomcat, how do I know if I'm vulnerable or not to these issues? How do security vulnerabilities get addressed in jbossweb and isn't there a list that I can go to that shows this info?