From bugzilla at redhat.com Wed May 20 18:34:25 2009
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 20 May 2009 14:34:25 -0400
Subject: [RHSA-2009:1058-01] Important: httpd security update
Message-ID: <200905201834.n4KIYPtd024000@int-mx1.corp.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: httpd security update
Advisory ID:       RHSA-2009:1058-01
Product:           JBoss Enterprise Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1058.html
Issue date:        2009-05-20
CVE Names:         CVE-2009-1191
=====================================================================

1. Summary:

Updated httpd packages that fix a security issue in mod_proxy_ajp are now
available for JBoss Enterprise Web Server 1.0.0.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Web Server 4AS-JBEWS-5.0.0 - i386, x86_64
JBoss Enterprise Web Server 4ES-JBEWS-5.0.0 - i386, x86_64
JBoss Enterprise Web Server 5Server-JBEWS-5.0.0 - i386, x86_64

3. Description:

The Apache HTTP Server is a popular Web server. The Apache mod_proxy_ajp
module provides Apache JServ Protocol (AJP) support to the Apache mod_proxy
module.

An information disclosure flaw was found in mod_proxy_ajp. In certain
situations, if a user sent a carefully crafted HTTP request, the httpd
server could return a response intended for another user. (CVE-2009-1191)

Users are advised to upgrade to these updated packages, which resolve this
issue. Users must restart httpd for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

496801 - CVE-2009-1191 httpd mod_proxy_ajp information disclosure

6. Package List:

JBoss Enterprise Web Server 4AS-JBEWS-5.0.0:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/httpd22-2.2.10-16.1.ep5.el4.src.rpm

i386:
httpd22-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.i386.rpm

x86_64:
httpd22-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.x86_64.rpm

JBoss Enterprise Web Server 4ES-JBEWS-5.0.0:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/httpd22-2.2.10-16.1.ep5.el4.src.rpm

i386:
httpd22-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.i386.rpm

x86_64:
httpd22-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.x86_64.rpm

JBoss Enterprise Web Server 5Server-JBEWS-5.0.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/httpd-2.2.10-4.ep5.el5.src.rpm

i386:
httpd-2.2.10-4.ep5.el5.i386.rpm
httpd-debuginfo-2.2.10-4.ep5.el5.i386.rpm
httpd-devel-2.2.10-4.ep5.el5.i386.rpm
httpd-manual-2.2.10-4.ep5.el5.i386.rpm
mod_ssl-2.2.10-4.ep5.el5.i386.rpm

x86_64:
httpd-2.2.10-4.ep5.el5.x86_64.rpm
httpd-debuginfo-2.2.10-4.ep5.el5.x86_64.rpm
httpd-devel-2.2.10-4.ep5.el5.x86_64.rpm
httpd-manual-2.2.10-4.ep5.el5.x86_64.rpm
mod_ssl-2.2.10-4.ep5.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
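A quick way to confirm that the fix from section 4 has actually landed is to compare each installed httpd package against the fixed build in section 6. The script below is an added example, not Red Hat's tooling: it takes the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` (plain `rpm -qa` output without the arch suffix also works) and reimplements a simplified rpmvercmp (no epoch, tilde or caret handling) so it runs without the rpm library; the sample lines are constructed.

```python
import re

# Fixed version-release per package name, copied from the advisory's package list.
FIXED = {
    "httpd22": "2.2.10-16.1.ep5.el4",    # JBEWS on RHEL 4 AS/ES
    "mod_ssl22": "2.2.10-16.1.ep5.el4",
    "httpd": "2.2.10-4.ep5.el5",         # JBEWS on RHEL 5 Server
    "mod_ssl": "2.2.10-4.ep5.el5",
}
ARCHES = {"i386", "i686", "x86_64", "noarch", "src"}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpm segment comparison: returns -1, 0 or 1 like rpmvercmp."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:                      # a numeric segment is newer than an alpha one
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)         # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # longer string wins a tie


def vr_cmp(vr_a, vr_b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nvr(line):
    """'httpd22-2.2.10-16.1.ep5.el4.x86_64' -> ('httpd22', '2.2.10-16.1.ep5.el4')."""
    base, _, tail = line.rpartition(".")
    nvr = base if tail in ARCHES else line           # arch suffix is optional
    name, ver, rel = nvr.rsplit("-", 2)
    return name, f"{ver}-{rel}"


def vulnerable_packages(rpm_qa_output):
    """Return (name, installed VR) for listed packages older than the fixed build."""
    found = []
    for line in rpm_qa_output.split():
        name, vr = split_nvr(line)
        if name in FIXED and vr_cmp(vr, FIXED[name]) < 0:
            found.append((name, vr))
    return found


# Constructed sample: one patched line, two pre-fix builds, one unrelated package.
SAMPLE = """httpd22-2.2.10-16.ep5.el4.x86_64
mod_ssl22-2.2.10-16.1.ep5.el4.x86_64
httpd-2.2.10-3.ep5.el5
bash-3.2-24.el5.i386
"""
```

Packages named in the advisory but built as sub-packages (httpd22-apr-*, httpd-devel, and so on) are not in `FIXED`; add them with the same version-release if your hosts install them.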