[RHSA-2009:1058-01] Important: httpd security update

bugzilla at redhat.com bugzilla at redhat.com
Wed May 20 18:34:25 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: httpd security update
Advisory ID:       RHSA-2009:1058-01
Product:           JBoss Enterprise Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1058.html
Issue date:        2009-05-20
CVE Names:         CVE-2009-1191
=====================================================================

1. Summary:

Updated httpd packages that fix a security issue in mod_proxy_ajp are now
available for JBoss Enterprise Web Server 1.0.0.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

JBoss Enterprise Web Server 4AS-JBEWS-5.0.0 - i386, x86_64
JBoss Enterprise Web Server 4ES-JBEWS-5.0.0 - i386, x86_64
JBoss Enterprise Web Server 5Server-JBEWS-5.0.0 - i386, x86_64

3. Description:

The Apache HTTP Server is a popular Web server. The Apache mod_proxy_ajp
module provides Apache JServ Protocol (AJP) support to the Apache mod_proxy
module.

An information disclosure flaw was found in mod_proxy_ajp. In certain
situations, if a user sent a carefully crafted HTTP request, the httpd
server could return a response intended for another user. (CVE-2009-1191)

Users are advised to upgrade to these updated packages, which resolve this
issue. Users must restart httpd for this update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network.  Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

496801 - CVE-2009-1191 httpd mod_proxy_ajp information disclosure

6. Package List:

JBoss Enterprise Web Server 4AS-JBEWS-5.0.0:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/httpd22-2.2.10-16.1.ep5.el4.src.rpm

i386:
httpd22-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.i386.rpm

x86_64:
httpd22-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.x86_64.rpm

JBoss Enterprise Web Server 4ES-JBEWS-5.0.0:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/httpd22-2.2.10-16.1.ep5.el4.src.rpm

i386:
httpd22-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.i386.rpm

x86_64:
httpd22-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.x86_64.rpm

JBoss Enterprise Web Server 5Server-JBEWS-5.0.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/httpd-2.2.10-4.ep5.el5.src.rpm

i386:
httpd-2.2.10-4.ep5.el5.i386.rpm
httpd-debuginfo-2.2.10-4.ep5.el5.i386.rpm
httpd-devel-2.2.10-4.ep5.el5.i386.rpm
httpd-manual-2.2.10-4.ep5.el5.i386.rpm
mod_ssl-2.2.10-4.ep5.el5.i386.rpm

x86_64:
httpd-2.2.10-4.ep5.el5.x86_64.rpm
httpd-debuginfo-2.2.10-4.ep5.el5.x86_64.rpm
httpd-devel-2.2.10-4.ep5.el5.x86_64.rpm
httpd-manual-2.2.10-4.ep5.el5.x86_64.rpm
mod_ssl-2.2.10-4.ep5.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
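The Solution section and the Package List above give an administrator everything needed to answer the practical question "is this host still exposed to CVE-2009-1191?": the installed httpd (or httpd22) version-release must be at or above the one shipped in this erratum. The script below is an added example, not part of the advisory or of Red Hat's tooling. It takes the fixed version-release strings from the Package List, compares an installed version-release against them with a simplified RPM ordering (an assumption: segments split on '.' and '-', numeric before alphabetic; it is not the full rpmvercmp() algorithm), and reports each entry of a constructed sample inventory as OK or VULNERABLE. The "older" version-release values in the sample inventory are made up for illustration and do not appear in the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): flag hosts whose httpd package is
# below the version-release fixed in RHSA-2009:1058 (CVE-2009-1191).

# Fixed version-release strings, taken from the advisory's Package List.
FIXED_EL4="2.2.10-16.1.ep5.el4"   # httpd22 on JBoss Enterprise Web Server 4AS/4ES
FIXED_EL5="2.2.10-4.ep5.el5"      # httpd on JBoss Enterprise Web Server 5Server

# fixed_for CHANNEL: print the fixed version-release for a channel (el4 or el5).
fixed_for() {
    case "$1" in
        el4) printf '%s\n' "$FIXED_EL4" ;;
        el5) printf '%s\n' "$FIXED_EL5" ;;
        *)   printf '%s\n' "unknown" ;;
    esac
}

# is_num S: succeed when S is a non-empty string of decimal digits.
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# vercmp A B: print -1, 0 or 1 for A<B, A==B, A>B.
# Assumption: simplified RPM ordering. Strings are split on '.' and '-';
# numeric segments compare numerically, a numeric segment beats an
# alphabetic one, alphabetic segments compare as C-locale strings, and the
# longer string wins when one is a prefix of the other.
vercmp() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    i=1
    while :; do
        sa=$(printf '%s\n' "$a" | cut -d. -f"$i")
        sb=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ -z "$sa" ] && [ -z "$sb" ]; then printf '%s\n' 0; return 0; fi
        if [ -z "$sa" ]; then printf '%s\n' -1; return 0; fi
        if [ -z "$sb" ]; then printf '%s\n' 1; return 0; fi
        if is_num "$sa" && is_num "$sb"; then
            if [ "$sa" -gt "$sb" ]; then printf '%s\n' 1; return 0; fi
            if [ "$sa" -lt "$sb" ]; then printf '%s\n' -1; return 0; fi
        elif is_num "$sa"; then printf '%s\n' 1; return 0
        elif is_num "$sb"; then printf '%s\n' -1; return 0
        elif [ "$sa" != "$sb" ]; then
            # Whichever segment sorts first in the C locale is the smaller one.
            first=$(printf '%s\n%s\n' "$sa" "$sb" | LC_ALL=C sort | head -n 1)
            if [ "$first" = "$sa" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
            return 0
        fi
        i=$((i + 1))
    done
}

# is_patched INSTALLED FIXED: succeed when INSTALLED is at or above FIXED.
is_patched() {
    [ "$(vercmp "$1" "$2")" != "-1" ]
}

# Constructed sample inventory: host, channel, package, installed version-release.
# On a real host the last field comes from:
#   rpm -q httpd22 --qf '%{VERSION}-%{RELEASE}\n'   (el4)  or
#   rpm -q httpd   --qf '%{VERSION}-%{RELEASE}\n'   (el5)
# The below-fix values (…-15.ep5.el4, …-3.ep5.el5) are made up for illustration.
SAMPLE_INVENTORY="web01 el4 httpd22 2.2.10-15.ep5.el4
web02 el4 httpd22 2.2.10-16.1.ep5.el4
app01 el5 httpd 2.2.10-3.ep5.el5
app02 el5 httpd 2.2.10-4.ep5.el5"

# report: one line per inventory entry, OK or VULNERABLE against the fixed NEVR.
report() {
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r host chan pkg vr; do
        fixed=$(fixed_for "$chan")
        if is_patched "$vr" "$fixed"; then
            printf '%s %s-%s OK (>= %s)\n' "$host" "$pkg" "$vr" "$fixed"
        else
            printf '%s %s-%s VULNERABLE (needs %s)\n' "$host" "$pkg" "$vr" "$fixed"
        fi
    done
}

# count_vulnerable: number of inventory entries still below the fixed version.
count_vulnerable() {
    report | grep -c VULNERABLE
}

report
```

A host reported as VULNERABLE needs the packages from the list above applied and httpd restarted, as the advisory says; before installing a downloaded RPM, `rpm -K <file>.rpm` checks its Red Hat GPG signature against the key referenced above. Because the comparison is simplified, treat it as a triage aid: the authoritative check on the host remains `rpm -q` against the exact version-release strings in this erratum.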

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFKFE0iXlSAg2UNWIIRAoINAJwK3QiyoP5meD5h36diCXbYJP00CACfejA9
f5oCnRTJ86fgPy1lVSUFW1s=
=ugg4
-----END PGP SIGNATURE-----
