[RHSA-2009:1058-01] Important: httpd security update
bugzilla at redhat.com
Wed May 20 18:34:25 UTC 2009
=====================================================================
Red Hat Security Advisory
Synopsis: Important: httpd security update
Advisory ID: RHSA-2009:1058-01
Product: JBoss Enterprise Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1058.html
Issue date: 2009-05-20
CVE Names: CVE-2009-1191
=====================================================================
1. Summary:
Updated httpd packages that fix a security issue in mod_proxy_ajp are now
available for JBoss Enterprise Web Server 1.0.0.
This update has been rated as having important security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
JBoss Enterprise Web Server 4AS-JBEWS-5.0.0 - i386, x86_64
JBoss Enterprise Web Server 4ES-JBEWS-5.0.0 - i386, x86_64
JBoss Enterprise Web Server 5Server-JBEWS-5.0.0 - i386, x86_64
3. Description:
The Apache HTTP Server is a popular Web server. The Apache mod_proxy_ajp
module provides Apache JServ Protocol (AJP) support to the Apache mod_proxy
module.
An information disclosure flaw was found in mod_proxy_ajp. In certain
situations, if a user sent a carefully crafted HTTP request, the httpd
server could return a response intended for another user. (CVE-2009-1191)
Users are advised to upgrade to these updated packages, which resolve this
issue. Users must restart httpd for this update to take effect.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
496801 - CVE-2009-1191 httpd mod_proxy_ajp information disclosure
6. Package List:
JBoss Enterprise Web Server 4AS-JBEWS-5.0.0:
Source:
ftp://updates.redhat.com/enterprise/4AS/en/JBEAP/SRPMS/httpd22-2.2.10-16.1.ep5.el4.src.rpm
i386:
httpd22-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.i386.rpm
x86_64:
httpd22-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.x86_64.rpm
JBoss Enterprise Web Server 4ES-JBEWS-5.0.0:
Source:
ftp://updates.redhat.com/enterprise/4ES/en/JBEAP/SRPMS/httpd22-2.2.10-16.1.ep5.el4.src.rpm
i386:
httpd22-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.i386.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.i386.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.i386.rpm
x86_64:
httpd22-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-apr-util-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-debuginfo-2.2.10-16.1.ep5.el4.x86_64.rpm
httpd22-devel-2.2.10-16.1.ep5.el4.x86_64.rpm
mod_ssl22-2.2.10-16.1.ep5.el4.x86_64.rpm
JBoss Enterprise Web Server 5Server-JBEWS-5.0.0:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/httpd-2.2.10-4.ep5.el5.src.rpm
i386:
httpd-2.2.10-4.ep5.el5.i386.rpm
httpd-debuginfo-2.2.10-4.ep5.el5.i386.rpm
httpd-devel-2.2.10-4.ep5.el5.i386.rpm
httpd-manual-2.2.10-4.ep5.el5.i386.rpm
mod_ssl-2.2.10-4.ep5.el5.i386.rpm
x86_64:
httpd-2.2.10-4.ep5.el5.x86_64.rpm
httpd-debuginfo-2.2.10-4.ep5.el5.x86_64.rpm
httpd-devel-2.2.10-4.ep5.el5.x86_64.rpm
httpd-manual-2.2.10-4.ep5.el5.x86_64.rpm
mod_ssl-2.2.10-4.ep5.el5.x86_64.rpm
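An added example (not part of the advisory or Red Hat's tooling) of how an administrator can check whether the installed httpd packages have reached the fix level listed in section 6: it implements a simplified rpm version comparison and feeds it lines in the shape of `rpm -q --qf '%{NAME}\t%{VERSION}\t%{RELEASE}\n'` output. The sample input below is constructed; the pre-fix release strings in it are invented for illustration, and epochs (which the advisory does not list) are ignored.

```python
import re

# Fixed version-release per package, taken from section 6 of RHSA-2009:1058.
EL4_PKGS = ["httpd22", "httpd22-apr", "httpd22-apr-devel", "httpd22-apr-util",
            "httpd22-apr-util-devel", "httpd22-debuginfo", "httpd22-devel", "mod_ssl22"]
EL5_PKGS = ["httpd", "httpd-debuginfo", "httpd-devel", "httpd-manual", "mod_ssl"]
FIXED = {p: ("2.2.10", "16.1.ep5.el4") for p in EL4_PKGS}
FIXED.update({p: ("2.2.10", "4.ep5.el5") for p in EL5_PKGS})

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp(): split into numeric/alpha segments, compare numeric
    segments as integers and alpha segments lexically; a numeric segment beats an
    alpha one; more segments beats fewer. (No '~' / '^' handling.)"""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_older(ver, rel, fixed_ver, fixed_rel):
    """True when version-release is strictly older than the advisory's fixed level."""
    c = rpmvercmp(ver, fixed_ver)
    return c < 0 or (c == 0 and rpmvercmp(rel, fixed_rel) < 0)

def affected_packages(rpm_q_output):
    """Parse 'NAME<TAB>VERSION<TAB>RELEASE' lines and return (name, version-release)
    for packages from this advisory that are still below the fixed level.
    Lines without two tabs (e.g. 'package X is not installed') are skipped."""
    hits = []
    for line in rpm_q_output.strip().splitlines():
        if line.count("\t") != 2:
            continue
        name, ver, rel = line.split("\t")
        if name in FIXED and is_older(ver, rel, *FIXED[name]):
            hits.append((name, f"{ver}-{rel}"))
    return hits

# Constructed sample rpm -q output; the pre-fix releases are made up for illustration.
SAMPLE = ("httpd22\t2.2.10\t15.ep5.el4\n" "httpd22-devel\t2.2.10\t16.1.ep5.el4\n"
          "mod_ssl22\t2.2.10\t16.1.ep5.el4\n" "httpd\t2.2.10\t3.ep5.el5\n"
          "mod_ssl\t2.2.10\t4.ep5.el5\n")

if __name__ == "__main__":
    for name, vr in affected_packages(SAMPLE):
        print(f"{name}-{vr}: below RHSA-2009:1058 fix level; update and restart httpd")
```

On a real host, replace SAMPLE with the output of `rpm -q --qf '%{NAME}\t%{VERSION}\t%{RELEASE}\n'` followed by the package names in FIXED.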
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
http://www.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2009 Red Hat, Inc.