[RHSA-2009:1618-01] Low: mod_jk security update for Red Hat Network Satellite Server

bugzilla at redhat.com bugzilla at redhat.com
Mon Nov 30 15:43:15 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: mod_jk security update for Red Hat Network Satellite Server
Advisory ID:       RHSA-2009:1618-01
Product:           Red Hat Network Satellite Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2009-1618.html
Issue date:        2009-11-30
CVE Names:         CVE-2008-5519 
=====================================================================

1. Summary:

An updated mod_jk package that fixes one security issue is now available
for Red Hat Network Satellite Server 5.1 and 5.2.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) - i386, s390, s390x, x86_64
Red Hat Network Satellite Server 5.2 (RHEL v.4 AS) - i386, s390, s390x, x86_64

3. Description:

mod_jk is an Apache Tomcat connector that allows Apache Tomcat and the
Apache HTTP Server to communicate with each other.

An information disclosure flaw was found in mod_jk. In certain situations,
for example if a faulty client sent a "Content-Length" header without
providing a request body, or if a client sent repeated requests in rapid
succession, mod_jk could return to one user a response that was intended
for another user's request. (CVE-2008-5519)

Note: Red Hat Network Satellite Server itself is the only client with
access to mod_jk on the system; it is not reachable by arbitrary clients,
and as such the exposure and risk of this issue are low.

Users of Red Hat Network Satellite Server 5.1 and 5.2 are advised to
upgrade to this updated mod_jk package, which contains a backported patch
to correct this issue.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network.  Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

490201 - CVE-2008-5519 mod_jk: session information leak

6. Package List:

Red Hat Network Satellite Server 5.1 (RHEL v.4 AS):

Source:
mod_jk-1.2.25-10.src.rpm

i386:
mod_jk-ap20-1.2.25-10.i386.rpm
mod_jk-debuginfo-1.2.25-10.i386.rpm

s390:
mod_jk-ap20-1.2.25-10.s390.rpm
mod_jk-debuginfo-1.2.25-10.s390.rpm

s390x:
mod_jk-ap20-1.2.25-10.s390x.rpm
mod_jk-debuginfo-1.2.25-10.s390x.rpm

x86_64:
mod_jk-ap20-1.2.25-10.x86_64.rpm
mod_jk-debuginfo-1.2.25-10.x86_64.rpm

Red Hat Network Satellite Server 5.2 (RHEL v.4 AS):

Source:
mod_jk-1.2.25-10.src.rpm

i386:
mod_jk-ap20-1.2.25-10.i386.rpm
mod_jk-debuginfo-1.2.25-10.i386.rpm

s390:
mod_jk-ap20-1.2.25-10.s390.rpm
mod_jk-debuginfo-1.2.25-10.s390.rpm

s390x:
mod_jk-ap20-1.2.25-10.s390x.rpm
mod_jk-debuginfo-1.2.25-10.s390x.rpm

x86_64:
mod_jk-ap20-1.2.25-10.x86_64.rpm
mod_jk-debuginfo-1.2.25-10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
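The practical question for an administrator reading sections 4 and 6 is whether the installed mod_jk build is already at or past the fixed build, mod_jk-ap20-1.2.25-10. Comparing RPM versions as plain strings gets this wrong (release "9" sorts after "10" lexically), so the check below re-implements librpm's rpmvercmp() segment comparison and applies it to epoch, version and release in that order. This is an added example written for this page, not code from Red Hat or from the mod_jk project; the FIXED table is taken from the advisory's package list, the sample rpm query output is constructed for illustration (the 1.2.26-1 entry is hypothetical), and the tab-separated query format is the one produced by the `rpm -q --qf` command shown in the usage note.

```python
import sys

# Fixed builds from this advisory's package list: name -> (epoch, version, release).
# No epoch is set on these packages, which RPM treats as epoch 0.
FIXED = {
    "mod_jk-ap20": (0, "1.2.25", "10"),
    "mod_jk-debuginfo": (0, "1.2.25", "10"),
}

# Constructed sample of `rpm -q --qf '%{NAME}\t%{EPOCH}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\n'`
# output; rpm prints "(none)" for an unset epoch.  The 1.2.26-1 line is hypothetical.
SAMPLE_RPM_QUERY = (
    "mod_jk-ap20\t(none)\t1.2.25\t9\tx86_64\n"   # older release than the fix
    "mod_jk-ap20\t(none)\t1.2.25\t10\ti386\n"    # the advisory's fixed build
    "mod_jk-ap20\t(none)\t1.2.26\t1\ts390x\n"    # hypothetical newer version
    "package mod_jk-debuginfo is not installed\n"
)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version/release strings like librpm's rpmvercmp():
    split into maximal digit runs and letter runs, compare digit runs
    numerically and letter runs lexically, a numeric segment beats an
    alphabetic one, and '~' sorts before everything (pre-release marker).
    Returns -1, 0 or 1.  Note that '9' < '10' here, unlike str comparison."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separator characters (anything not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # A tilde sorts before anything, including the end of the string.
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Next segment type is decided by the first string: digits or letters.
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa = i
        while i < len(a) and pred(a[i]):
            i += 1
        sb = j
        while j < len(b) and pred(b[j]):
            j += 1
        seg_a, seg_b = a[sa:i], b[sb:j]
        if not seg_b:
            # Different segment types: numeric is considered newer than alpha.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    # All compared segments were equal: whichever string has characters left wins.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(evr_a, evr_b) -> int:
    """Compare (epoch, version, release) tuples; epoch dominates, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = evr_a, evr_b
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_query(output: str):
    """Parse the tab-separated rpm -q output into (name, epoch, version, release, arch)."""
    pkgs = []
    for line in output.splitlines():
        if not line.strip() or (line.startswith("package ") and line.endswith("is not installed")):
            continue
        name, epoch, version, release, arch = line.split("\t")
        pkgs.append((name, 0 if epoch == "(none)" else int(epoch), version, release, arch))
    return pkgs


def audit(output: str, fixed=FIXED):
    """Return [(nvra, "fixed" | "vulnerable" | "not covered"), ...] for each installed package."""
    results = []
    for name, epoch, version, release, arch in parse_rpm_query(output):
        nvra = f"{name}-{version}-{release}.{arch}"
        if name not in fixed:
            results.append((nvra, "not covered"))
            continue
        state = "fixed" if evr_cmp((epoch, version, release), fixed[name]) >= 0 else "vulnerable"
        results.append((nvra, state))
    return results


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QUERY
    for nvra, state in audit(data):
        print(f"{state:10s} {nvra}")
```

On a Satellite host the real input comes from `rpm -q --qf '%{NAME}\t%{EPOCH}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\n' mod_jk-ap20 mod_jk-debuginfo`, piped into the script; run without a pipe it audits the constructed sample. Before installing the downloaded packages, `rpm -K mod_jk-ap20-1.2.25-10.<arch>.rpm` checks the Red Hat GPG signature referred to above, which only passes once the Red Hat key has been imported with `rpm --import`.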

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519
http://www.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFLE+f7XlSAg2UNWIIRAl9mAKCIPGs2h/Ldq6itpFj4Tq1++PRhswCcCQhJ
w2GAoL3hnxqb0RsY1k0jzvU=
=hYHm
-----END PGP SIGNATURE-----