Issued:: 2009-05-20
Updated:: 2009-05-20

RHSA-2009:1058 - Security Advisory

Overview
Updated Packages

Synopsis

Important: httpd security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated httpd packages that fix a security issue in mod_proxy_ajp are now
available for JBoss Enterprise Web Server 1.0.0.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Description

The Apache HTTP Server is a popular Web server. The Apache mod_proxy_ajp
module provides Apache JServ Protocol (AJP) support to the Apache mod_proxy
module.

An information disclosure flaw was found in mod_proxy_ajp. In certain
situations, if a user sent a carefully crafted HTTP request, the httpd
server could return a response intended for another user. (CVE-2009-1191)

Users are advised to upgrade to these updated packages, which resolve this
issue. Users must restart httpd for this update to take effect.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

JBoss Enterprise Web Server 1 for RHEL 5 x86_64
JBoss Enterprise Web Server 1 for RHEL 5 i386

Fixes

BZ - 496801 - CVE-2009-1191 httpd mod_proxy_ajp information disclosure

CVEs

CVE-2009-1191

References

http://www.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Server 1 for RHEL 5

SRPM
httpd-2.2.10-4.ep5.el5.src.rpm	SHA-256: 2e1cbcb101c190fd1308c25916d544c49465dae8009920b25958b9ee500f3adf
x86_64
httpd-2.2.10-4.ep5.el5.x86_64.rpm	SHA-256: 4e13e087f585c57e74c3de955c691536b40ab08e97d411e5de4e9880b110be56
httpd-devel-2.2.10-4.ep5.el5.x86_64.rpm	SHA-256: e174d8340dd894e79416dc9df76d60de1a0c6e088802c1d383594a4801554546
httpd-manual-2.2.10-4.ep5.el5.x86_64.rpm	SHA-256: 26d0ab87a3d8c768c2e58b13c0d888be1ec300185a4b3eb4a12bfcb55c9483b3
mod_ssl-2.2.10-4.ep5.el5.x86_64.rpm	SHA-256: 7d18fb2d0e91058b840c6c4f3f7a9c030631c203685aae0bd64df8d29a47414e
i386
httpd-2.2.10-4.ep5.el5.i386.rpm	SHA-256: 6a4cecb168bed5aa3b5db527e059b734241f29f0e7a3ce3a826951f230defd06
httpd-devel-2.2.10-4.ep5.el5.i386.rpm	SHA-256: e0aa4c58fc5f9492d9239d4f016debfc0bfbb01862611634cd8cbb6446bc09c3
httpd-manual-2.2.10-4.ep5.el5.i386.rpm	SHA-256: 13f5e24ee3cf32a4cbbf1a4db61eac59f20a6ee0b514a36d84acea6b7db9fccb
mod_ssl-2.2.10-4.ep5.el5.i386.rpm	SHA-256: d2b7d946e0976b3cac5e3f196e6640d81be1fcb4f6a2df9e5cc893fd0349c14e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation