RHSA-2009:1618 - Security Advisory

Topic

An updated mod_jk package that fixes one security issue is now available
for Red Hat Network Satellite Server 5.1 and 5.2.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

Description

mod_jk is an Apache Tomcat connector that allows Apache Tomcat and the
Apache HTTP Server to communicate with each other.

An information disclosure flaw was found in mod_jk. In certain situations,
if a faulty client set the "Content-Length" header without providing data,
or if a user sent repeated requests very quickly, one user may view a
response intended for another user. (CVE-2008-5519)

Note: Red Hat Network Satellite Server is the only client that has access
to mod_jk on the system, and as such, the exposure and risk of this issue
is low.

Users of Red Hat Network Satellite Server 5.1 and 5.2 are advised to
upgrade to this updated mod_jk package, which contains a backported patch
to correct this issue.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Network Satellite 5.2 (for RHEL Mainframe) 5.2 s390x
• Red Hat Network Satellite 5.2 (for RHEL Mainframe) 5.2 s390
• Red Hat Network Satellite 5.2 (for RHEL Server) 5.2 x86_64
• Red Hat Network Satellite 5.2 (for RHEL Server) 5.2 i386
• Red Hat Network Satellite 5.1 (for RHEL Mainframe) 5.1 s390x
• Red Hat Network Satellite 5.1 (for RHEL Mainframe) 5.1 s390
• Red Hat Network Satellite 5.1 (for RHEL Server) 5.1 x86_64
• Red Hat Network Satellite 5.1 (for RHEL Server) 5.1 i386

Fixes

• BZ - 490201 - CVE-2008-5519 mod_jk: session information leak

CVEs

• CVE-2008-5519

References

• http://www.redhat.com/security/updates/classification/#low