- Issued:
- 2016-01-21
- Updated:
- 2016-01-21
RHSA-2016:0061 - Security Advisory
Synopsis
Moderate: httpd and httpd22 security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
Updated httpd and httpd22 packages that fix two security issues are now
available for Red Hat JBoss Web Server 2.1.0 for Red Hat Enterprise Linux
5, 6, and 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which
give detailed severity ratings, are available from the CVE links in the
References section.
Description
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.
Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from an HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)
A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers. (CVE-2013-5704)
Users of httpd or httpd22 are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After installing
the updated packages, the httpd or httpd22 service must be restarted
manually for this update to take effect.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- JBoss Enterprise Web Server 2 for RHEL 7 x86_64
- JBoss Enterprise Web Server 2 for RHEL 6 x86_64
- JBoss Enterprise Web Server 2 for RHEL 6 i386
- JBoss Enterprise Web Server 2 for RHEL 5 x86_64
- JBoss Enterprise Web Server 2 for RHEL 5 i386
Fixes
- BZ - 1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
- BZ - 1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
JBoss Enterprise Web Server 2 for RHEL 7
| SRPM | |
|---|---|
| httpd22-2.2.26-42.ep6.el7.src.rpm | SHA-256: b7302a7253c68ffb3a31d26bd6308263ca2d31b394149b8448f4c1c93bf2af6d |
| mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el7.src.rpm | SHA-256: 371d96c807818f3ada809256cc323243b3dd07f0b87e9e2bf6e3ccac0dc855d0 |
| x86_64 | |
| httpd22-2.2.26-42.ep6.el7.x86_64.rpm | SHA-256: adfbe99feb67b7bb7ffa16d689d6524d3548cb2a0aa61ed975942248571c3ecf |
| httpd22-debuginfo-2.2.26-42.ep6.el7.x86_64.rpm | SHA-256: 888081f2face8ade8bb2b4927db524d3ec825cbe9dce686717bb23ef319579fb |
| httpd22-devel-2.2.26-42.ep6.el7.x86_64.rpm | SHA-256: ba30509147d978da808fc6dfb9d7c4793692837c36a9d8fe92bd87a05fdad868 |
| httpd22-manual-2.2.26-42.ep6.el7.x86_64.rpm | SHA-256: b149f9abf5d409a042c3470154d441fc39b82e214a96814ae94d0ce15790badb |
| httpd22-tools-2.2.26-42.ep6.el7.x86_64.rpm | SHA-256: ae7e36b79c20e37e1eedc0d1247a83303b97163df4731da2b571be933443683d |
| mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el7.x86_64.rpm | SHA-256: a1f0e448ab82416a0274865866e8a4e69290066a645f3f14d39e91058882c696 |
| mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el7.x86_64.rpm | SHA-256: f28756bf33fa0f9f0beb4723638862ea86563b76dfb1616caf9b19f2850c5e04 |
| mod_ssl22-2.2.26-42.ep6.el7.x86_64.rpm | SHA-256: fd341ff6400897ea5687d2e131cdb6ee43fdd20e801fdbd76e90e4cfc4631687 |
JBoss Enterprise Web Server 2 for RHEL 6
| SRPM | |
|---|---|
| httpd-2.2.26-41.ep6.el6.src.rpm | SHA-256: 1db25d17c1c66ba43fa171797afdc6d28f9f130db00c521f767b67043da3da2d |
| mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el6.src.rpm | SHA-256: 7d27c87b8cf6df27bf9f20186038feb9d04be642b45131dc7edae27d23905be3 |
| x86_64 | |
| httpd-2.2.26-41.ep6.el6.x86_64.rpm | SHA-256: 425c0a8db0808ecf8fc1b8ffef665137e9add6a87f8cb9326b13137c18bda122 |
| httpd-debuginfo-2.2.26-41.ep6.el6.x86_64.rpm | SHA-256: c1e44052a3978e3fb9ba8eabbc08481e7cea4f9e4bbc249c30db023b6ca7e381 |
| httpd-devel-2.2.26-41.ep6.el6.x86_64.rpm | SHA-256: 1d59f42a694a87506111da706dc57ff749d016578ea3696065ac7468751114be |
| httpd-manual-2.2.26-41.ep6.el6.x86_64.rpm | SHA-256: 642dea55128205a19d7ef42ec22d0b5ec56a6f71fa8753a78c951028ab4c8a84 |
| httpd-tools-2.2.26-41.ep6.el6.x86_64.rpm | SHA-256: e279a65c38387676c7ea9481c1a417b84625c7c23cc4203696ec81ecfdfbbea2 |
| mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el6.x86_64.rpm | SHA-256: 1836f8426f64ca88114b95b463062a75e58652efea23148944340d2fd5419c05 |
| mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el6.x86_64.rpm | SHA-256: c96ef5ec74fa11d2a9ef5cd5108f1628f1834705ba2ecd8f6ba461c58eddcebf |
| mod_ssl-2.2.26-41.ep6.el6.x86_64.rpm | SHA-256: 2965f0c5ab5c11c903d88fdb136ccce6d3d5632de80e5d8c70a533dc8b5063c3 |
| i386 | |
| httpd-2.2.26-41.ep6.el6.i386.rpm | SHA-256: c57e5dd009492acf8c4034078c9955c26095895a504a8378e22b426544ba3cb0 |
| httpd-debuginfo-2.2.26-41.ep6.el6.i386.rpm | SHA-256: ae4363032aefa2b7636babc55be114ce09b3822b5380c6bac04655a6ce000a86 |
| httpd-devel-2.2.26-41.ep6.el6.i386.rpm | SHA-256: 84005b3b0c644e656060dcac9a8aff12336cd674991edb905fcad829ddf0979e |
| httpd-manual-2.2.26-41.ep6.el6.i386.rpm | SHA-256: 43371f2c6ad3cf3f33a8694c7e02eca86c693094c44d1178f328ad65621ec770 |
| httpd-tools-2.2.26-41.ep6.el6.i386.rpm | SHA-256: b2eacba685d14871b8e04fc9ea5adca8d4f1c24693cddc57582bfa6254d17132 |
| mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el6.i386.rpm | SHA-256: 1ebf3e6e7742cfd5cc9915e3ff751358e85056a5ef691cbbdaa875f615954028 |
| mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el6.i386.rpm | SHA-256: 1ea3cb93afef9ad6afaf4120ec5ecf5b34c8811c844edf26e19d6367e7c5ba9b |
| mod_ssl-2.2.26-41.ep6.el6.i386.rpm | SHA-256: 43e0ab229cd39a3d490c2cf56dbf82b86d18afedeaefde7ea39793bcc295cf36 |
JBoss Enterprise Web Server 2 for RHEL 5
| SRPM | |
|---|---|
| httpd-2.2.26-41.ep6.el5.src.rpm | SHA-256: 4d9a1bf47bd7830ceb4a53832b1b16d6b988c5e709b0af5820ae0e22476fa34b |
| mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el5.src.rpm | SHA-256: 4e2c220ab3a0968f05c5a20b765596b3a3d96488cb50d4bbe1281b83b78e83a6 |
| x86_64 | |
| httpd-2.2.26-41.ep6.el5.x86_64.rpm | SHA-256: 1457f7d785ab13b35438aba35a416763726c4c8c5c67b46d7ae6762d91a42383 |
| httpd-devel-2.2.26-41.ep6.el5.x86_64.rpm | SHA-256: b2a1d02b5793c76f1f70507d500641a914eb66bbf2cc3b53998002f3615e386b |
| httpd-manual-2.2.26-41.ep6.el5.x86_64.rpm | SHA-256: 2595c0d52fe20a1099bec064ac732f151b111c4018588c370b39e4c1b8336ef4 |
| httpd-tools-2.2.26-41.ep6.el5.x86_64.rpm | SHA-256: 0ae677d7245c5a16701ecee9ffa9a9923586a0f535bfa409f0957e2c9ce5ff16 |
| mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el5.x86_64.rpm | SHA-256: 2839375539918d327f42c4eb34e957d22bf2652fc76501ddd2e97f46e7171b72 |
| mod_ssl-2.2.26-41.ep6.el5.x86_64.rpm | SHA-256: 50fe3cd121fa40d12bfddf3dc625e763386c5af2c710822e3ef7ad266a89d9f5 |
| i386 | |
| httpd-2.2.26-41.ep6.el5.i386.rpm | SHA-256: 6f28ba9de89e8ed93b23372a3aa10ddb8317b772dedb64e226353647eed3b395 |
| httpd-devel-2.2.26-41.ep6.el5.i386.rpm | SHA-256: f49a3056fdf65c743a0faa1df69cc291bb5e066d22b4a2ce944c356fa4915f94 |
| httpd-manual-2.2.26-41.ep6.el5.i386.rpm | SHA-256: 3d8d2912851fb4f46eaba440036afd03e96d5fffd0d9dda1aa514990253fdc25 |
| httpd-tools-2.2.26-41.ep6.el5.i386.rpm | SHA-256: 5f249d7f01fe2f25475259fec9d98b07f5b7466475ec4a8b83af5eb96d1c07fe |
| mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el5.i386.rpm | SHA-256: 6d0d2972aeec878bfe9b6ef949407aa27a93c1b50a2df97e68acb45bb11934c2 |
| mod_ssl-2.2.26-41.ep6.el5.i386.rpm | SHA-256: 60690c4a1e8d4826ca7fd8ca877def6958e6cdc4117fdb404b1e319f7592a8e8 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.