Issued: 2016-09-12
Updated: 2016-09-12

RHSA-2016:1851 - Security Advisory


Synopsis

Important: Red Hat JBoss Core Services Apache HTTP 2.4.6 Service Pack 1 security update

Type/Severity

Security Advisory: Important

Topic

Updated packages are available for Red Hat Enterprise Linux 6 and 7 that provide Red Hat JBoss Core Services Service Pack 1 fixing one security issue.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat JBoss Core Services Service Pack 1 serves as a replacement for JBoss Core Services Apache HTTP Server.

Security Fix(es):

  • It was discovered that Apache HTTP Server used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

Note: After this update, Apache HTTP Server will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.
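The name collision behind this flaw, as an added example that is not code from Red Hat or the Apache HTTP Server: CGI meta-variable naming turns a `Proxy` request header into `HTTP_PROXY`. The function names, the `pass_proxy_header` switch, the in-script scrub and the sample hosts are assumptions made for illustration.

```python
"""Added example: why a 'Proxy' request header lands in HTTP_PROXY for CGI scripts."""

def header_to_meta_variable(name):
    # CGI (RFC 3875) naming: "HTTP_" + upper-cased header name, "-" replaced by "_".
    return "HTTP_" + name.upper().replace("-", "_")

def build_cgi_env(server_env, request_headers, pass_proxy_header):
    """Model of a server preparing a CGI script's environment (hypothetical helper).

    pass_proxy_header=True  -> behaviour before the update (flaw present)
    pass_proxy_header=False -> behaviour after the update (Proxy header not passed)
    """
    env = dict(server_env)
    env["REQUEST_METHOD"] = "GET"
    for name, value in request_headers:
        if not pass_proxy_header and name.lower() == "proxy":
            continue  # the updated server drops the header before it reaches the script
        env[header_to_meta_variable(name)] = value
    return env

def outbound_proxy(env):
    # What an HTTP client that honours HTTP_PROXY would use for outgoing requests.
    return env.get("HTTP_PROXY")

def scrub_in_script(env):
    """Defence in depth inside the script: under CGI, HTTP_PROXY is request data."""
    if "REQUEST_METHOD" in env:
        env = {k: v for k, v in env.items() if k != "HTTP_PROXY"}
    return env

# Constructed sample request; both host names are placeholders.
SAMPLE_HEADERS = [("Host", "app.example.test"),
                  ("User-Agent", "sample/1.0"),
                  ("Proxy", "http://proxy.example.invalid:8080")]

if __name__ == "__main__":
    base = {"PATH": "/usr/bin"}
    before = build_cgi_env(base, SAMPLE_HEADERS, pass_proxy_header=True)
    after = build_cgi_env(base, SAMPLE_HEADERS, pass_proxy_header=False)
    print("before update:", outbound_proxy(before))
    print("after update: ", outbound_proxy(after))
    print("scrubbed:     ", outbound_proxy(scrub_in_script(before)))
```
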

Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

  • Red Hat JBoss Core Services 1 for RHEL 7 x86_64
  • Red Hat JBoss Core Services 1 for RHEL 7 ppc64
  • Red Hat JBoss Core Services 1 for RHEL 6 x86_64
  • Red Hat JBoss Core Services 1 for RHEL 6 ppc64
  • Red Hat JBoss Core Services 1 for RHEL 6 i386

Fixes

  • BZ - 1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header

CVEs

  • CVE-2016-5387

References

  • http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat JBoss Core Services 1 for RHEL 7

SRPM
jbcs-httpd24-httpd-2.4.6-77.SP1.jbcs.el7.src.rpm SHA-256: a900d65eff393cc00e79f3cad9c6bfebf0daf3f15cd56bf8c8809389fa766c47
x86_64
jbcs-httpd24-httpd-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: 1615078a6568fbe1892f3e467790f04ce9a94513de5dbad4078f2066f975bd23
jbcs-httpd24-httpd-debuginfo-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: 512063751abdabf0265815904aea83c2b7c39396f766d62d9ee88f44f0b154db
jbcs-httpd24-httpd-devel-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: 336e870271116c3e58e74f79b69def4d2929786aabd1e4bb6b6124d7a0330493
jbcs-httpd24-httpd-manual-2.4.6-77.SP1.jbcs.el7.noarch.rpm SHA-256: a568d3b99d6878f0c5b33e18f4ac5cfb95acc037538527900e6fc0563833ed86
jbcs-httpd24-httpd-src-zip-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: 4be6e26d53f8f1af566d328b6ffd073f9365646186bad692b9ebed12bb014d56
jbcs-httpd24-httpd-tools-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: 7363e1817552f533acff4b09dc7d1d99cf4d68d393b5201ac90f671222041145
jbcs-httpd24-httpd-zip-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: b07f8f2e457a6ab1e4df721015b4d147f26d5c785a2900394605e4ec7d11a8f8
jbcs-httpd24-mod_ldap-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: d20a968098a0e3bc30b68580fafdff384190bcd84a1847c04d0154ff304731e7
jbcs-httpd24-mod_proxy_html-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: 4fb5b5c1646e88d239f067b211168c5e32484b733308440271773fefbc2f0ec7
jbcs-httpd24-mod_session-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: 577854d054d2f9b56d3fd52d55ef21b0bb0140d86e2718c61d3879986fd3ada3
jbcs-httpd24-mod_ssl-2.4.6-77.SP1.jbcs.el7.x86_64.rpm SHA-256: 89df5565e3691670a54ad94b4a9ec89709995f8647337ea69889a14e757b7480
ppc64
jbcs-httpd24-httpd-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: 7e308fed628c973ad8b51cf998ad2f0ea5068014663b1bf82c4925b57355f56f
jbcs-httpd24-httpd-debuginfo-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: 917fc639e9cc09ec371276ca99d9a90537c77e64e73c9ba1cf49e0ac6cfe29bb
jbcs-httpd24-httpd-devel-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: c3b8be370b09a934ed295ead7757794a641b8833f81575468399f30e78c60a66
jbcs-httpd24-httpd-manual-2.4.6-77.SP1.jbcs.el7.noarch.rpm SHA-256: a568d3b99d6878f0c5b33e18f4ac5cfb95acc037538527900e6fc0563833ed86
jbcs-httpd24-httpd-src-zip-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: ad45d07c66ef0e98493de2995a5fc500d49301de076229423a17c9e615764f3d
jbcs-httpd24-httpd-tools-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: 59b1cdf3377e69abd0b4052a3601088f7d9fa66a2f94972d06fd5e26fa96cf55
jbcs-httpd24-httpd-zip-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: 4fe2bc1f5ccd0bcb7909e1dbe3144ba0c4a70b46c2b93013cf36af224e5e31bf
jbcs-httpd24-mod_ldap-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: 94d29f41142b8b8785f2ab84cfa59cd15491deb31689de4b9d9cd7c2c937629c
jbcs-httpd24-mod_proxy_html-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: e16a9ea936f605db60a30bcfa529fe1e1317e25ac1b51f35d8f1cbe6bf85add8
jbcs-httpd24-mod_session-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: 721ba2a66b94b8e3fad126c2dc5a6f9da13cb52367a5ba9d3486de0e65117fdd
jbcs-httpd24-mod_ssl-2.4.6-77.SP1.jbcs.el7.ppc64.rpm SHA-256: 271225723572ecdd13a532b604f69b61ccd929d5b92ea4dd83a1edf77d559c58

Red Hat JBoss Core Services 1 for RHEL 6

SRPM
jbcs-httpd24-httpd-2.4.6-77.SP1.jbcs.el6.src.rpm SHA-256: a0eb8823b64ff2c30c797322de021f65c487feafa7c29c2586a146dd455de231
x86_64
jbcs-httpd24-httpd-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: 1ec7ab216da5b76cc309b95c74c1fc05724f44f115592b91ce4b72f235e84afd
jbcs-httpd24-httpd-debuginfo-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: 8ed631d8f3e92f9fe2f2ee92430de878f080f60f11867377fb3eb8476a76b684
jbcs-httpd24-httpd-devel-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: 92941bbd8b8d5c7127923c49927a82653ca47ddc68dc2e55a8f469e159fd7cc6
jbcs-httpd24-httpd-manual-2.4.6-77.SP1.jbcs.el6.noarch.rpm SHA-256: 84ca783084e2125fe4d2bfc5c4c63a5a8dabb91b24fff25a8849389577009b01
jbcs-httpd24-httpd-src-zip-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: 71013539d9eafffacd5b62cdcd28c565142c2e64f81710f49ce329362603813d
jbcs-httpd24-httpd-tools-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: 00be52135bdb9949d3e99a70d9896fb49add461afbccfb32006952f0bcd17985
jbcs-httpd24-httpd-zip-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: c7f5b01ecaebe308b4f4e844487bafb1d21ec2c8dff2418a803def34f707f845
jbcs-httpd24-mod_ldap-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: e472f1016117e955bf793802a8e0f1713811a3b7c1d58253a5750ddec6f7162f
jbcs-httpd24-mod_proxy_html-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: 26fb8ca514e43518e494f434682bc44a2a0495eb79d2b9ea8aaee31033188a84
jbcs-httpd24-mod_session-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: fa95e2893a55b3741199be88ee06af70c38a9645ebf0c0f39b1d6ed355f27455
jbcs-httpd24-mod_ssl-2.4.6-77.SP1.jbcs.el6.x86_64.rpm SHA-256: 2fc6c198abc174d7ca31adbee6c3c8d760c2c1c337d75be82eb9130ae0541ba2
ppc64
jbcs-httpd24-httpd-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: ebbbfeadbe9805135a27fe68421ec290562d81f3a73356132aa5d7ee5a5559c5
jbcs-httpd24-httpd-debuginfo-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: 4d3ee4879b73dac8ce70e86149fd7c68f88c5641adc15a10a92977a682fd3ce2
jbcs-httpd24-httpd-devel-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: 3ce219c1a7cdfd27ab18e3843c442903eb6ac77bb2656737a6e4c33008e18f49
jbcs-httpd24-httpd-manual-2.4.6-77.SP1.jbcs.el6.noarch.rpm SHA-256: 84ca783084e2125fe4d2bfc5c4c63a5a8dabb91b24fff25a8849389577009b01
jbcs-httpd24-httpd-src-zip-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: b0aed5b635cb60646bb39b364d475fd3ed5fccf885d6fba472ed93aff406af90
jbcs-httpd24-httpd-tools-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: c2be0765491b4bb96ffb84bb734b54cd0b053a9260c20978715d929a26ce3663
jbcs-httpd24-httpd-zip-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: 9f7124b3b507487f8c625811beebb2e40a58d123acb0eb4cb31cdca79a523b38
jbcs-httpd24-mod_ldap-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: ffa096e1dab0a696f864d326f73c2bad1cd335cdf7835978a4f5c9d1e0e941aa
jbcs-httpd24-mod_proxy_html-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: 0f0deb071fadcc3ece8f0cc28f8aadcc179ec2fa5f3206b98323ac80c5c26f87
jbcs-httpd24-mod_session-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: 4d8d436b7ed38956e4f313fdd5ac3662bf08c63255fc3920952b6c72b6dffd5e
jbcs-httpd24-mod_ssl-2.4.6-77.SP1.jbcs.el6.ppc64.rpm SHA-256: b2b32e1acf6710f89e66017acf4e05cec35b1d30036bcd0e7354997df73479c7
i386
jbcs-httpd24-httpd-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: 976a4691cdc2e4ba101622519fad9052e035288fa64e8762c77d771f5cc4ef93
jbcs-httpd24-httpd-debuginfo-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: e7453a73bc5945d17834f0f3a063f7e40d251fa745b1875ad124af0d7eafc12f
jbcs-httpd24-httpd-devel-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: a64ba3dbca8cd5216808f4b093be825701898f42dc6d3edb8ab09881097c5255
jbcs-httpd24-httpd-manual-2.4.6-77.SP1.jbcs.el6.noarch.rpm SHA-256: 84ca783084e2125fe4d2bfc5c4c63a5a8dabb91b24fff25a8849389577009b01
jbcs-httpd24-httpd-src-zip-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: fb1d08a2b33a927d981ad238e2a082ec25c8a1430a72eec6fb547f02579317cd
jbcs-httpd24-httpd-tools-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: badc33a6681671c0a1eb97cdb8fc6428409dab9fa9a36452870cd9694493f2f9
jbcs-httpd24-httpd-zip-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: 8ae4e08c50ae7494b9c74532320da82313fed3c3a95aa8d2252d489685e325a5
jbcs-httpd24-mod_ldap-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: 48867b3c60ddf8d30c39f1a54452a1b1e2ccdb5f4c56cd98c97687eb4ef8891f
jbcs-httpd24-mod_proxy_html-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: 935d8eef9f408a8424ca51d8180cddbc1c59649251980b9b1b728078880de895
jbcs-httpd24-mod_session-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: 1857212a1b5bebfec213d0566776f47b2a58854487498cd780db7132ec9a1b13
jbcs-httpd24-mod_ssl-2.4.6-77.SP1.jbcs.el6.i686.rpm SHA-256: a98f1cec0f6720c8c492906cd67bf49c23c1611fa2e5f6b893f9c9a8f8c8e7d8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
