Red Hat Security Advisory 2016-2056-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release includes bug fixes and enhancements, as well as a new release of OpenSSL that addresses a number of outstanding security flaws. For further information, see the knowledge base article linked to in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. Multiple security issues have been addressed.
ea553c08860849009667df96d4bb4ac9f9ed5393a7a1d6d2528f751f1ce0f397
Red Hat Security Advisory 2016-2055-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release includes bug fixes and enhancements, as well as a new release of OpenSSL that addresses a number of outstanding security flaws. For further information, see the knowledge base article linked to in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
a7b2eb5a9c12ee9bc53605cee9a680c2b81ac5bb1418a9f70a03df56e04036ad
Red Hat Security Advisory 2016-2054-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release includes bug fixes and enhancements, as well as a new release of OpenSSL that addresses a number of outstanding security flaws. For further information, see the knowledge base article linked to in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
982c4a7bfd70d24e72be40bff675e274e81f1aba2542d3e8c93db025c8315296
Gentoo Linux Security Advisory 201610-2 - Multiple vulnerabilities have been found in Apache, the worst of which could allow HTTP request smuggling attacks or a Denial of Service condition. Versions less than 2.4.23 are affected.
f52938e600b9ac39ca2ead14c607d873649a2281cb33d93efd4e5d0973d35baf
Red Hat Security Advisory 2016-0062-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.
1636a44af0501528e041cd74d9e0faab81917561cfbed4a1bef6268292d7e47c
Red Hat Security Advisory 2016-0061-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.
24a856d50a46db75a2b42715c16401c84cab00721d784dc0aaf04982e3864f7b
HPE Security Bulletin HPSBUX03435 SSRT102977 1 - Potential security vulnerabilities have been identified with HP-UX Web Server Suite running Apache on HP-UX 11iv3. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other impacts including: The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Apache does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters. Revision 1 of this advisory.
918b77ebec19829d1b59175aae0a8ee89dbdd934b71e72c94b5d47c034841f94
Red Hat Security Advisory 2015-2661-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server.
cf1a4249c4f08aac42a4d15cf5cb14bcad7304449de1390dcbf1127a209baab1
Red Hat Security Advisory 2015-2660-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server.
66e05ca1b341f7d3c1b9cca1e65d11a6cababeedfb7b575eef78359569661f63
Red Hat Security Advisory 2015-2659-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server.
4c1a70a35cd943eaffc8cf30bea91ac0cda719d92d0f834d27138d3c8ca550ef
HPE Security Bulletin HPSBUX03512 SSRT102254 1 - Potential security vulnerabilities have been identified with HP-UX Web Server Suite running Apache. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other impacts including.. - The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.
18b317e7f0098c34b8f49719b2e63ed788cd23d93ced85911b489c5da5329541
Apple Security Advisory 2015-09-16-4 - OS X Server 5.0.3 is now available and addresses denial of service, code execution, and various other vulnerabilities.
8254c8d55f2667e65687c75dc0e4ebbbd127b907729adba11b4a141d12fc30b2
Red Hat Security Advisory 2015-1666-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.
0f0af590cf4c621e7c0a3e37a8fe52a41b798cb1d1718c319834d751b885ed27
Red Hat Security Advisory 2015-1667-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.
cc995bdec6db74fa4bd9ed6a37fcb3a2d131bada36289012607e855214d38823
Red Hat Security Advisory 2015-1668-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. All httpd users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd service will be restarted automatically.
9dd5f07e7506c6bdca39972af899a077f6c01994adbef396b1168dfcf44aceb8
Debian Linux Security Advisory 3325-2 - The security update from DSA-3325-1 caused a regression for the oldstable distribution (wheezy). In some configurations, apache2 would fail to start with a spurious error message about the certificate chain. This update fixes this problem.
fd4d8ea6fb703a779ebd203d0b03250043668ae38cf071ff46e94eebb23692e2
Debian Linux Security Advisory 3325-1 - Several vulnerabilities have been found in the Apache HTTPD server.
7eb41d5e0dde8b13a8166433bf5d89842f644f90dca24040daea5c78a82cd56d
Ubuntu Security Notice 2686-1 - It was discovered that the Apache HTTP Server incorrectly parsed chunk headers. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks. It was discovered that the Apache HTTP Server incorrectly handled the ap_some_auth_required API. A remote attacker could possibly use this issue to bypass intended access restrictions. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. Various other issues were also addressed.
3c6254fd60e8dfa90b9d54b8281fd49cf2896d7495e64eaffb88a8ceccf7aed2
Slackware Security Advisory - New httpd packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
36799e7bd8fbb814ff99012997a8e5d129d9c75f98b4f4fa759d4b8c20dff96f