-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd and httpd22 security update
Advisory ID:       RHSA-2016:0061-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0061.html
Issue date:        2016-01-21
CVE Names:         CVE-2013-5704 CVE-2015-3183
=====================================================================

1. Summary:

Updated httpd and httpd22 packages that fix two security issues are now
available for Red Hat JBoss Web Server 2.1.0 for Red Hat Enterprise Linux
5, 6, and 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available from the CVE links in the
References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 2 for RHEL 5 Server - i386, x86_64
Red Hat JBoss Web Server 2 for RHEL 6 Server - i386, x86_64
Red Hat JBoss Web Server 2 for RHEL 7 Server - x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use these
flaws to create a specially crafted request, which httpd would decode
differently from an HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could use
Trailer headers to set additional HTTP headers after header processing was
performed by other modules. This could, for example, lead to a bypass of
header restrictions defined with mod_headers. (CVE-2013-5704)

Users of httpd or httpd22 are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After installing the
updated packages, the httpd or httpd22 service must be restarted manually
for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser

6. Package List:

Red Hat JBoss Web Server 2 for RHEL 5 Server:

Source:
httpd-2.2.26-41.ep6.el5.src.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el5.src.rpm

i386:
httpd-2.2.26-41.ep6.el5.i386.rpm
httpd-debuginfo-2.2.26-41.ep6.el5.i386.rpm
httpd-devel-2.2.26-41.ep6.el5.i386.rpm
httpd-manual-2.2.26-41.ep6.el5.i386.rpm
httpd-tools-2.2.26-41.ep6.el5.i386.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el5.i386.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el5.i386.rpm
mod_ssl-2.2.26-41.ep6.el5.i386.rpm

x86_64:
httpd-2.2.26-41.ep6.el5.x86_64.rpm
httpd-debuginfo-2.2.26-41.ep6.el5.x86_64.rpm
httpd-devel-2.2.26-41.ep6.el5.x86_64.rpm
httpd-manual-2.2.26-41.ep6.el5.x86_64.rpm
httpd-tools-2.2.26-41.ep6.el5.x86_64.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el5.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el5.x86_64.rpm
mod_ssl-2.2.26-41.ep6.el5.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 6 Server:

Source:
httpd-2.2.26-41.ep6.el6.src.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el6.src.rpm

i386:
httpd-2.2.26-41.ep6.el6.i386.rpm
httpd-debuginfo-2.2.26-41.ep6.el6.i386.rpm
httpd-devel-2.2.26-41.ep6.el6.i386.rpm
httpd-manual-2.2.26-41.ep6.el6.i386.rpm
httpd-tools-2.2.26-41.ep6.el6.i386.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el6.i386.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el6.i386.rpm
mod_ssl-2.2.26-41.ep6.el6.i386.rpm

x86_64:
httpd-2.2.26-41.ep6.el6.x86_64.rpm
httpd-debuginfo-2.2.26-41.ep6.el6.x86_64.rpm
httpd-devel-2.2.26-41.ep6.el6.x86_64.rpm
httpd-manual-2.2.26-41.ep6.el6.x86_64.rpm
httpd-tools-2.2.26-41.ep6.el6.x86_64.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el6.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el6.x86_64.rpm
mod_ssl-2.2.26-41.ep6.el6.x86_64.rpm

Red Hat JBoss Web Server 2 for RHEL 7 Server:

Source:
httpd22-2.2.26-42.ep6.el7.src.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el7.src.rpm

x86_64:
httpd22-2.2.26-42.ep6.el7.x86_64.rpm
httpd22-debuginfo-2.2.26-42.ep6.el7.x86_64.rpm
httpd22-devel-2.2.26-42.ep6.el7.x86_64.rpm
httpd22-manual-2.2.26-42.ep6.el7.x86_64.rpm
httpd22-tools-2.2.26-42.ep6.el7.x86_64.rpm
mod_cluster-native-1.2.9-6.Final_redhat_2.ep6.el7.x86_64.rpm
mod_cluster-native-debuginfo-1.2.9-6.Final_redhat_2.ep6.el7.x86_64.rpm
mod_ssl22-2.2.26-42.ep6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-5704
https://access.redhat.com/security/cve/CVE-2015-3183
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWoP+GXlSAg2UNWIIRAl+vAJ0Xcs6ZW4dyE4Po3FbTYRTnC5eibwCghna6
uwTN3stBd2AbzXGPk9SFRDI=
=n95V
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
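The two flaws in the Description section share one root cause: a chunked-body parser that accepts input a neighbouring component (a proxy, or a module that already processed the headers) interprets differently. The following is an added illustrative example, not Red Hat's or httpd's code, of a chunked decoder written to refuse such ambiguity: the chunk-size line must be bare hex digits (optionally followed by a chunk extension), a digit-count limit stops overlong sizes, nothing may follow the final chunk, trailer fields are kept apart from the request headers, undeclared trailers are discarded, and fields RFC 7230 forbids in a trailer abort decoding. The digit limit, the forbidden-field set and the sample bodies are assumptions constructed for this example.

```python
import re

# Assumption for this example: at most 8 hex digits (up to 0xFFFFFFFF) per chunk.
MAX_CHUNK_SIZE_DIGITS = 8

# Field names a sender must not place in a trailer (RFC 7230 section 4.1.2):
# message framing, routing, request modifiers, authentication, and the
# fields that describe the payload. The set below is this example's selection.
FORBIDDEN_TRAILERS = frozenset({
    "transfer-encoding", "content-length", "host", "trailer",
    "content-encoding", "content-type", "content-range",
    "authorization", "cookie", "set-cookie", "cache-control", "expect",
    "max-forwards", "te", "range", "if-match", "if-none-match",
    "if-modified-since", "if-unmodified-since", "if-range",
})

# chunk-size = 1*HEXDIG, optionally followed by a chunk-ext starting with ";".
# No sign, whitespace or "0x" prefix is accepted before the digits.
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(;[\x20-\x7e]*)?")
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class ChunkedDecodeError(ValueError):
    """Raised for any input a lenient parser might read differently."""


def _read_line(buf: bytes, pos: int):
    """Return (line without CRLF, position after the CRLF)."""
    end = buf.find(b"\r\n", pos)
    if end == -1:
        raise ChunkedDecodeError("line not terminated by CRLF")
    return buf[pos:end], end + 2


def decode_chunked(body: bytes, declared_trailers=()):
    """Strictly decode a chunked message body; return (payload, trailers).

    Trailers are returned separately and are never merged into the request
    headers. Only names listed in declared_trailers (the request's Trailer
    field) are kept; a forbidden trailer field aborts decoding.
    """
    declared = {n.lower() for n in declared_trailers}
    payload = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(body, pos)
        m = CHUNK_SIZE_LINE.fullmatch(line)
        if m is None:
            raise ChunkedDecodeError(f"malformed chunk-size line: {line!r}")
        digits = m.group(1)
        if len(digits) > MAX_CHUNK_SIZE_DIGITS:
            raise ChunkedDecodeError("chunk size has too many digits")
        size = int(digits, 16)
        if size == 0:
            break                      # last-chunk; trailer section follows
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedDecodeError("truncated chunk data")
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkedDecodeError("chunk data not followed by CRLF")
        pos += 2
        payload += chunk
    trailers = {}
    while True:
        line, pos = _read_line(body, pos)
        if line == b"":
            break                      # empty line ends the trailer section
        name, sep, value = line.partition(b":")
        if not sep or TOKEN.fullmatch(name) is None:
            raise ChunkedDecodeError(f"malformed trailer field: {line!r}")
        key = name.decode("ascii").lower()
        if key in FORBIDDEN_TRAILERS:
            raise ChunkedDecodeError(f"field not allowed in trailer: {key}")
        if key in declared:
            trailers[key] = value.strip().decode("latin-1")
    if pos != len(body):
        raise ChunkedDecodeError("bytes remain after the last chunk")
    return bytes(payload), trailers


def decodes_strictly(body: bytes, declared_trailers=()) -> bool:
    """True if the body is unambiguous under the rules above."""
    try:
        decode_chunked(body, declared_trailers)
    except ChunkedDecodeError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    print(decodes_strictly(b" 4\r\nWiki\r\n0\r\n\r\n"))          # False: leading space
    print(decodes_strictly(b"0\r\nContent-Length: 5\r\n\r\n"))  # False: forbidden trailer
```

Returning the trailers as a separate value, rather than folding them into the header table, is the design point behind the CVE-2013-5704 description: a module such as mod_headers that acted on the request headers before the body was read never sees a trailer-supplied field unless the application asks for it by name.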