-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Core Services Apache HTTP 2.4.6 Service Pack 1 security update
Advisory ID:       RHSA-2016:1625-02
Product:           Red Hat JBoss Core Services
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1625.html
Issue date:        2016-08-17
CVE Names:         CVE-2016-5387 
=====================================================================

1. Summary:

Red Hat JBoss Core Services Service Pack 1 is now available from the Red
Hat Customer Portal for Solaris and Microsoft Windows systems.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat JBoss Core Services Service Pack 1 serves as a
replacement for JBoss Core Services Apache HTTP Server.

Security Fix(es):

* It was discovered that Apache HTTP Server used the value of the Proxy
header from HTTP requests to initialize the HTTP_PROXY environment variable
for CGI scripts, which in turn was incorrectly used by certain HTTP client
implementations to configure the proxy for outgoing HTTP requests. A remote
attacker could possibly use this flaw to redirect HTTP requests performed
by a CGI script to an attacker-controlled proxy via a malicious HTTP
request. (CVE-2016-5387)

Note: After this update, Apache HTTP Server will no longer pass the value
of the Proxy request header to scripts via the HTTP_PROXY environment
variable.

Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, back up your
existing Red Hat JBoss Web Server installation (including all applications
and configuration files).

After installing the updated packages, the httpd daemon will be restarted
automatically.

4. Bugs fixed (https://bugzilla.redhat.com/):

1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header

5. References:

https://access.redhat.com/security/cve/CVE-2016-5387
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=securityPatches&version=2.4.6
https://access.redhat.com/security/vulnerabilities/httpoxy

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXtL4tXlSAg2UNWIIRArwEAJ9y6bOXAixHyIsxXAoemLeL+Sc6kACffk7q
juMwStxc+LbMEMn5wgVfs3o=
=u7ql
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce