Bug 1358118
| Summary: | CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0] | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Web Server 2 | Reporter: | Jason Shepherd <jshepherd> |
| Component: | httpd | Assignee: | George Zaronikas <gzaronik> |
| Status: | CLOSED ERRATA | QA Contact: | fgoldefu |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 2.1.0 | CC: | csutherl, jclere, jdoyle, lakagwu, lgao, mbabacek, myarboro, pslavice, rsvoboda, twalsh, weli |
| Target Milestone: | CR01 | Keywords: | Security, SecurityTracking |
| Target Release: | 2.1.1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Release Note |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-08-22 18:10:47 UTC | Type: | Support Patch |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1353755, 1360356 | | |
Description

Jason Shepherd 2016-07-20 06:18:25 UTC

EAP 5.2:
========

HTTPD wasn't shipped with EAP 5.2. Customers had to have a subscription to EWS for httpd support. This was changed in EAP 6.4.9, when httpd became bundled. There is an httpd.dll that appears in the natives which is being investigated. Customers still using EAP 5.2 are directed to use the EWS 2.1.1 release, currently GA early August.

jclere: After some research, the httpd comes from EWS per:
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/HTTP_Connectors_Load_Balancing_Guide/ch06s02.html
but we have the ./native/bin/libhttpd.dll and I think it contains the affected code, according to the makefile; see
http://git.app.eng.bos.redhat.com/git/httpd.git/tree/NMAKElibhttpd?h=jbcs-httpd-2.4.18#n82
I don't think that the makefile ever changed since 2.0.x, so we are affected.

The investigation done with Michal/Coty shows:

1 - customer uses EWS for Apache httpd server and it has its own libhttpd.dll; we are fixing the issue in ews-2.1.1
2 - the libhttpd.dll in eap5.2 seems to be a packaging error and shouldn't be used.

We need to document those facts to prevent anyone using the libhttpd.dll of eap5.2 once we have ews-2.1.1 ready.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1353762#c50

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1650.html
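The mechanism named in the summary, a client-supplied `Proxy:` request header being turned into the `HTTP_PROXY` CGI environment variable ("httpoxy"), shown as an added Python illustration. This is not code from this bug, from EWS or from httpd itself; it models the RFC 3875 header-to-meta-variable rule that a CGI gateway applies, puts the naive mapping beside a hardened one that drops the `Proxy` header, and includes a small checker for captured requests. All function names and the sample request are constructed for this example.

```python
"""
Added example for CVE-2016-5387 (httpoxy): not code from this bug, EWS or httpd.
Models the RFC 3875 section 4.1.18 rule that a CGI gateway uses to expose
client request headers to a CGI script as HTTP_* environment variables.
"""


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875: 'HTTP_' + upper-cased header name, with '-' replaced by '_'.
    This is the rule that turns a client 'Proxy:' header into HTTP_PROXY."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def parse_headers(raw_request: bytes):
    """Split a raw HTTP/1.1 request head into (name, value) header pairs.
    The request line is skipped; the body (after the blank line) is ignored."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.strip().decode("latin-1"),
                          value.strip().decode("latin-1")))
    return pairs


def naive_cgi_env(headers, base_env=None):
    """Vulnerable mapping: every client header becomes a meta-variable, so an
    attacker's 'Proxy: http://attacker.test:8080' becomes HTTP_PROXY, which
    libcurl, Python's urllib and others honour as an outbound proxy setting
    for whatever the CGI script fetches next."""
    env = dict(base_env or {})
    for name, value in headers:
        env[cgi_meta_variable(name)] = value
    return env


def hardened_cgi_env(headers, base_env=None):
    """Mitigated mapping: the 'Proxy' header (any case) is dropped before the
    rule is applied, so HTTP_PROXY can only come from the server's own
    environment (base_env), never from the client."""
    env = dict(base_env or {})
    for name, value in headers:
        if name.strip().lower() == "proxy":
            continue
        env[cgi_meta_variable(name)] = value
    return env


def find_proxy_headers(raw_request: bytes):
    """Detection helper: return the values of any 'Proxy' header lines in a
    captured request, matched case-insensitively. An empty list means clean."""
    return [value for name, value in parse_headers(raw_request)
            if name.lower() == "proxy"]


# Constructed sample request (not from the bug report).
SAMPLE_REQUEST = (
    b"GET /cgi-bin/fetch.cgi HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Proxy: http://attacker.test:8080\r\n"
    b"User-Agent: demo\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("naive    HTTP_PROXY =", naive_cgi_env(hdrs).get("HTTP_PROXY"))
    print("hardened HTTP_PROXY =", hardened_cgi_env(hdrs).get("HTTP_PROXY"))
    print("Proxy headers seen  =", find_proxy_headers(SAMPLE_REQUEST))
```

For httpd itself the equivalent of `hardened_cgi_env` is the mitigation Apache published for this CVE: strip the header before it reaches CGI, FastCGI or mod_proxy-backed applications with mod_headers, `RequestHeader unset Proxy early`, in addition to applying the vendor errata. The `Proxy` header has no legitimate client use, so logging or alerting on any request that `find_proxy_headers` flags is a cheap detection.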