jbews-2.1.0 tracking bug for httpd: see blocks bug list for full details of the security issue(s). This bug is never intended to be made public, please put any public notes in the blocked bugs. [bug automatically created by: add-tracking-bugs]
EAP 5.2:
========
HTTPD wasn't shipped with EAP 5.2. Customers had to have a subscription to EWS for httpd support. This was changed in EAP 6.4.9 when httpd became bundled. There is a httpd.dll that appears in the natives which is being investigated. Customers still using EAP 5.2 are directed to use the EWS 2.1.1 release currently GA early August.

jclere:
After some research, the httpd comes from EWS per: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/HTTP_Connectors_Load_Balancing_Guide/ch06s02.html but we have the ./native/bin/libhttpd.dll and I think it contains the affected code, according to the makefile, see http://git.app.eng.bos.redhat.com/git/httpd.git/tree/NMAKElibhttpd?h=jbcs-httpd-2.4.18#n82
I don't think that the makefile ever changed since 2.0.x, so we are affected.

The investigation done with Michal/Coty shows:
1 - customer uses EWS for Apache httpd server and it has its own libhttpd.dll; we are fixing the issue in ews-2.1.1
2 - the libhttpd.dll in eap5.2 seems to be a packaging error and shouldn't be used.

We need to document those facts to prevent anyone using the libhttpd.dll of eap5.2 once we have ews-2.1.1 ready.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1353762#c50
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-1650.html