htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allow local users to overwrite arbitrary files via a symlink attack.
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Enterprise Web Server 2
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
It's hard to see from the description, but I'm guessing this is about unsafe temp file creation in e.g.:
This will not affect any httpd 2.x release, which uses APR's safe temp file creation based off mkstemp().
Here is the equivalent code in 2.2:
All versions of the httpd package shipped with Red Hat products use APR's safe temp file creation and are therefore not affected by this flaw.
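
The contrast between a predictable temp file name and mkstemp()-style creation, as an added example that is not code from httpd, APR or this bug report. The file names, the scratch directory and the helper functions are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: predictable name + plain truncating open, which follows a symlink. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}
/* Safe: mkstemp() picks a unique name and opens it with O_CREAT|O_EXCL. */
static int open_tmp_safe(const char *dir, char *out, size_t outlen) {
    if ((size_t)snprintf(out, outlen, "%s/htpasswd.tmp.XXXXXX", dir) >= outlen) return -1;
    return mkstemp(out);
}

static int put(const char *path, const char *s) {   /* (re)create a small file */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed scenario in a private scratch dir; names are illustrative only.
 * Bitmask: 1 = unsafe open emptied the symlink's target, 2 = O_EXCL refused
 * the symlink, 4 = mkstemp() made a fresh regular file, target kept 5 bytes. */
int demo(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", target[64], fixed[64], safe[64];
    struct stat st;
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/important", dir);
    snprintf(fixed, sizeof fixed, "%s/htpasswd.tmp", dir);
    if (put(target, "data\n") || symlink(target, fixed)) return -1;
    if ((fd = open_tmp_unsafe(fixed)) < 0) return -1;
    close(fd);
    if (stat(target, &st) == 0 && st.st_size == 0) result |= 1;
    if (put(target, "data\n")) return -1;            /* restore the target */
    if (open(fixed, O_WRONLY | O_CREAT | O_EXCL, 0600) < 0 && errno == EEXIST) result |= 2;
    if ((fd = open_tmp_safe(dir, safe, sizeof safe)) < 0) return -1;
    close(fd);
    if (stat(target, &st) == 0 && st.st_size == 5 && lstat(safe, &st) == 0 && S_ISREG(st.st_mode)) result |= 4;
    unlink(safe); unlink(fixed); unlink(target); rmdir(dir);
    return result;
}
```

`demo()` returns 7 when all three observations hold: the truncating open destroyed the symlink's target, `O_EXCL` refused the pre-existing symlink with `EEXIST`, and `mkstemp()` produced a new regular file without touching the target.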