htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack. Reference: http://www.securityfocus.com/bid/2182
This vulnerability is out of security support scope for the following product:

* Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
It's hard to see from the description, but I'm guessing this is about unsafe temp file creation in e.g.:
https://github.com/apache/httpd/blob/1.3.x/src/support/htpasswd.c#L525
This will not affect any httpd 2.x release, which uses APR's safe temp file creation based off mkstemp().
Here is the equivalent code in 2.2:
https://github.com/apache/httpd/blob/2.2.x/support/htdigest.c#L239
https://github.com/apache/httpd/blob/2.2.x/support/htpasswd.c#L565
Statement: All versions of the httpd package shipped with Red Hat products use APR's safe temp file creation and are therefore not affected by this flaw.
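The property that mkstemp()-based temp file creation relies on, shown as an added example (not code from httpd or APR): the file is created under an unpredictable name with an exclusive open, so a symlink planted in advance is refused rather than followed. The function names and the /tmp scratch paths are hypothetical, and a POSIX system with a writable /tmp is assumed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* mkstemp()-style creation: tmpl must end in "XXXXXX" and is rewritten with
 * the chosen name. The name is unpredictable and the file is opened with
 * O_CREAT|O_EXCL, so a pre-planted symlink is never followed.
 * Returns an open fd, or -1 on failure. */
int make_private_temp(char *tmpl)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* Defence in depth: regular file, single link, no group/other access. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink already sits at a predictable temp name.
 * Returns 0 if an exclusive open is refused with EEXIST and the link's
 * target is never created, 1 if the link was followed, -1 on setup error. */
int symlink_refused(void)
{
    char dir[] = "/tmp/tmpdemo-XXXXXX";   /* scratch dir, assumed location */
    char target[64], linkp[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(linkp, sizeof linkp, "%s/predictable.tmp", dir);
    if (symlink(target, linkp) != 0) { rmdir(dir); return -1; }
    int fd = open(linkp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    int followed = (stat(target, &st) == 0);
    unlink(linkp); unlink(target); rmdir(dir);
    return (refused && !followed) ? 0 : 1;
}
```

The caller of make_private_temp() owns the returned descriptor and the rewritten name, and should write through the descriptor rather than reopening the path.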