mod_proxy_ajp did not correctly process certain malformed HTTP requests, which could cause it to incorrectly put a backend server into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in a temporary denial of service.

Upstream commit: http://svn.apache.org/viewvc?view=revision&revision=1166551
Reference: http://community.jboss.org/message/625307
(In reply to comment #0)
> Upstream commit:
> http://svn.apache.org/viewvc?view=revision&revision=1166551

Replaced by: http://svn.apache.org/viewvc?view=revision&revision=1166657
Public now via upstream httpd release 2.2.21:
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21
http://www.apache.org/dist/httpd/CHANGES_2.2.21
http://mail-archives.apache.org/mod_mbox/httpd-announce/201109.mbox/%3C4E704A90.2000200@apache.org%3E
Statement: This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 4 and 5, as this flaw was introduced in version 2.2.12.
External References: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:1391 https://rhn.redhat.com/errata/RHSA-2011-1391.html
This issue has been addressed in the following products:

JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:0543 https://rhn.redhat.com/errata/RHSA-2012-0543.html
This issue has been addressed in the following products:

JBEWS 1.0 for RHEL 5
JBEWS 1.0 for RHEL 6

Via RHSA-2012:0542 https://rhn.redhat.com/errata/RHSA-2012-0542.html