Issued:: 2007-05-30
Updated:: 2007-05-30

RHSA-2007:0380 - Important: mod_jk security update

Synopsis

Important: mod_jk security update

Type/Severity

Security Advisory Important

Topic

Updated mod_jk packages that fix a security issue are now available for Red Hat Application Server.

This update has been rated as having Important security impact by the Red Hat Security Response Team.

Description

mod_jk is a Tomcat connector that can be used to communicate between Tomcat and the Apache HTTP Server 2.

Versions of mod_jk before 1.2.23 decoded request URLs by default inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content (CVE-2007-1860).

Users of mod_jk should upgrade to these updated packages, which address this issue by changing the default so mod_jk forwards the original unchanged request URL to Tomcat.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

Affected Products

Product	Version	Arch
Red Hat Application Server v.2	2	x86_64
Red Hat Application Server v.2	2	ppc
Red Hat Application Server v.2	2	ia64
Red Hat Application Server v.2	2	i386

Updated Packages

mod_jk-manual-1.2.20-1jpp_2rh.x86_64.rpm
mod_jk-manual-1.2.20-1jpp_2rh.i386.rpm
mod_jk-ap20-1.2.20-1jpp_2rh.ppc.rpm
mod_jk-manual-1.2.20-1jpp_2rh.ia64.rpm
mod_jk-ap20-1.2.20-1jpp_2rh.i386.rpm
mod_jk-manual-1.2.20-1jpp_2rh.ppc.rpm
mod_jk-ap20-1.2.20-1jpp_2rh.x86_64.rpm
mod_jk-ap20-1.2.20-1jpp_2rh.ia64.rpm

Fixes

This content is not included.BZ - 237656

CVEs

CVE-2007-1860

References

http://www.redhat.com/security/updates/classification/#important

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.