Rapid7 Vulnerability & Exploit Database

RHSA-2008:0966: Red Hat Application Stack v2.2 security and enhancement update

Back to Search

RHSA-2008:0966: Red Hat Application Stack v2.2 security and enhancement update



Red Hat Application Stack v2.2 is now available. This update fixes several security issues and adds various enhancements. This update has been rated as having moderate security impact by the Red Hat Security Response Team. [Updated 11th December 2008] This erratum has been updated to correct a typo in the version number of the Apache HTTP server packages mentioned in the erratum description. The proper version of the Apache HTTP server packages shipped with this erratum is 2.2.10. No changes have been made to the packages.

The Red Hat Application Stack v2.2 is an integrated open source application stack, that includes Red Hat Enterprise Linux 5 and JBoss Enterprise Application Platform (EAP) 4.2. This erratum updates the Apache HTTP Server package to version 2.2.10 which addresses the following security issues: A flaw was found in the mod_proxy module. An attacker who has control of a web server to which requests are being proxied could cause a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364) A flaw was found in the mod_proxy_ftp module. Where Apache is configured to support ftp-over-httpd proxying, a remote attacker could perform a cross-site scripting attack. (CVE-2008-2939) A cross-site request forgery issue was found in the mod_proxy_balancer module. A remote attacker could cause a denial of service if mod_proxy_balancer is enabled and an authenticated user is targeted. (CVE-2007-6420) The JBoss Enterprise Application Platform (EAP) 4.2 has been updated to version 4.2.0.CP05. The following packages were also updated: * mysql to 5.0.60sp1 * mysql-connector-odbc to 3.51.26r1127 * perl-DBI to 1.607 * perl-DBD-MySQL to 4.008 * perl-DBD-Pg to 1.49 * php-pear to 1.7.2 * postgresql to 8.2.11 * postgresqlclient81 to 8.1.11


  • redhat-upgrade-httpd
  • redhat-upgrade-httpd-devel
  • redhat-upgrade-httpd-manual
  • redhat-upgrade-mod_ssl
  • redhat-upgrade-mysql
  • redhat-upgrade-mysql-bench
  • redhat-upgrade-mysql-cluster
  • redhat-upgrade-mysql-connector-odbc
  • redhat-upgrade-mysql-devel
  • redhat-upgrade-mysql-libs
  • redhat-upgrade-mysql-server
  • redhat-upgrade-mysql-test
  • redhat-upgrade-perl-dbd-mysql
  • redhat-upgrade-perl-dbd-pg
  • redhat-upgrade-perl-dbi
  • redhat-upgrade-php-pear
  • redhat-upgrade-postgresql
  • redhat-upgrade-postgresql-contrib
  • redhat-upgrade-postgresql-devel
  • redhat-upgrade-postgresql-docs
  • redhat-upgrade-postgresql-libs
  • redhat-upgrade-postgresql-plperl
  • redhat-upgrade-postgresql-plpython
  • redhat-upgrade-postgresql-pltcl
  • redhat-upgrade-postgresql-python
  • redhat-upgrade-postgresql-server
  • redhat-upgrade-postgresql-tcl
  • redhat-upgrade-postgresql-test
  • redhat-upgrade-postgresqlclient81

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center