3. Changes and Resolved Issues

httpd

1182341 - httpd22 service is not enabling the right MPM

Prior to JBoss Web Server 2.1.1, it was not possible to use the worker MPM. This is because the systemd unit explicitly called the httpd prefork binary. This is resolved by updating the systemd unit so that it uses the HTTPD variable defined in the sysconfig file, or prefork, by default.

1292824 - httpd22: rpm scripts act on httpd.service rather than httpd22.service

httpd22 package for EL7 provides a service file named httpd22.service. The rpm scripts are now updated to use that name and not to use httpd.service

httpd,openssl,tomcat-native

1342073 - Upgrade openssl from 0.9.8 to 1.0.2h

Added support of TLSv1.2 and new ciphers. This is because openssl 0.9.8 is end of life and no longer supported. SSLv2 and SSLv3 and some unsafe ciphers have been removed.

1358118 CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]

1338646 CVE-2016-3110 CVE-2016-3110 mod_cluster: remotely Segfault Apache http server

1337151 CVE-2016-2105 CVE-2016-2105 openssl: EVP_EncodeUpdate overflow [jbews-2.1.0]

1337155 CVE-2016-2106 CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0]

1182872 CVE-2014-3570 CVE-2014-3570 CVE-2015-0204 openssl: various flaws [jbews-2.1.0]

1305629 CVE-2014-0226 httpd: changelog typo for previous release notes relative to CVE-2014-0226

1219591 - /var/run/httpd22 file is deleted after reboot

Prior to EWS 2.1.1, when a rhel-7 server reboots the /var/run/httpd22 file was deleted and it was not possible to start the httpd22 service again. This was resolved by adding the directory to the system’s tmpfiles.d configuration so that the system recreates the directory after every reboot.

1305580 - httpd supplied jb-ews-2-for-rhel-6-server-rpms deplist is missing apr-util-ldap

Included a sub-package that contains the ldap dependency. apr-util-ldap is in an optional RHEL7 channel, therefore the new sub-package is added, customers using ldap authentication need to install it with the dependency.

1251796 - Need 2048-bit DH support for JWS HTTPD

OpenSSL is updated to version 1.0.2h allowing to append newly generated DH_PARAM key to default certification file localhost.crt.

After installing httpd and running .postinstall script use few more commands to extend default certification file if needed. Run openssl provided by zip/rpm package with <path_to_provided_openssl_folder>/openssl dhparam -out dh_2048.pem 2048 for generating DH_PARAM with 2048-bit key. Append the content of dh_2048.pem to localhost.crt created by .postinstall script. httpd/conf.d/ssl.conf should show the destination of file. Now, start the httpd server.

The server starts with extended Server Temp Key: DH, 2048 bits. You can verify it by running <path_to_provided_openssl_folder>/openssl s_client -connect localhost:443 -cipher DHE-RSA-AES256-GCM-SHA384.

1342071 - Upgrade mod_jk to 1.2.41

Previously in JBoss Enterprise Web Server, an outdated version of mod_jk was included in the product. This is now fixed in JBoss Enterprise Web Server 2.1 by including mod_jk version 1.2.41, which incorporates the required miscellaneous bug fixes into the product.

httpd,mod_cluster

1309598 - ProxyErrorOverride On disables workers when a 50x error code is returned by the backend server

When a VirtualHost uses ProxyPass to proxy traffic, the backend uses ProxyErrorOverride to host custom error pages on the Apache httpd side. When the backend replies with a 50x error code mod_proxy/mod_cluster marks that worker as down, breaking the session stickiness. This issue is fixed.

1339966 - upgrade mod_cluster native to 1.2.13.Final

Previously in JBoss Enterprise Web Server, an outdated version of mod_jk was included in the product. This is now fixed in JBoss Enterprise Web Server 2.1 by including mod_jk version 1.2.41 is included which incorporates the required miscellaneous bug fixes into the product.

1342074 - Upgrade mod_cluster from 1.2.12.Final to 1.2.13.Final

Previously in JBoss Enterprise Web Server, an outdated version of mod_cluster was included in the product. This is now fixed in JBoss Enterprise Web Server 2.1 by including mod_cluster version 1.2.13 is included, which incorporates the required miscellaneous bug fixes into the product.

mod_jk

1328231 - mod_jk Segmentation fault when trying to resolve unknown host

mod_cluster

1338642 - mod_cluster undersizes the connection pool

The connection pool was undersized causing the ping to fail when all connections of the pool were used. Causing the following error message: [error] (70007)The timeout specified has expired: proxy: ajp: failed to acquire connection for …​

This is fixed to increase the connection to ThreadsPerChild+1.

1340958 - UpperCase Alias never matches any context

The worker virtual host aliases were treated as case-sensitive. So, one FQDN used as an alias, typed once upper case and once lower case were treated as two different aliases. This issue is fixed in this release. All aliases are converted to lower case. For example, EXAMPLE.COM or example.com, alias is handled as the same alias.

mod_cluster

1338644 - Add JVMRoute or node identifier to httpd/mod_cluster errors

Mod_cluster error messages used to state merely the fact that an error occurred. With this patch, the offending worker’s JVMRoute is printed in the log so as it is easier for user to determine the cause of the problem.

1338641 - StickySessions does not work for ProxyPass from unenabled context

The StickySessions works for ProxyPass from unenabled context. This has been fixed in this release.