Description
ELSA-2016-1421: httpd security update (IMPORTANT)
[2.2.3-92.0.1]
- Add the ability to read DH parameters from the (first) SSLCertificateFile (John Haxby) [orabug 21671194]
- fix mod_ssl always performing full renegotiation (Joe Jin) [orabug 12423387]
- replace index.html with Oracle's index page oracle_index.html
- update vstring and distro in specfile
[2.2.3-92]
- add security fix for CVE-2016-5387
Updated packages
Oracle Linux 6
Oracle Linux x86_64
  httpd         2.2.15-54.0.1.el6_8
  httpd-devel   2.2.15-54.0.1.el6_8
  httpd-manual  2.2.15-54.0.1.el6_8
  httpd-tools   2.2.15-54.0.1.el6_8
  mod_ssl       2.2.15-54.0.1.el6_8
Oracle Linux i686
  httpd         2.2.15-54.0.1.el6_8
  httpd-devel   2.2.15-54.0.1.el6_8
  httpd-manual  2.2.15-54.0.1.el6_8
  httpd-tools   2.2.15-54.0.1.el6_8
  mod_ssl       2.2.15-54.0.1.el6_8
Oracle Linux sparc64
  httpd         2.2.15-54.0.1.el6_8
  httpd-devel   2.2.15-54.0.1.el6_8
  httpd-manual  2.2.15-54.0.1.el6_8
  httpd-tools   2.2.15-54.0.1.el6_8
  mod_ssl       2.2.15-54.0.1.el6_8
Oracle Linux 5
Oracle Linux ia64
  httpd         2.2.3-92.0.1.el5_11
  httpd-devel   2.2.3-92.0.1.el5_11
  httpd-manual  2.2.3-92.0.1.el5_11
  mod_ssl       2.2.3-92.0.1.el5_11
Oracle Linux x86_64
  httpd         2.2.3-92.0.1.el5_11
  httpd-devel   2.2.3-92.0.1.el5_11
  httpd-manual  2.2.3-92.0.1.el5_11
  mod_ssl       2.2.3-92.0.1.el5_11
Oracle Linux i386
  httpd         2.2.3-92.0.1.el5_11
  httpd-devel   2.2.3-92.0.1.el5_11
  httpd-manual  2.2.3-92.0.1.el5_11
  mod_ssl       2.2.3-92.0.1.el5_11
Related CVEs
Related vulnerabilities
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.