ELSA-2016-1422

Published: 18 Jul 2016
Source: oracle-oval
Platform: Oracle Linux 7

Description

ELSA-2016-1422: httpd security and bug fix update (IMPORTANT)

[2.4.6-40.0.1.4]

  • replace index.html with Oracle's index page oracle_index.html

[2.4.6-40.4]

  • add security fix for CVE-2016-5387

[2.4.6-40.3]

  • add 451 (Unavailable For Legal Reasons) response status-code (#1353269)

[2.4.6-40.2]

  • mod_cache: treat cache as valid with changed Expires in 304 (#1347648)

Updated packages

Oracle Linux 7

Oracle Linux x86_64

  • httpd: 2.4.6-40.0.1.el7_2.4
  • httpd-devel: 2.4.6-40.0.1.el7_2.4
  • httpd-manual: 2.4.6-40.0.1.el7_2.4
  • httpd-tools: 2.4.6-40.0.1.el7_2.4
  • mod_ldap: 2.4.6-40.0.1.el7_2.4
  • mod_proxy_html: 2.4.6-40.0.1.el7_2.4
  • mod_session: 2.4.6-40.0.1.el7_2.4
  • mod_ssl: 2.4.6-40.0.1.el7_2.4

Related CVEs

Related vulnerabilities

CVSS3: 8.1
ubuntu
about 9 years ago

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

CVSS3: 5
redhat
about 9 years ago

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

CVSS3: 8.1
nvd
about 9 years ago

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

CVSS3: 8.1
debian
about 9 years ago

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 ...

suse-cvrf
about 9 years ago

Security update for apache2