SUSE-SU-2016:1818-1

Опубликовано: 18 июл. 2016

Источник: suse-cvrf

Описание

Security update for apache2

This update for apache2 fixes the following issues:

It used to be possible to set an arbitrary $HTTP_PROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request (CVE-2016-5387). As a result, these server components would potentially direct all their outgoing HTTP traffic through a malicious proxy server. This patch fixes the issue: the updated Apache server ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes (unless a value has been explicitly configured by the administrator in the configuration file). (bsc#988488)

Список пакетов

SUSE Linux Enterprise Server 12 SP1

apache2-2.4.16-7.1

apache2-doc-2.4.16-7.1

apache2-example-pages-2.4.16-7.1

apache2-prefork-2.4.16-7.1

apache2-utils-2.4.16-7.1

apache2-worker-2.4.16-7.1

SUSE Linux Enterprise Server for SAP Applications 12 SP1

apache2-2.4.16-7.1

apache2-doc-2.4.16-7.1

apache2-example-pages-2.4.16-7.1

apache2-prefork-2.4.16-7.1

apache2-utils-2.4.16-7.1

apache2-worker-2.4.16-7.1

SUSE Linux Enterprise Software Development Kit 12 SP1

apache2-devel-2.4.16-7.1

Ссылки

https://www.suse.com/support/update/announcement/2016/suse-su-20161818-1/
Link for SUSE-SU-2016:1818-1
https://lists.suse.com/pipermail/sle-security-updates/2016-July/002157.html
E-Mail link for SUSE-SU-2016:1818-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/988488
SUSE Bug 988488
https://www.suse.com/security/cve/CVE-2016-5387/
SUSE CVE CVE-2016-5387 page

Описание

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

Затронутые продукты

SUSE Linux Enterprise Server 12 SP1:apache2-2.4.16-7.1

SUSE Linux Enterprise Server 12 SP1:apache2-doc-2.4.16-7.1

SUSE Linux Enterprise Server 12 SP1:apache2-example-pages-2.4.16-7.1

SUSE Linux Enterprise Server 12 SP1:apache2-prefork-2.4.16-7.1

Ссылки

https://www.suse.com/security/cve/CVE-2016-5387.html
CVE-2016-5387
https://bugzilla.suse.com/988484
SUSE Bug 988484
https://bugzilla.suse.com/988486
SUSE Bug 988486
https://bugzilla.suse.com/988487
SUSE Bug 988487
https://bugzilla.suse.com/988488
SUSE Bug 988488
https://bugzilla.suse.com/988489
SUSE Bug 988489
https://bugzilla.suse.com/988491
SUSE Bug 988491
https://bugzilla.suse.com/988492
SUSE Bug 988492
https://bugzilla.suse.com/989125
SUSE Bug 989125
https://bugzilla.suse.com/989174
SUSE Bug 989174
https://bugzilla.suse.com/989684
SUSE Bug 989684

SUSE-SU-2016:1818-1

Описание

Список пакетов

SUSE Linux Enterprise Server 12 SP1

SUSE Linux Enterprise Server for SAP Applications 12 SP1

SUSE Linux Enterprise Software Development Kit 12 SP1

Ссылки

Уязвимость: CVE-2016-5387

Описание

Затронутые продукты

Ссылки