Description
Security update for apache2-mod_fcgid
This update for apache2-mod_fcgid fixes the following issues:
- It used to be possible to set an arbitrary $HTTP_PROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request (CVE-2016-1000104). As a result, these server components would potentially direct all their outgoing HTTP traffic through a malicious proxy server. This patch fixes the issue: the updated Apache server ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes (unless a value has been explicitly configured by the administrator in the configuration file). (bsc#988492)
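The behaviour change described above, as an added example that is not mod_fcgid's code or part of the SUSE advisory: a simplified model of how a gateway derives a handler's environment from request headers, before and after the update. The function names, the `Proxy` request header as the trigger, and all sample values are assumptions made for illustration.

```python
# Simplified model of how a CGI/FastCGI gateway builds a handler's environment.
# Not mod_fcgid source; names and sample values are constructed for illustration.

def header_to_env_name(name):
    """RFC 3875 meta-variable name: 'User-Agent' -> 'HTTP_USER_AGENT'."""
    return "HTTP_" + name.upper().replace("-", "_")

def build_handler_env(request_headers, admin_env=None, patched=True):
    """Return the environment handed to the request handler.

    patched=False: every request header is exported, so a client-supplied
                   'Proxy' header lands in HTTP_PROXY (pre-update behaviour).
    patched=True:  any header mapping to HTTP_PROXY is ignored; the variable
                   exists only if the administrator configured it.
    """
    env = {}
    for name, value in request_headers.items():
        var = header_to_env_name(name)
        if patched and var == "HTTP_PROXY":
            continue  # client input must never define the proxy variable
        env[var] = value
    # Administrator-configured variables are trusted and applied last.
    env.update(admin_env or {})
    return env

# Constructed request: the 'Proxy' header is client-controlled input.
SAMPLE_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "curl/7.0",
    "Proxy": "http://untrusted.example.invalid:3128",
}
ADMIN_ENV = {"HTTP_PROXY": "http://egress.example.test:3128"}  # constructed

if __name__ == "__main__":
    for patched in (False, True):
        env = build_handler_env(SAMPLE_HEADERS, patched=patched)
        print("patched" if patched else "unpatched", "->", env.get("HTTP_PROXY"))
    print("admin-set ->", build_handler_env(SAMPLE_HEADERS, ADMIN_ENV)["HTTP_PROXY"])
```
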
Package list
SUSE Linux Enterprise Software Development Kit 11 SP4
apache2-mod_fcgid-2.2-31.29.1
References
- Link for SUSE-SU-2016:1820-1
- E-Mail link for SUSE-SU-2016:1820-1
- SUSE Security Ratings
- SUSE Bug 988492
- SUSE CVE CVE-2016-1000104 page
Description
A security bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07.
Affected products
SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-mod_fcgid-2.2-31.29.1
References
- CVE-2016-1000104
- SUSE Bug 988486
- SUSE Bug 988487
- SUSE Bug 988488
- SUSE Bug 988489
- SUSE Bug 988491
- SUSE Bug 988492
- SUSE Bug 989174