Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2018:2554-1

Опубликовано: 30 авг. 2018
Источник: suse-cvrf

Описание

Security update for apache2

This update for apache2 fixes the following issues:

Security issues fixed:

  • CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715)
  • CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the 'Location' or other outbound header key or value. (bsc#1104826)

Список пакетов

SUSE Linux Enterprise Server 12 SP1-LTSS
apache2-2.4.16-20.19.1
apache2-doc-2.4.16-20.19.1
apache2-example-pages-2.4.16-20.19.1
apache2-prefork-2.4.16-20.19.1
apache2-utils-2.4.16-20.19.1
apache2-worker-2.4.16-20.19.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
apache2-2.4.16-20.19.1
apache2-doc-2.4.16-20.19.1
apache2-example-pages-2.4.16-20.19.1
apache2-prefork-2.4.16-20.19.1
apache2-utils-2.4.16-20.19.1
apache2-worker-2.4.16-20.19.1

Ссылки

Описание

Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).

Затронутые продукты
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-2.4.16-20.19.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-doc-2.4.16-20.19.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-example-pages-2.4.16-20.19.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-prefork-2.4.16-20.19.1
Ссылки

Описание

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-2.4.16-20.19.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-doc-2.4.16-20.19.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-example-pages-2.4.16-20.19.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-prefork-2.4.16-20.19.1
Ссылки
Уязвимость SUSE-SU-2018:2554-1