Description
Security update for apache2
This update for apache2 fixes the following issues:
- It used to be possible to set an arbitrary $HTTP_PROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request (CVE-2016-5387). As a result, these server components would potentially direct all their outgoing HTTP traffic through a malicious proxy server. This patch fixes the issue: the updated Apache server ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes (unless a value has been explicitly configured by the administrator in the configuration file). (bsc#988488)
This update was imported from the SUSE:SLE-12-SP1:Update update project.
Package list
openSUSE Leap 42.1
apache2-2.4.16-12.1
apache2-devel-2.4.16-12.1
apache2-doc-2.4.16-12.1
apache2-event-2.4.16-12.1
apache2-example-pages-2.4.16-12.1
apache2-prefork-2.4.16-12.1
apache2-utils-2.4.16-12.1
apache2-worker-2.4.16-12.1
References
- E-Mail link for openSUSE-SU-2016:1824-1
- SUSE Security Ratings
Description
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
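The two descriptions above both hinge on the RFC 3875 section 4.1.18 header-to-meta-variable mapping and on the fix of refusing to derive HTTP_PROXY from the request. The following added example (not Apache or SUSE code) reproduces that mapping for a constructed set of request headers and implements the patched behaviour described in the advisory: the client-supplied Proxy header is dropped, and HTTP_PROXY is only set when the administrator has configured one. The header values and the `admin_http_proxy` parameter are assumptions made for illustration.

```python
"""RFC 3875 4.1.18 header mapping and the httpoxy mitigation (added example)."""
import re

# Constructed sample request headers, as a CGI gateway would receive them.
# The Proxy header value is a placeholder, not a real host.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "User-Agent": "curl/7.50",
    "Proxy": "http://proxy-placeholder.invalid:8080",
}


def cgi_meta_variables(headers, drop_proxy=True, admin_http_proxy=None):
    """Build the HTTP_* meta-variables a CGI script would see.

    RFC 3875 4.1.18: each request header name is upper-cased, every character
    that is not a letter or digit becomes '_', and the result is prefixed with
    HTTP_. A client-supplied 'Proxy' header therefore lands in HTTP_PROXY, the
    variable many HTTP client libraries read for their outbound proxy.

    drop_proxy=True reproduces the patched behaviour from the advisory: the
    header is ignored and HTTP_PROXY is set only from the administrator's
    configuration (admin_http_proxy, an assumed parameter), never from the
    request. drop_proxy=False shows the pre-fix mapping for comparison.
    """
    env = {}
    for name, value in headers.items():
        var = "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())
        if drop_proxy and var == "HTTP_PROXY":
            continue  # never let the client choose the proxy
        env[var] = value
    if admin_http_proxy is not None:
        env["HTTP_PROXY"] = admin_http_proxy
    return env


def request_carries_proxy_header(headers):
    """Detection helper: True if a request contains a Proxy header.

    Browsers never send this header, so its presence is worth logging or
    alerting on even after the server has been patched.
    """
    return any(name.lower() == "proxy" for name in headers)


if __name__ == "__main__":
    print("pre-fix  :", cgi_meta_variables(SAMPLE_HEADERS, drop_proxy=False))
    print("patched  :", cgi_meta_variables(SAMPLE_HEADERS))
    print("suspicious request:", request_carries_proxy_header(SAMPLE_HEADERS))
```

For servers that cannot be updated immediately, the equivalent configuration-level mitigation in Apache is to discard the header with mod_headers before it reaches any handler (`RequestHeader unset Proxy early`); the Python function mirrors that decision at the point where the meta-variables are built.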
Affected products
openSUSE Leap 42.1:apache2-2.4.16-12.1
openSUSE Leap 42.1:apache2-devel-2.4.16-12.1
openSUSE Leap 42.1:apache2-doc-2.4.16-12.1
openSUSE Leap 42.1:apache2-event-2.4.16-12.1
References
- CVE-2016-5387
- SUSE Bug 988484
- SUSE Bug 988486
- SUSE Bug 988487
- SUSE Bug 988488
- SUSE Bug 988489
- SUSE Bug 988491
- SUSE Bug 988492
- SUSE Bug 989125
- SUSE Bug 989174
- SUSE Bug 989684