Univention Bugzilla – Bug 41826
apache2: Multiple issues (4.1)
Last modified: 2017-03-09 14:09:29 CET
Upstream Debian package version 2.2.22-13+deb7u7 fixes the following issue:

* The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. (CVE-2016-5387)

CVSS v2 base score 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Please note that the current package has been rebuilt with the additional Debian patches from deb7u6 (Bug #40929)
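The header-to-variable mapping described above, and the effect of dropping the Proxy header before it runs, as an added example that is not part of the original bug report and is not Apache's code. It is a simplified model; all function names and sample values are constructed for illustration.

```python
# Added example: simplified model of the RFC 3875 section 4.1.18 mapping of
# request headers to CGI meta-variables, and of dropping the Proxy header
# before that mapping runs. Not Apache's code; all names are hypothetical.

# Headers that get dedicated meta-variables or are withheld from CGI scripts.
SPECIAL = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}
WITHHELD = {"authorization", "proxy-authorization"}
# Header names the mitigation removes before the environment is built.
STRIPPED = {"proxy"}


def meta_variable_name(header):
    """RFC 3875 4.1.18: upper-case the name, map '-' to '_', prefix HTTP_."""
    return "HTTP_" + header.upper().replace("-", "_")


def build_cgi_environ(server_env, headers, mitigate):
    """Return the environment a CGI child process would be started with.

    server_env: variables set by the operator (trusted).
    headers:    (name, value) pairs from the client request (untrusted).
    mitigate:   drop the Proxy header, compared case-insensitively.
    """
    env = dict(server_env)
    for name, value in headers:
        lname = name.lower()
        if lname in WITHHELD or (mitigate and lname in STRIPPED):
            continue
        env[SPECIAL.get(lname) or meta_variable_name(name)] = value
    return env


def client_controlled(server_env, cgi_env):
    """Names of variables whose value differs from what the operator set."""
    return sorted(k for k, v in cgi_env.items() if server_env.get(k) != v)


if __name__ == "__main__":
    # Constructed sample data: operator proxy setting and one client request.
    operator_env = {"HTTP_PROXY": "http://proxy.internal.example:3128"}
    request = [("Host", "app.example"), ("pRoXy", "http://untrusted.example:8080")]
    for mitigate in (False, True):
        env = build_cgi_environ(operator_env, request, mitigate)
        print(mitigate, env["HTTP_PROXY"], client_controlled(operator_env, env))
```

In this model, without the mitigation the client's header replaces the operator's HTTP_PROXY value; with it, only HTTP_HOST is reported as client-controlled.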
Ticket#2016082321000687
repo_admin.py -U -r 4.1 -s errata4.1-3 -d wheezy -p apache2
r16746

Package: apache2
Version: 2.2.22-13.101.201609281005
Branch: ucs_4.1-0
Scope: errata4.1-3

r72849 | Bug #42491,Bug #32018 home: Fix umount apache2.yaml
Verified:
* Package imported and built with existing patches
* OK: ucs-test -s apache -E dangerous
* Advisory Ok
<http://errata.software-univention.de/ucs/4.1/289.html>