Bug 41828 - apache2: Multiple issues (ES 3.2)
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-ES
Assigned To: UCS maintainers
:
Depends on: 41826 41827 43770
Blocks:
Reported: 2016-07-20 18:57 CEST by Arvid Requate
Modified: 2019-04-11 19:25 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Attachments

Description Arvid Requate univentionstaff 2016-07-20 18:57:54 CEST
We should check if we can backport the mitigation patch from 2.2.22 to 2.2.16.


+++ This bug was initially created as a clone of Bug #41827 +++

Upstream Debian package version 2.2.22-13+deb7u7 fixes the following issue:

* The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httproxy" issue.  NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. (CVE-2016-5387)

CVSS v2 base score 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Please note that the current package has been rebuilt with the additional Debian patches from deb7u6 (Bug #40929).
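The mitigation discussed above works by keeping a client-supplied `Proxy` header out of the CGI environment. The following is an added illustration (not code from the bug report, the Apache project or the Debian package) of the RFC 3875 section 4.1.18 header-to-meta-variable mapping, of why a `Proxy` header lands in `HTTP_PROXY`, and of a filter whose effect matches the upstream mitigation; the `RequestHeader unset Proxy early` rule named in a comment is the configuration-level mitigation from Apache's published httpoxy response and needs mod_headers. The request text is constructed sample data.

```python
"""Added example (not part of the bug report or the Apache/Debian code): shows
the RFC 3875 section 4.1.18 mapping of request headers to CGI meta-variables,
why a client-supplied "Proxy" header becomes HTTP_PROXY, and a filter with the
same effect as the upstream mitigation (discarding that header before the CGI
environment is built). The request below is constructed sample data."""

import re
from typing import Dict, List, Optional, Tuple

# A raw request as a CGI-fronting server might receive it (constructed; the
# proxy address 203.0.113.5 is from the documentation range).
CONSTRUCTED_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: example-client/1.0\r\n"
    "proxy: http://203.0.113.5:3128\r\n"
    "X-Forwarded-For: 198.51.100.7\r\n"
    "\r\n"
)

# RFC 7230 token characters; anything else is not a valid header name.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_request_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header section of a raw HTTP/1.x request into (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]          # drop the request line
    headers = []
    for line in lines:
        if ":" not in line:
            continue                        # malformed header line; ignore it
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875 4.1.18: HTTP_ prefix, upper-case, '-' replaced by '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(headers, drop_proxy: bool = True) -> Dict[str, str]:
    """Build the HTTP_* part of a CGI environment from request headers.

    drop_proxy=False reproduces the pre-mitigation behaviour, in which a
    client-sent Proxy header lands in HTTP_PROXY.  drop_proxy=True discards
    the header, which is what the upstream mitigation (and a
    `RequestHeader unset Proxy early` rule with mod_headers) achieves."""
    env: Dict[str, str] = {}
    for name, value in headers:
        if not TOKEN_RE.match(name):
            continue
        if drop_proxy and name.lower() == "proxy":
            continue
        var = cgi_meta_variable(name)
        # RFC 3875: values of repeated headers are joined with ", ".
        env[var] = value if var not in env else env[var] + ", " + value
    return env


def exposed_proxy(env: Dict[str, str]) -> Optional[str]:
    """Return the proxy URL an HTTP client library honouring HTTP_PROXY would
    pick up from this environment, or None if the environment is clean."""
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    hdrs = parse_request_headers(CONSTRUCTED_REQUEST)
    print("unmitigated:", exposed_proxy(build_cgi_env(hdrs, drop_proxy=False)))
    print("mitigated:  ", exposed_proxy(build_cgi_env(hdrs)))
```

The header-name comparison is case-insensitive on purpose: `proxy`, `Proxy` and `PROXY` all map to `HTTP_PROXY`, so a filter that only matches the canonical spelling would leave the variable in place.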
Comment 1 Arvid Requate univentionstaff 2017-02-20 19:51:59 CET
Advisory from Bug 39066 (patches from deb7u6):


 The following issues have been fixed in apache2:
  * HTTP request smuggling attack against chunked request parser, allowing
    cache poisoning or credential hijacking if an intermediary proxy is in
    use (CVE-2015-3183)
  * Don't limit default DH parameters to 1024 bits. This may cause problems
    with some Java based clients. A work-around is to configure these clients
    not to use DHE key exchange but use ECDHE or RSA instead. A server-side
    work-around that limits the DH parameters to 1024 bits for all clients is
    described at http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh
  * Backport support for adding DH parameters to the SSLCertificateFile.
    Custom DH parameters and an EC curve name for ephemeral keys
    can be added to the end of the first file configured using the
    SSLCertificateFile. Such parameters can be generated using the commands
    openssl dhparam and openssl ecparam. The parameters can be added as-is
    to the end of the first certificate file. Only the first file can be used
    for custom parameters, as they are applied independently of the
    authentication algorithm type. The package apache-doc provides more
    information about mod_ssl.
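The advisory's last item describes a file layout: the server certificate first, then the `DH PARAMETERS` and `EC PARAMETERS` blocks that `openssl dhparam` and `openssl ecparam` print, appended as-is. As an added example (not from the bug report or the apache2 package), the following Python checks a file intended for the first `SSLCertificateFile` directive against that layout and reports which named curve an `EC PARAMETERS` block selects. The PEM text is constructed: the `CERTIFICATE` and `DH PARAMETERS` bodies are placeholders, while the `EC PARAMETERS` body is the real DER encoding of the prime256v1 curve OID, which is what `openssl ecparam -name prime256v1` emits.

```python
"""Added example (not from the bug report or the apache2 package): inspects an
SSLCertificateFile laid out as the advisory describes, i.e. the server
certificate followed by the DH PARAMETERS and EC PARAMETERS blocks that
`openssl dhparam` and `openssl ecparam` emit, and reports whether the file is
in that shape. The PEM text below is constructed: the CERTIFICATE and DH
PARAMETERS bodies are placeholders; only the EC PARAMETERS body is the real
DER encoding of the prime256v1 curve OID."""

import base64
import re
from typing import Dict, List, Optional, Tuple

PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Curve OIDs that `openssl ecparam -name ...` writes into an EC PARAMETERS block.
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

# Constructed sample file: placeholder certificate and DH bodies, real EC OID.
CONSTRUCTED_CERT_FILE = """\
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
cGxhY2Vob2xkZXI=
-----END DH PARAMETERS-----
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
"""


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, base64 body) for every PEM block, in file order."""
    return [(m.group(1), m.group(2).strip()) for m in PEM_BLOCK_RE.finditer(text)]


def decode_oid(der: bytes) -> str:
    """Decode a single DER OBJECT IDENTIFIER (tag 0x06) into dotted form."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a single DER OBJECT IDENTIFIER")
    content = der[2:]
    parts = [str(content[0] // 40), str(content[0] % 40)]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this sub-identifier
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def check_ssl_certificate_file(text: str) -> Dict[str, object]:
    """Summarise a file meant for the first SSLCertificateFile directive:
    certificate count, presence of DH parameters, the EC curve (name or OID),
    and whether the parameter blocks follow the certificate as required."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    ec_curve: Optional[str] = None
    for label, body in blocks:
        if label == "EC PARAMETERS":
            try:
                oid = decode_oid(base64.b64decode(body))
                ec_curve = NAMED_CURVES.get(oid, oid)
            except ValueError:              # explicit parameters or bad base64
                ec_curve = "unrecognised"
    first_cert = labels.index("CERTIFICATE") if "CERTIFICATE" in labels else -1
    param_positions = [i for i, l in enumerate(labels) if l.endswith(" PARAMETERS")]
    layout_ok = (
        first_cert == 0
        and all(i > first_cert for i in param_positions)
        and labels.count("DH PARAMETERS") <= 1
        and labels.count("EC PARAMETERS") <= 1
    )
    return {
        "certificates": labels.count("CERTIFICATE"),
        "dh_parameters": "DH PARAMETERS" in labels,
        "ec_curve": ec_curve,
        "layout_ok": layout_ok,
    }


def append_parameters(cert_file_text: str, params_text: str) -> str:
    """Append openssl dhparam/ecparam output to the certificate file text as-is,
    making sure the certificate's END line is newline-terminated first."""
    if not cert_file_text.endswith("\n"):
        cert_file_text += "\n"
    return cert_file_text + params_text


if __name__ == "__main__":
    print(check_ssl_certificate_file(CONSTRUCTED_CERT_FILE))
```

The layout check matters because mod_ssl only reads custom parameters from the first configured certificate file; parameters placed in a second file, or in front of the certificate, are silently not what the operator intended.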
Comment 2 Stefan Gohmann univentionstaff 2017-06-16 20:40:00 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.