Univention Bugzilla – Bug 41828
apache2: Multiple issues (ES 3.2)
Last modified: 2019-04-11 19:25:16 CEST
We should check if we can backport the mitigation patch from 2.2.22 to 2.2.16. +++ This bug was initially created as a clone of Bug #41827 +++ Upstream Debian package version 2.2.22-13+deb7u7 fixes the following issue: * The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httproxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. (CVE-2016-5387) CVSS v2 base score 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N) Please note that the current package has been rebuilt with the additional Debian patches from deb7u6 (Bug #40929)
Advisory from Bug 39066 (patches from deb7u6): The following issues have been fixed in apache2: * HTTP request smuggling attack against chunked request parser, allowing cache poisoning or credential hijacking if an intermediary proxy is in use (CVE-2015-3183) * Don't limit default DH parameters to 1024 bits. This may cause problems with some Java based clients. A work-around is to configure these client not to use DHE key exchange but use ECDHE or RSA instead. A server-side work-around that limits the DH parameters to 1024 bits for all clients is described at http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh * Backport support for adding DH parameters to the SSLCertificateFile Custom DH parameters and an EC curve name for ephemeral keys, can be added to end of the first file configured using the SSLCertificateFile. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type. The package apache-doc provides more information about mod_ssl.
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.