Univention Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | apache2: Multiple issues (ES 3.2) | | |
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Security updates | Assignee: | UCS maintainers <ucs-maintainers> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | normal | | |
| Priority: | P5 | | |
| Version: | UCS 3.2 | | |
| Target Milestone: | UCS 3.2-ES | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=33277 | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | Security |
| Max CVSS v3 score: | | | |
| Bug Depends on: | 41826, 41827, 43770 | | |
| Bug Blocks: | | | |
Description
Arvid Requate
2016-07-20 18:57:54 CEST
Advisory from Bug 39066 (patches from deb7u6):

The following issues have been fixed in apache2:

* HTTP request smuggling attack against chunked request parser, allowing cache poisoning or credential hijacking if an intermediary proxy is in use (CVE-2015-3183)
* Don't limit default DH parameters to 1024 bits. This may cause problems with some Java based clients. A work-around is to configure these clients not to use DHE key exchange but use ECDHE or RSA instead. A server-side work-around that limits the DH parameters to 1024 bits for all clients is described at http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh
* Backport support for adding DH parameters to the SSLCertificateFile. Custom DH parameters and an EC curve name for ephemeral keys can be added to the end of the first file configured using the SSLCertificateFile. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type. The package apache-doc provides more information about mod_ssl.

This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
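The third item above describes appending DH parameters and an EC curve name (generated with openssl dhparam and openssl ecparam) to the end of the first SSLCertificateFile, and the second item is about no longer capping default DH parameters at 1024 bits. As an added example, not part of this bug report or of the apache2/mod_ssl code, the Python script below parses such a combined PEM file and reports what was appended: it decodes the PKCS#3 DHParameter block (SEQUENCE of INTEGER p, INTEGER g), reports the modulus size and flags anything below 2048 bits, and decodes the named-curve OID in the EC PARAMETERS block. The CERTIFICATE block and the two DH moduli are constructed placeholders (not real certificates or safe primes; real parameters come from openssl dhparam); only the EC PARAMETERS block is the standard prime256v1 OID.

```python
import base64
import re
import textwrap

# --- minimal DER helpers, enough for PKCS#3 DHParameter: SEQUENCE { p INTEGER, g INTEGER } ---

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:              # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def _der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"

def build_dh_params_pem(p: int, g: int = 2) -> str:
    """Encode a DH PARAMETERS block in the same form 'openssl dhparam' writes it."""
    return _pem("DH PARAMETERS", _der_seq(_der_int(p), _der_int(g)))

def pem_blocks(text: str):
    """Return [(label, der_bytes), ...] in file order."""
    pat = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()))) for m in pat.finditer(text)]

def dh_modulus_bits(der: bytes):
    """Return (bit length of p, generator g) from a DER DHParameter."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DHParameter must be a SEQUENCE")
    tag_p, p_bytes, nxt = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, nxt)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big").bit_length(), int.from_bytes(g_bytes, "big")

def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER (what 'openssl ecparam -name ...' emits) to dotted form."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x06:
        raise ValueError("EC PARAMETERS here must be a named-curve OID")
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def audit_certificate_file(text: str, min_dh_bits: int = 2048) -> dict:
    """Audit the first SSLCertificateFile: which PEM blocks it holds and how strong the DH group is."""
    report = {"blocks": [], "dh_bits": None, "dh_generator": None, "ec_curve_oid": None, "weak_dh": False}
    for label, der in pem_blocks(text):
        report["blocks"].append(label)
        if label == "DH PARAMETERS":
            report["dh_bits"], report["dh_generator"] = dh_modulus_bits(der)
            report["weak_dh"] = report["dh_bits"] < min_dh_bits
        elif label == "EC PARAMETERS":
            report["ec_curve_oid"] = decode_oid(der)
    return report

# Constructed sample input: a placeholder CERTIFICATE block (an empty SEQUENCE, not a real
# certificate) followed by the appended parameters, mirroring the file layout the advisory describes.
FAKE_CERT = _pem("CERTIFICATE", _der_seq())
EC_PARAMS = _pem("EC PARAMETERS", bytes.fromhex("06082a8648ce3d030107"))   # OID of prime256v1
P_WEAK = (1 << 1023) | 1    # placeholder 1024-bit modulus, NOT a real safe prime
P_OK = (1 << 2047) | 1      # placeholder 2048-bit modulus, NOT a real safe prime
SAMPLE_WEAK = FAKE_CERT + build_dh_params_pem(P_WEAK) + EC_PARAMS
SAMPLE_OK = FAKE_CERT + build_dh_params_pem(P_OK) + EC_PARAMS

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_certificate_file(sample))
```

On a real server the same audit can be run on the file named by the first SSLCertificateFile directive; a report with no DH PARAMETERS block means the server is using mod_ssl's defaults, and a weak_dh result means the appended group is the 1024-bit size the second advisory item moves away from.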