Bug 41828

Summary: apache2: Multiple issues (ES 3.2)
Product: UCS Reporter: Arvid Requate <requate>
Component: Security updatesAssignee: UCS maintainers <ucs-maintainers>
Status: CLOSED WONTFIX QA Contact:
Severity: normal    
Priority: P5    
Version: UCS 3.2   
Target Milestone: UCS 3.2-ES   
Hardware: Other   
OS: Linux   
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=33277
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on: 41826, 41827, 43770    
Bug Blocks:    

Description Arvid Requate univentionstaff 2016-07-20 18:57:54 CEST 
We should check if we can backport the mitigation patch from 2.2.22 to 2.2.16.


+++ This bug was initially created as a clone of Bug #41827 +++

Upstream Debian package version 2.2.22-13+deb7u7 fixes the following issue:

* The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httproxy" issue.  NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. (CVE-2016-5387)

CVSS v2 base score 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Please note that the current package has been rebuilt with the additional Debian patches from deb7u6 (Bug #40929)
Comment 1 Arvid Requate univentionstaff 2017-02-20 19:51:59 CET 
Advisory from Bug 39066 (patches from deb7u6):


 The following issues have been fixed in apache2:
  * HTTP request smuggling attack against chunked request parser, allowing
    cache poisoning or credential hijacking if an intermediary proxy is in
    use (CVE-2015-3183)
  * Don't limit default DH parameters to 1024 bits. This may cause problems
    with some Java based clients. A work-around is to configure these client
    not to use DHE key exchange but use ECDHE or RSA instead. A server-side
    work-around that limits the DH parameters to 1024 bits for all clients is
    described at http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh
  * Backport support for adding DH parameters to the SSLCertificateFile
    Custom DH parameters and an EC curve name for ephemeral keys,
    can be added to end of the first file configured using the
    SSLCertificateFile. Such parameters can be generated using the commands
    openssl dhparam and openssl ecparam. The parameters can be added as-is
    to the end of the first certificate file. Only the first file can be used
    for custom parameters, as they are applied independently of the
    authentication algorithm type. The package apache-doc provides more
    information about mod_ssl.
Comment 2 Stefan Gohmann univentionstaff 2017-06-16 20:40:00 CEST 
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.