Univention Bugzilla – Bug 41827
apache2: Multiple issues (ES 3.3)
Last modified: 2019-04-11 19:25:00 CEST
+++ This bug was initially created as a clone of Bug #41826 +++

Upstream Debian package version 2.2.22-13+deb7u7 fixes the following issue:

* The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. (CVE-2016-5387)

CVSS v2 base score 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Please note that the current package has been rebuilt with the additional Debian patches from deb7u6 (Bug #40929).
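The RFC 3875 mapping described above, and the hardened variant the fix introduces, as an added illustration that is not part of the bug report or of the Apache or Debian code. The header list and proxy URL are constructed sample data; the function names are this example's own.

```python
"""How RFC 3875 section 4.1.18 turns a client-supplied "Proxy:" request
header into the HTTP_PROXY CGI meta-variable (the httpoxy issue,
CVE-2016-5387), next to a mapping that refuses to export it."""

# Constructed sample request headers; the Proxy header is the untrusted
# client data the advisory refers to.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://untrusted-proxy.example:8080"),
]

# Meta-variables that collide with process configuration read by
# common HTTP client libraries and must never come from the client.
BLOCKED_META_VARS = {"HTTP_PROXY"}


def header_to_meta_var(name):
    """RFC 3875 4.1.18: upper-case the name, replace '-' with '_',
    prefix with 'HTTP_'. 'Proxy' therefore becomes 'HTTP_PROXY'."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_environment(headers, harden=True):
    """Build the CGI meta-variables for a request.

    harden=False reproduces the behaviour the advisory describes: every
    header is exported, so 'Proxy:' lands in HTTP_PROXY.  harden=True
    mirrors the fixed package: a header whose meta-variable is blocked
    is silently dropped instead of being exported.
    """
    env = {}
    for name, value in headers:
        var = header_to_meta_var(name)
        if harden and var in BLOCKED_META_VARS:
            continue  # never let the client populate HTTP_PROXY
        # Repeated headers are joined with ", " as RFC 3875 requires.
        env[var] = value if var not in env else env[var] + ", " + value
    return env


def outbound_proxy(env):
    """Mimic a client library that honours HTTP_PROXY from its
    environment; this is what a crafted Proxy header redirects."""
    return env.get("HTTP_PROXY")
```

On a server that cannot be patched yet, the same effect is obtained one layer up by stripping the header before CGI handling with mod_headers (`RequestHeader unset Proxy early`).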
Advisory from Bug 39066 (patches from deb7u6):

The following issues have been fixed in apache2:

* HTTP request smuggling attack against chunked request parser, allowing cache poisoning or credential hijacking if an intermediary proxy is in use (CVE-2015-3183)

* Don't limit default DH parameters to 1024 bits. This may cause problems with some Java based clients. A work-around is to configure these clients not to use DHE key exchange but to use ECDHE or RSA instead. A server-side work-around that limits the DH parameters to 1024 bits for all clients is described at http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh

* Backport support for adding DH parameters to the SSLCertificateFile. Custom DH parameters and an EC curve name for ephemeral keys can be added to the end of the first file configured using SSLCertificateFile. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type. The package apache-doc provides more information about mod_ssl.
This issue has been filed against UCS 3.3. The maintenance with bug and security fixes for UCS 3.3 ended on 31st of December 2016. Customers still on UCS 3.3 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.