openSUSE Security Update: Security update for apache2 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:1824-1 Rating: moderate References: #988488 Cross-References: CVE-2016-5387 Affected Products: openSUSE Leap 42.1 openSUSE 13.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for apache2 fixes the following issues: * It used to be possible to set an arbitrary $HTTP_PROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request (CVE-2016-5387). As a result, these server components would potentially direct all their outgoing HTTP traffic through a malicious proxy server. This patch fixes the issue: the updated Apache server ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes (unless a value has been explicitly configured by the administrator in the configuration file). (bsc#988488) This update was imported from the SUSE:SLE-12-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE Leap 42.1: zypper in -t patch openSUSE-2016-880=1 - openSUSE 13.2: zypper in -t patch openSUSE-2016-880=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE Leap 42.1 (i586 x86_64): apache2-2.4.16-12.1 apache2-debuginfo-2.4.16-12.1 apache2-debugsource-2.4.16-12.1 apache2-devel-2.4.16-12.1 apache2-event-2.4.16-12.1 apache2-event-debuginfo-2.4.16-12.1 apache2-example-pages-2.4.16-12.1 apache2-prefork-2.4.16-12.1 apache2-prefork-debuginfo-2.4.16-12.1 apache2-utils-2.4.16-12.1 apache2-utils-debuginfo-2.4.16-12.1 apache2-worker-2.4.16-12.1 apache2-worker-debuginfo-2.4.16-12.1 - openSUSE Leap 42.1 (noarch): apache2-doc-2.4.16-12.1 - openSUSE 13.2 (i586 x86_64): apache2-2.4.10-31.1 apache2-debuginfo-2.4.10-31.1 apache2-debugsource-2.4.10-31.1 apache2-devel-2.4.10-31.1 apache2-event-2.4.10-31.1 apache2-event-debuginfo-2.4.10-31.1 apache2-example-pages-2.4.10-31.1 apache2-prefork-2.4.10-31.1 apache2-prefork-debuginfo-2.4.10-31.1 apache2-utils-2.4.10-31.1 apache2-utils-debuginfo-2.4.10-31.1 apache2-worker-2.4.10-31.1 apache2-worker-debuginfo-2.4.10-31.1 - openSUSE 13.2 (noarch): apache2-doc-2.4.10-31.1 References: https://www.suse.com/security/cve/CVE-2016-5387.html https://bugzilla.suse.com/988488