Security update for apache2
This update for apache2 provides the following fixes:
Security issues fixed:
- CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712).
- CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714).
- CVE-2016-8743: Added new directive "HttpProtocolOptions Strict" to avoid proxy chain misinterpretation (bsc#1016715).
Bugfixes:
- Add NotifyAccess=all to systemd service files to prevent warnings in the log when using mod_systemd (bsc#980663).
This update was imported from the SUSE:SLE-12-SP1:Update update project.
- Submitted by Petr Gajdos (pgajdos)
Fixed bugs
bnc#980663
apache systemd notify related log message
bnc#1016715
VUL-0: CVE-2016-8743: apache2: Apache HTTP Request Parsing Whitespace Defects
bnc#1016714
VUL-1: CVE-2016-2161: apache2: DoS vulnerability in mod_auth_digest
bnc#1016712
VUL-1: CVE-2016-0736: apache2: Padding Oracle in Apache mod_session_crypto