Security update for apache2
This update for apache2 fixes the following security issues:
Security issues fixed:
- CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712).
- CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714).
- CVE-2016-8743: Added new directive "HttpProtocolOptions Strict" to avoid proxy chain misinterpretation (bsc#1016715).
Bugfixes:
- Add missing copy of hcuri and hcexpr from the worker to the health check worker (bsc#1019380).
This update was imported from the SUSE:SLE-12-SP2:Update update project.
-
Submitted by
Petr Gajdos (pgajdos)
Fixed bugs
bnc#1016715
VUL-0: CVE-2016-8743: apache2: Apache HTTP Request Parsing Whitespace Defects
bnc#1016714
VUL-1: CVE-2016-2161: apache2: DoS vulnerability in mod_auth_digest
bnc#1016712
VUL-1: CVE-2016-0736: apache2: Padding Oracle in Apache mod_session_crypto
bnc#1019380
Apache httpd mod_proxy_hcheck ignores hcuri and hcexpr parameters
