File _patchinfo of Package patchinfo.2876
<patchinfo incident="2876">
<issue id="973381" tracker="bnc">Bogus /usr/share/apache2/rc.apache2 script included in SLES 12 apache2</issue>
<issue id="970391" tracker="bnc">appcore generated by httpd2-prefork process in function apr_pool_destroy</issue>
<issue id="951692" tracker="bnc">proxyerroroverride with proxy balancer causes requests to hang for 60 seconds when the underlying web server returns an error code</issue>
<issue id="988488" tracker="bnc">VUL-0: CVE-2016-5387: apache2: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)</issue>
<issue id="2016-5387" tracker="cve" />
<category>security</category>
<rating>moderate</rating>
<packager>psimons</packager>
<description>
This update for apache2 fixes the following issues:
- It used to be possible to set an arbitrary $HTTP_PROXY environment variable for
request handlers, such as CGI scripts, by including a specially crafted "Proxy"
HTTP header in the request (CVE-2016-5387, also known as httpoxy). CGI passes
request headers to scripts as HTTP_* environment variables, so a client-supplied
"Proxy" header became $HTTP_PROXY. As a result, these server components, and any
HTTP client library inside them that honours $HTTP_PROXY, would potentially
direct all their outgoing HTTP traffic through a malicious proxy server. This
patch fixes the issue: the updated Apache server ignores such HTTP headers and
never sets $HTTP_PROXY for sub-processes (unless a value has been explicitly
configured by the administrator in the configuration file). (bsc#988488)
- Ignore the SIGINT signal in child processes. This fixes a race condition in
signal handling when httpd is running in the foreground and the user hits
Ctrl+C, which could leave an application core dumped by httpd2-prefork in
apr_pool_destroy. (bsc#970391)
- Don't put the proxy backend worker into error state (by default) when a 500
or 503 response is overridden via ProxyErrorOverride. Previously, with a proxy
balancer this caused requests to hang for 60 seconds when the underlying web
server returned such an error code. (bsc#951692)
- Remove obsolete /usr/share/apache2/rc.apache2 sample script. (bsc#973381)
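The following Python model illustrates the httpoxy issue fixed above. It is an
added example, not code from this update or from Apache httpd: it reproduces
the RFC 3875 rule that turns a request header "X-Foo" into the CGI variable
HTTP_X_FOO, contrasts the pre-fix behaviour (a client-supplied "Proxy" header
lands in HTTP_PROXY) with the post-fix behaviour (the header is dropped), and
shows that an administrator-configured value survives. The function names and
the SetEnv-like 'configured_env' parameter are illustrative assumptions, and the
request headers are constructed sample data.

```python
"""Model of how the httpoxy bug (CVE-2016-5387) arises in CGI environment
construction. Added example, not code from the SUSE update or Apache httpd.
Function names and the SetEnv-like 'configured_env' parameter are assumptions
made for illustration.
"""


def header_to_cgi_var(name):
    """RFC 3875 section 4.1.18: prefix HTTP_, uppercase, replace '-' by '_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env_vulnerable(headers, configured_env=None):
    """Pre-fix behaviour: every request header becomes an HTTP_* variable,
    so a client-supplied 'Proxy:' header lands in HTTP_PROXY and even
    overrides a value the administrator configured."""
    env = dict(configured_env or {})
    for name, value in headers:
        env[header_to_cgi_var(name)] = value
    return env


def build_cgi_env_fixed(headers, configured_env=None):
    """Post-fix behaviour: the 'Proxy' header is never exported, so HTTP_PROXY
    is present only when the administrator configured it explicitly."""
    env = dict(configured_env or {})
    for name, value in headers:
        var = header_to_cgi_var(name)
        if var == "HTTP_PROXY":
            continue  # client input must not influence the proxy setting
        env[var] = value
    return env


def outgoing_proxy(env):
    """Which proxy an HTTP_PROXY-honouring client library inside the CGI
    script would use for its outgoing requests (None means direct)."""
    return env.get("HTTP_PROXY")


# Constructed sample request: the attacker adds a Proxy header.
ATTACK_HEADERS = [
    ("Host", "www.example.org"),
    ("User-Agent", "demo/1.0"),
    ("Proxy", "http://attacker.example.net:8080"),
]

# Constructed sample of an administrator-configured value (e.g. via SetEnv).
ADMIN_ENV = {"HTTP_PROXY": "http://corp-proxy.example.org:3128"}


def demo():
    """Return the proxy a CGI script would use under three server states:
    vulnerable, fixed, and fixed with an admin-configured HTTP_PROXY."""
    vuln = outgoing_proxy(build_cgi_env_vulnerable(ATTACK_HEADERS))
    fixed = outgoing_proxy(build_cgi_env_fixed(ATTACK_HEADERS))
    fixed_admin = outgoing_proxy(build_cgi_env_fixed(ATTACK_HEADERS, ADMIN_ENV))
    return vuln, fixed, fixed_admin


if __name__ == "__main__":
    v, f, fa = demo()
    print("vulnerable server, outgoing proxy:", v)
    print("fixed server, outgoing proxy:", f)
    print("fixed server with SetEnv HTTP_PROXY, outgoing proxy:", fa)
```

The comparison is done on the derived variable name rather than on the raw
header name so that case variants of the header are caught as well; other
HTTP_* variables such as HTTP_HOST are still exported unchanged.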
</description>
<summary>Security update for apache2</summary>
</patchinfo>