File _patchinfo of Package patchinfo.2875

<patchinfo incident="2875">
  <issue id="988488" tracker="bnc">VUL-0: CVE-2016-5387: apache2: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)</issue>
  <issue id="2016-5387" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>psimons</packager>
  <description>
This update for apache2 fixes the following issues:

* It used to be possible to set an arbitrary $HTTP_PROXY environment variable
  for request handlers -- like CGI scripts -- by including a specially crafted
  HTTP header in the request (CVE-2016-5387). As a result, these server
  components would potentially direct all their outgoing HTTP traffic through a
  malicious proxy server. This patch fixes the issue: the updated Apache server
  ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes
  (unless a value has been explicitly configured by the administrator in the
  configuration file). (bsc#988488)
</description>
  <summary>Security update for apache2</summary>
</patchinfo>