Security update for apache2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2856-1 Final 1 1 2018-09-25T09:10:10Z current 2018-09-25T09:10:10Z 2018-09-25T09:10:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: Security issues fixed: - CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715) - CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the 'Location' or other outbound header key or value. (bsc#1104826) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00076.html E-Mail link for openSUSE-SU-2018:2856-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 apache2-2.4.23-28.1 apache2-devel-2.4.23-28.1 apache2-doc-2.4.23-28.1 apache2-event-2.4.23-28.1 apache2-example-pages-2.4.23-28.1 apache2-prefork-2.4.23-28.1 apache2-utils-2.4.23-28.1 apache2-worker-2.4.23-28.1 apache2-2.4.23-28.1 as a component of openSUSE Leap 42.3 apache2-devel-2.4.23-28.1 as a component of openSUSE Leap 42.3 apache2-doc-2.4.23-28.1 as a component of openSUSE Leap 42.3 apache2-event-2.4.23-28.1 as a component of openSUSE Leap 42.3 apache2-example-pages-2.4.23-28.1 as a component of openSUSE Leap 42.3 apache2-prefork-2.4.23-28.1 as a component of openSUSE Leap 42.3 apache2-utils-2.4.23-28.1 as a component of openSUSE Leap 42.3 apache2-worker-2.4.23-28.1 as a component of openSUSE Leap 42.3 Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31). CVE-2016-4975 openSUSE Leap 42.3:apache2-2.4.23-28.1 openSUSE Leap 42.3:apache2-devel-2.4.23-28.1 openSUSE Leap 42.3:apache2-doc-2.4.23-28.1 openSUSE Leap 42.3:apache2-event-2.4.23-28.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-28.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-28.1 openSUSE Leap 42.3:apache2-utils-2.4.23-28.1 openSUSE Leap 42.3:apache2-worker-2.4.23-28.1 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00076.html https://www.suse.com/security/cve/CVE-2016-4975.html CVE-2016-4975 https://bugzilla.suse.com/1104826 SUSE Bug 1104826 Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. CVE-2016-8743 openSUSE Leap 42.3:apache2-2.4.23-28.1 openSUSE Leap 42.3:apache2-devel-2.4.23-28.1 openSUSE Leap 42.3:apache2-doc-2.4.23-28.1 openSUSE Leap 42.3:apache2-event-2.4.23-28.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-28.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-28.1 openSUSE Leap 42.3:apache2-utils-2.4.23-28.1 openSUSE Leap 42.3:apache2-worker-2.4.23-28.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00076.html https://www.suse.com/security/cve/CVE-2016-8743.html CVE-2016-8743 https://bugzilla.suse.com/1016715 SUSE Bug 1016715 https://bugzilla.suse.com/1033513 SUSE Bug 1033513 https://bugzilla.suse.com/1086774 SUSE Bug 1086774 https://bugzilla.suse.com/1104826 SUSE Bug 1104826 https://bugzilla.suse.com/930944 SUSE Bug 930944