Security update for apache2-mod_fcgid SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2115-1 Final 1 1 2016-08-19T13:26:34Z current 2016-08-19T13:26:34Z 2016-08-19T13:26:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2-mod_fcgid This update for apache2-mod_fcgid fixes the following issues: - CVE-2016-1000104 / CVE-2016-5387: A remote attacker could have set the HTTP_PROXY environment variable of CGI scripts (boo#988488) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-08/msg00084.html E-Mail link for openSUSE-SU-2016:2115-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 apache2-mod_fcgid-2.3.9-7.1 apache2-mod_fcgid-2.3.9-7.1 as a component of openSUSE Leap 42.1 A security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07. CVE-2016-1000104 openSUSE Leap 42.1:apache2-mod_fcgid-2.3.9-7.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00084.html https://www.suse.com/security/cve/CVE-2016-1000104.html CVE-2016-1000104 https://bugzilla.suse.com/988492 SUSE Bug 988492 The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. CVE-2016-5387 openSUSE Leap 42.1:apache2-mod_fcgid-2.3.9-7.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-08/msg00084.html https://www.suse.com/security/cve/CVE-2016-5387.html CVE-2016-5387 https://bugzilla.suse.com/988484 SUSE Bug 988484 https://bugzilla.suse.com/988486 SUSE Bug 988486 https://bugzilla.suse.com/988487 SUSE Bug 988487 https://bugzilla.suse.com/988488 SUSE Bug 988488 https://bugzilla.suse.com/988489 SUSE Bug 988489 https://bugzilla.suse.com/988491 SUSE Bug 988491 https://bugzilla.suse.com/988492 SUSE Bug 988492 https://bugzilla.suse.com/989125 SUSE Bug 989125 https://bugzilla.suse.com/989174 SUSE Bug 989174 https://bugzilla.suse.com/989684 SUSE Bug 989684