lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 20 Jul 2016 08:39:47 +0000
From: Salvatore Bonaccorso <carnil@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 3623-1] apache2 security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3623-1                   security@...ian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 20, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2016-5387

Scott Geary of VendHQ discovered that the Apache HTTPD server used the
value of the Proxy header from HTTP requests to initialize the
HTTP_PROXY environment variable for CGI scripts, which in turn was
incorrectly used by certain HTTP client implementations to configure the
proxy for outgoing HTTP requests. A remote attacker could possibly use
this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request.

For the stable distribution (jessie), this problem has been fixed in
version 2.4.10-10+deb8u5.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXjzUzAAoJEAVMuPMTQ89EUioP+wWzh9kdX1UZM5ATmobng6zu
qL1dAlsjUGf3jPG8M6PP3RSt0Sy/rDcd2L1ktM3PFXwkfrRrvTlZINcCGeUSqs2b
0L7fDZZ36ZUXJr4GC1ohWqvYShG20+aAmSdSLjyhxLPc9k7Cu4GUzIPVJuqJlw4U
66MBgEICyuhNb1NyYp3iunU71j948Fa1VbYoCeT4nA2+AkNOFHeNUwFTqzw3sUJK
7KXKrb0GVTkTt0ox/1iRLUnAouXpm8Z9t0nKsdA1kTH7hsMNGXWwOZZ1NSCstZHG
RWpjW67jjFU7Q/uHvkue2Fe70MXxGmSLOHjd+uUOTDVrvvzev1P+JVZb4QbIjf/x
DHsyuXtIe8GLla+7oSoAx6l9oXc40YJ+ycaE2geNKA1rLKznHaV2xwfa0trnNsK2
ffnxMR1scF6/tk46IlwypTZEADqmSYJqMOTKtWaGUyFMHc8d5Wranvz2kCkvT7o5
gIzPp7kE7ssPEmfkAg6rT0hCb8rUJm8Wy6Ju1pBH9fgw+aWCshnVUlr78z2592sx
XPK9B4J5A9GCUWjq2QQMAEwWEDRt/AIA4ykvWiYBL/TVRYMjCKYr/AEXueQxw5uW
rFtlkjH5hSn56zupDVB9KF9cayvdKPL3BFZjPAGybj7ZpWDS67t91k3Kn/8072QZ
mh8gBTatVkMSIDyYjxn8
=pWeA
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ