drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mangelnde Prüfung von Umgebungsvariablen in Apache
| Name: |
Mangelnde Prüfung von Umgebungsvariablen in Apache |
|
| ID: |
DSA-3623-1 |
|
| Distribution: |
Debian |
|
| Plattformen: |
Debian jessie |
|
| Datum: |
Mi, 20. Juli 2016, 10:53 |
|
| Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387 |
|
| Applikationen: |
Apache |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3623-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 20, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : apache2
CVE ID : CVE-2016-5387
Scott Geary of VendHQ discovered that the Apache HTTPD server used the
value of the Proxy header from HTTP requests to initialize the
HTTP_PROXY environment variable for CGI scripts, which in turn was
incorrectly used by certain HTTP client implementations to configure the
proxy for outgoing HTTP requests. A remote attacker could possibly use
this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request.
For the stable distribution (jessie), this problem has been fixed in
version 2.4.10-10+deb8u5.
We recommend that you upgrade your apache2 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJXjzUzAAoJEAVMuPMTQ89EUioP+wWzh9kdX1UZM5ATmobng6zu
qL1dAlsjUGf3jPG8M6PP3RSt0Sy/rDcd2L1ktM3PFXwkfrRrvTlZINcCGeUSqs2b
0L7fDZZ36ZUXJr4GC1ohWqvYShG20+aAmSdSLjyhxLPc9k7Cu4GUzIPVJuqJlw4U
66MBgEICyuhNb1NyYp3iunU71j948Fa1VbYoCeT4nA2+AkNOFHeNUwFTqzw3sUJK
7KXKrb0GVTkTt0ox/1iRLUnAouXpm8Z9t0nKsdA1kTH7hsMNGXWwOZZ1NSCstZHG
RWpjW67jjFU7Q/uHvkue2Fe70MXxGmSLOHjd+uUOTDVrvvzev1P+JVZb4QbIjf/x
DHsyuXtIe8GLla+7oSoAx6l9oXc40YJ+ycaE2geNKA1rLKznHaV2xwfa0trnNsK2
ffnxMR1scF6/tk46IlwypTZEADqmSYJqMOTKtWaGUyFMHc8d5Wranvz2kCkvT7o5
gIzPp7kE7ssPEmfkAg6rT0hCb8rUJm8Wy6Ju1pBH9fgw+aWCshnVUlr78z2592sx
XPK9B4J5A9GCUWjq2QQMAEwWEDRt/AIA4ykvWiYBL/TVRYMjCKYr/AEXueQxw5uW
rFtlkjH5hSn56zupDVB9KF9cayvdKPL3BFZjPAGybj7ZpWDS67t91k3Kn/8072QZ
mh8gBTatVkMSIDyYjxn8
=pWeA
-----END PGP SIGNATURE-----
|
|
|
|
