Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:2554-1 Final 1 1 2018-08-30T06:44:40Z current 2018-08-30T06:44:40Z 2018-08-30T06:44:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: Security issues fixed: - CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (bsc#1016715) - CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes which prohibit CR or LF injection into the 'Location' or other outbound header key or value. (bsc#1104826) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SAP-12-SP1-2018-1791,SUSE-SLE-SERVER-12-SP1-2018-1791 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20182554-1/ Link for SUSE-SU-2018:2554-1 https://lists.suse.com/pipermail/sle-security-updates/2018-August/004509.html E-Mail link for SUSE-SU-2018:2554-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1016715 SUSE Bug 1016715 https://bugzilla.suse.com/1104826 SUSE Bug 1104826 https://www.suse.com/security/cve/CVE-2016-4975/ SUSE CVE CVE-2016-4975 page https://www.suse.com/security/cve/CVE-2016-8743/ SUSE CVE CVE-2016-8743 page SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP1 apache2-2.4.16-20.19.1 apache2-doc-2.4.16-20.19.1 apache2-example-pages-2.4.16-20.19.1 apache2-prefork-2.4.16-20.19.1 apache2-utils-2.4.16-20.19.1 apache2-worker-2.4.16-20.19.1 apache2-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS apache2-doc-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS apache2-example-pages-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS apache2-prefork-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS apache2-utils-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS apache2-worker-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS apache2-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 apache2-doc-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 apache2-example-pages-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 apache2-prefork-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 apache2-utils-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 apache2-worker-2.4.16-20.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31). CVE-2016-4975 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-doc-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-example-pages-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-prefork-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-utils-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-worker-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-doc-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-example-pages-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-prefork-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-utils-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-worker-2.4.16-20.19.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182554-1/ https://www.suse.com/security/cve/CVE-2016-4975.html CVE-2016-4975 https://bugzilla.suse.com/1104826 SUSE Bug 1104826 Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. CVE-2016-8743 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-doc-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-example-pages-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-prefork-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-utils-2.4.16-20.19.1 SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-worker-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-doc-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-example-pages-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-prefork-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-utils-2.4.16-20.19.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:apache2-worker-2.4.16-20.19.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182554-1/ https://www.suse.com/security/cve/CVE-2016-8743.html CVE-2016-8743 https://bugzilla.suse.com/1016715 SUSE Bug 1016715 https://bugzilla.suse.com/1033513 SUSE Bug 1033513 https://bugzilla.suse.com/1086774 SUSE Bug 1086774 https://bugzilla.suse.com/1104826 SUSE Bug 1104826 https://bugzilla.suse.com/930944 SUSE Bug 930944