Security update for apache2

Announcement ID:	SUSE-SU-2016:2090-1
Rating:	moderate
References:	bsc#951692 bsc#970391 bsc#973381 bsc#988488
Cross-References:	CVE-2016-5387
CVSS scores:	CVE-2016-5387 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-5387 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves one vulnerability and has three security fixes can now be installed.

Description:

This update for apache2 fixes the following issues:

• It used to be possible to set an arbitrary $HTTP_PROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request (CVE-2016-5387). As a result, these server components would potentially direct all their outgoing HTTP traffic through a malicious proxy server. This patch fixes the issue: the updated Apache server ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes (unless a value has been explicitly configured by the administrator in the configuration file). (bsc#988488)

• Ignore SIGINT signal in child processes. This fixes a race condition in signals handling when httpd is running on foreground and the user hits ctrl+c. (bsc#970391)

• Don't put the backend in error state (by default) when 500/503 is overridden. (bsc#951692)

• Remove obsolete /usr/share/apache2/rc.apache2 sample script. (bsc#973381)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SAP-12-2016-1235=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2016-1235=1

Package List:

• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • apache2-worker-debuginfo-2.4.10-14.17.1
  • apache2-debugsource-2.4.10-14.17.1
  • apache2-example-pages-2.4.10-14.17.1
  • apache2-prefork-debuginfo-2.4.10-14.17.1
  • apache2-worker-2.4.10-14.17.1
  • apache2-utils-2.4.10-14.17.1
  • apache2-utils-debuginfo-2.4.10-14.17.1
  • apache2-prefork-2.4.10-14.17.1
  • apache2-2.4.10-14.17.1
  • apache2-debuginfo-2.4.10-14.17.1
• SUSE Linux Enterprise Server for SAP Applications 12 (noarch)
  • apache2-doc-2.4.10-14.17.1
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • apache2-worker-debuginfo-2.4.10-14.17.1
  • apache2-debugsource-2.4.10-14.17.1
  • apache2-example-pages-2.4.10-14.17.1
  • apache2-prefork-debuginfo-2.4.10-14.17.1
  • apache2-worker-2.4.10-14.17.1
  • apache2-utils-2.4.10-14.17.1
  • apache2-utils-debuginfo-2.4.10-14.17.1
  • apache2-prefork-2.4.10-14.17.1
  • apache2-2.4.10-14.17.1
  • apache2-debuginfo-2.4.10-14.17.1
• SUSE Linux Enterprise Server 12 LTSS 12 (noarch)
  • apache2-doc-2.4.10-14.17.1

References:

• https://www.suse.com/security/cve/CVE-2016-5387.html
• https://bugzilla.suse.com/show_bug.cgi?id=951692
• https://bugzilla.suse.com/show_bug.cgi?id=970391
• https://bugzilla.suse.com/show_bug.cgi?id=973381
• https://bugzilla.suse.com/show_bug.cgi?id=988488