Oval Definition: oval:com.redhat.rhsa:def:20161421
Revision Date: 2016-07-18
Version: 638
Title: RHSA-2016:1421: httpd security update (Important)
Description: The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

  • It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)

    Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.

    Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.

Family: unix
Class: patch
Status:
Reference(s): CVE-2016-5387, RHSA-2016:1421, RHSA-2016:1421-00, RHSA-2016:1421-02, RHSA-2016:1421-03
Platform(s): Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6
Product(s):

Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 5 is installed
  • AND
  • httpd is earlier than 0:2.2.3-92.el5_11
  • AND httpd is signed with Red Hat redhatrelease2 key
  • httpd-devel is earlier than 0:2.2.3-92.el5_11
  • AND httpd-devel is signed with Red Hat redhatrelease2 key
  • httpd-manual is earlier than 0:2.2.3-92.el5_11
  • AND httpd-manual is signed with Red Hat redhatrelease2 key
  • mod_ssl is earlier than 1:2.2.3-92.el5_11
  • AND mod_ssl is signed with Red Hat redhatrelease2 key
  • OR Package Information
  • Red Hat Enterprise Linux 6 is installed
  • AND
  • httpd is earlier than 0:2.2.15-54.el6_8
  • AND httpd is signed with Red Hat redhatrelease2 key
  • httpd-devel is earlier than 0:2.2.15-54.el6_8
  • AND httpd-devel is signed with Red Hat redhatrelease2 key
  • httpd-manual is earlier than 0:2.2.15-54.el6_8
  • AND httpd-manual is signed with Red Hat redhatrelease2 key
  • httpd-tools is earlier than 0:2.2.15-54.el6_8
  • AND httpd-tools is signed with Red Hat redhatrelease2 key
  • mod_ssl is earlier than 1:2.2.15-54.el6_8
  • AND mod_ssl is signed with Red Hat redhatrelease2 key

Definition Synopsis
  • Release Information
  • Red Hat Enterprise Linux 5 is installed
  • AND
  • httpd is earlier than 0:2.2.3-92.el5_11
  • AND httpd is signed with Red Hat redhatrelease key
  • httpd-devel is earlier than 0:2.2.3-92.el5_11
  • AND httpd-devel is signed with Red Hat redhatrelease key
  • httpd-manual is earlier than 0:2.2.3-92.el5_11
  • AND httpd-manual is signed with Red Hat redhatrelease key
  • mod_ssl is earlier than 1:2.2.3-92.el5_11
  • AND mod_ssl is signed with Red Hat redhatrelease key
  • OR Package Information
  • Red Hat Enterprise Linux 6 Client is installed
  • OR Red Hat Enterprise Linux 6 Server is installed
  • OR Red Hat Enterprise Linux 6 Workstation is installed
  • OR Red Hat Enterprise Linux 6 ComputeNode is installed
  • AND
  • httpd is earlier than 0:2.2.15-54.el6_8
  • AND httpd is signed with Red Hat redhatrelease2 key
  • httpd-devel is earlier than 0:2.2.15-54.el6_8
  • AND httpd-devel is signed with Red Hat redhatrelease2 key
  • httpd-manual is earlier than 0:2.2.15-54.el6_8
  • AND httpd-manual is signed with Red Hat redhatrelease2 key
  • httpd-tools is earlier than 0:2.2.15-54.el6_8
  • AND httpd-tools is signed with Red Hat redhatrelease2 key
  • mod_ssl is earlier than 1:2.2.15-54.el6_8
  • AND mod_ssl is signed with Red Hat redhatrelease2 key