Bugzilla – Bug 1104826
VUL-1: CVE-2016-4975: apache2: Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir
Last modified: 2018-10-18 17:24:18 UTC
CVE-2016-4975

Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value.

Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23).
Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4975
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975
https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975
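The mitigation described in the report above (refusing CR or LF in an outbound header key or value), as an added example: this is not Apache httpd's code or the SUSE patch, and the names `header_name_ok`, `header_value_ok` and `emit_header` as well as the sample values are constructed for illustration. It goes slightly beyond the report's wording by also refusing other control bytes in values and non-token characters in names.

```c
#include <stdio.h>
#include <string.h>

/* RFC 7230 "token" bytes: the only ones allowed in a header field name. */
static int is_token_char(unsigned char c)
{
    return c > 0x20 && c < 0x7f && !strchr("()<>@,;:\\\"/[]?={}", c);
}

/* 1 if name is a non-empty token, so it cannot hold CR, LF, space or ':'. */
int header_name_ok(const char *name)
{
    if (*name == '\0') return 0;
    for (; *name; name++)
        if (!is_token_char((unsigned char)*name))
            return 0;
    return 1;
}

/* 1 if value holds no CR, LF or other control byte (HTAB is allowed). */
int header_value_ok(const char *value)
{
    for (; *value; value++)
        if (((unsigned char)*value < 0x20 && *value != '\t') || *value == 0x7f)
            return 0;
    return 1;
}

/* Writes "name: value\r\n" to out (outlen >= 1); -1 and empty out if refused. */
int emit_header(char *out, size_t outlen, const char *name, const char *value)
{
    int n = -1;
    if (header_name_ok(name) && header_value_ok(value))
        n = snprintf(out, outlen, "%s: %s\r\n", name, value);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[128];  /* the sample header values below are constructed */
    int ok = emit_header(buf, sizeof buf, "Location", "http://example.test/a");
    int bad = emit_header(buf, sizeof buf, "Location", "/a\r\nX-Injected: 1");
    printf("clean: %d, with CRLF: %d\n", ok, bad);
    return 0;
}
```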
Hmm, I failed to even guess the correct commit so far. How does this relate to CVE-2016-8743?
Perhaps it's https://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/http/http_filters.c?r1=1777405&r2=1777999&sortby=date
2.4 https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/http_filters.c?r1=1775195&r2=1777672&pathrev=1777672&sortby=date
That is good, see bug 1016715 comment 19. That means we have this issue fixed already by apache2-CVE-2016-8743-1.patch. Should I just reference the CVE in appropriate places? Should I think about a testcase?
Yes, I think it is covered by these changes for bug 1016715 / CVE-2016-8743 already. You can reference it there on the next submissions. (And a testcase might be useful too ;)
Will submit for 12sp2, 12sp1 and 10sp3. I believe testcases are part of t/apache/http_strict.t ('tests for response headers' section, Apache:Test/apache-test, or home:pgajdos:apache-test{,:after}/apache-test respectively). Unfortunately I do not have much info to think about the mod_userdir role.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-09-06. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64124
SUSE-SU-2018:2554-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1016715,1104826
CVE References: CVE-2016-4975,CVE-2016-8743
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): apache2-2.4.16-20.19.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): apache2-2.4.16-20.19.1

SUSE-SU-2018:2815-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1016715,1104826
CVE References: CVE-2016-4975,CVE-2016-8743
Sources used:
SUSE OpenStack Cloud 7 (src): apache2-2.4.23-29.24.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): apache2-2.4.23-29.24.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): apache2-2.4.23-29.24.1
SUSE Linux Enterprise Server 12-SP3 (src): apache2-2.4.23-29.24.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): apache2-2.4.23-29.24.1
SUSE Enterprise Storage 4 (src): apache2-2.4.23-29.24.1

openSUSE-SU-2018:2856-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1016715,1104826
CVE References: CVE-2016-4975,CVE-2016-8743
Sources used:
openSUSE Leap 42.3 (src): apache2-2.4.23-28.1

released

SUSE-SU-2018:2815-2: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1016715,1104826
CVE References: CVE-2016-4975,CVE-2016-8743
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src): apache2-2.4.23-29.24.1