Synopsis:          Important: httpd security update
Advisory ID:       SLSA-2016:1421-1
Issue Date:        2016-07-18
CVE Numbers:       CVE-2016-5387
--

Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from
HTTP requests to initialize the HTTP_PROXY environment variable for CGI
scripts, which in turn was incorrectly used by certain HTTP client
implementations to configure the proxy for outgoing HTTP requests. A
remote attacker could possibly use this flaw to redirect HTTP requests
performed by a CGI script to an attacker-controlled proxy via a malicious
HTTP request. (CVE-2016-5387)

Note: After this update, httpd will no longer pass the value of the Proxy
request header to scripts via the HTTP_PROXY environment variable.
--

SL5
  x86_64
    httpd-2.2.3-92.el5_11.x86_64.rpm
    httpd-debuginfo-2.2.3-92.el5_11.x86_64.rpm
    mod_ssl-2.2.3-92.el5_11.x86_64.rpm
    httpd-debuginfo-2.2.3-92.el5_11.i386.rpm
    httpd-devel-2.2.3-92.el5_11.i386.rpm
    httpd-devel-2.2.3-92.el5_11.x86_64.rpm
    httpd-manual-2.2.3-92.el5_11.x86_64.rpm
  i386
    httpd-2.2.3-92.el5_11.i386.rpm
    httpd-debuginfo-2.2.3-92.el5_11.i386.rpm
    mod_ssl-2.2.3-92.el5_11.i386.rpm
    httpd-devel-2.2.3-92.el5_11.i386.rpm
    httpd-manual-2.2.3-92.el5_11.i386.rpm
SL6
  x86_64
    httpd-2.2.15-54.el6_8.x86_64.rpm
    httpd-debuginfo-2.2.15-54.el6_8.x86_64.rpm
    httpd-tools-2.2.15-54.el6_8.x86_64.rpm
    httpd-debuginfo-2.2.15-54.el6_8.i686.rpm
    httpd-devel-2.2.15-54.el6_8.i686.rpm
    httpd-devel-2.2.15-54.el6_8.x86_64.rpm
    mod_ssl-2.2.15-54.el6_8.x86_64.rpm
  i386
    httpd-2.2.15-54.el6_8.i686.rpm
    httpd-debuginfo-2.2.15-54.el6_8.i686.rpm
    httpd-tools-2.2.15-54.el6_8.i686.rpm
    httpd-devel-2.2.15-54.el6_8.i686.rpm
    mod_ssl-2.2.15-54.el6_8.i686.rpm
  noarch
    httpd-manual-2.2.15-54.el6_8.noarch.rpm

- Scientific Linux Development Team