ClearOS Documentation



CVE 2016-4975

'Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the “Location” or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).'

ClearCenter response

This issue affects ClearOS 7. While this affects ClearOS 6 as well, no plan is in place to fix this issue at this time.

Short response

This issue affects the use of mod_userdir, which is enabled by default in both the Web Server module and its core as well as in Webconfig. At this time, no fix exists. Please ensure that Webconfig is not opened to the Internet and that access to websites that use mod_userdir is restricted.

Long response

This issue affects the use of mod_userdir, which is enabled by default in both the Web Server module and its core as well as in Webconfig. At this time, no fix exists. Please ensure that Webconfig is not opened to the Internet and that access to websites that use mod_userdir is restricted.

Resolution

While this issue is pending, ensure that Webconfig access is restricted to local networks, and that logins to Webconfig and to web sites that leverage the mod_userdir module are restricted.

ClearOS 7

An open ticket to provide a fix is pending for this issue but not yet available.

https://tracker.clearos.com/view.php?id=21651

ClearOS 6

No fix for this issue is scheduled for ClearOS 6 at this time. Please upgrade to ClearOS 7 if affected by this issue. To mitigate this issue, ensure that port 81 is closed to the Internet and move web services to ClearOS 7.
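The three conditions this advisory asks an administrator to check (an affected httpd release, mod_userdir loaded, and port 81 reachable from outside) can be audited from a shell. The script below is an added example and is not ClearCenter or ClearOS tooling. It assumes the CentOS-style httpd layout used by ClearOS 7 (`/etc/httpd/conf/httpd.conf` and `/etc/httpd/conf.modules.d/*.conf`), that `ss` is available for the socket listing, and it takes its version thresholds (2.4.25 and 2.2.32) from the advisory text. The sample inputs embedded in it are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not ClearCenter/ClearOS tooling: audit helpers for the
# conditions described in the CVE-2016-4975 advisory on an Apache httpd host.
#   1. is the installed httpd an affected release (fixed in 2.4.25 / 2.2.32)?
#   2. is mod_userdir loaded in the httpd configuration?
#   3. is TCP port 81 (Webconfig) listening on a non-loopback address?
# Each helper reads the text that `httpd -v`, the httpd config files and
# `ss -ltn` would produce; the SAMPLE_* values below are constructed stand-ins.

# Extract the numeric httpd version from `httpd -v` output on stdin.
httpd_version_from() {
    sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if version $1 is at or above the fixed release for its branch,
# 1 if it is an affected release, 2 if the branch is not 2.2.x or 2.4.x.
httpd_version_fixed() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -d. -f2)
    patch=$(printf '%s\n' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$major" = "2" ] || return 2
    case "$minor" in
        4) [ "${patch:-0}" -ge 25 ] && return 0 || return 1 ;;
        2) [ "${patch:-0}" -ge 32 ] && return 0 || return 1 ;;
        *) return 2 ;;
    esac
}

# Exit 0 if the httpd configuration on stdin has an active LoadModule line
# for mod_userdir (commented-out lines do not count), 1 otherwise.
userdir_loaded() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+userdir_module[[:space:]]'
}

# Exit 0 if `ss -ltn` output on stdin shows a TCP listener on port 81 bound
# to anything other than loopback, 1 otherwise. Field 4 is Local Address:Port.
port81_exposed() {
    awk '$4 ~ /:81$/ && $4 !~ /^(127\.|\[::1\]:)/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Constructed sample inputs standing in for live command output.
SAMPLE_HTTPD_V='Server version: Apache/2.4.6 (CentOS)'
SAMPLE_CONF='LoadModule dir_module modules/mod_dir.so
#LoadModule status_module modules/mod_status.so
LoadModule userdir_module modules/mod_userdir.so'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:81               *:*
LISTEN 0      128    127.0.0.1:25       *:*'

# Print one finding per check. Arguments: httpd -v output, config text,
# ss -ltn output. Always returns 0; the findings count is printed at the end.
report() {
    open=0
    ver=$(printf '%s\n' "$1" | httpd_version_from)
    if httpd_version_fixed "$ver"; then
        echo "httpd $ver: contains the upstream fix"
    else
        echo "httpd ${ver:-unknown}: affected or unrecognised release, mitigations apply"
        open=$((open + 1))
    fi
    if printf '%s\n' "$2" | userdir_loaded; then
        echo "mod_userdir: loaded (restrict access to UserDir sites)"
        open=$((open + 1))
    else
        echo "mod_userdir: not loaded"
    fi
    if printf '%s\n' "$3" | port81_exposed; then
        echo "port 81: listening on a non-loopback address (close it to the Internet)"
        open=$((open + 1))
    else
        echo "port 81: not exposed"
    fi
    echo "open findings: $open"
    return 0
}

# Audit the local host when httpd and ss are present (assumed CentOS-style
# paths); otherwise fall back to the constructed sample.
audit_live() {
    if command -v httpd >/dev/null 2>&1 && command -v ss >/dev/null 2>&1; then
        report "$(httpd -v 2>/dev/null)" \
               "$(cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.modules.d/*.conf 2>/dev/null)" \
               "$(ss -ltn 2>/dev/null)"
    else
        report "$SAMPLE_HTTPD_V" "$SAMPLE_CONF" "$SAMPLE_SS"
    fi
}

# Usage: sh audit.sh          (constructed sample)
#        sh audit.sh --live   (local host)
if [ "${1:-}" = "--live" ]; then
    audit_live
else
    report "$SAMPLE_HTTPD_V" "$SAMPLE_CONF" "$SAMPLE_SS"
fi
```

The version check is only indicative on ClearOS 7, because its httpd package is a CentOS rebuild and CentOS backports security fixes without changing the reported version; the tracker ticket linked above and the package changelog are the authoritative sources for whether a given build carries the fix. The port 81 check looks only at what is listening; a listener bound to all interfaces is still safe if the firewall blocks it from the Internet, so confirm the firewall rule separately.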

content/en_us/announcements_cve_cve-2016-4975.txt · Last modified: 2018/10/01 11:41 by dloper
