| Field | Value |
|---|---|
| Summary | `<www-servers/apache-{2.2.31-r1,2.4.23-r2}`: HTTPoxy (CVE-2016-5387) |
| Product | Gentoo Security |
| Reporter | Aaron Bauman (RETIRED) <bman> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | hydrapolic, polynomial-c |
| Priority | Normal |
| Flags | kensington: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B4 [glsa cve] |
| Package list | `=www-servers/apache-2.2.31-r1`, `=www-servers/apache-2.4.23-r2` |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 589224 |
Description

Aaron Bauman (RETIRED), 2016-07-20 12:44:32 UTC

CVE-2016-5387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5387): The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

Upstream patch: https://www.apache.org/security/asf-httpoxy-response.txt

Maybe we could add a 00_mod_header.conf file with a simple:

```apache
<IfModule mod_headers.c>
    RequestHeader unset Proxy
</IfModule>
```

Any update on this bug? Please advise. Debian and Red Hat have this fixed in most versions.

```
commit 692a27baa1b889755b928d2766f9efee17462291
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Nov 2 15:38:57 2016

    www-servers/apache: Security revbumps for CVE-2016-5387 (bug #589226).
    Also fixes fcgi bug in apache-2.4.23 (bug #591288).

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
```

Arches, please test and mark stable the following *two* versions:

=www-servers/apache-2.2.31-r1
=www-servers/apache-2.4.23-r2

Target KEYWORDS are: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris

amd64 stable

x86 stable

Stable for HPPA PPC64.

Stable on alpha.

arm stable

sparc stable

ia64 stable

ppc stable.

Maintainer(s), please clean up.

This issue was resolved and addressed in GLSA 201701-36 at https://security.gentoo.org/glsa/201701-36 by GLSA coordinator Aaron Bauman (b-man).
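As an added example that is not part of the bug report, Apache, or Gentoo's own code, the following Python script models the RFC 3875 section 4.1.18 header-to-meta-variable mapping cited in the description, which is why a client-supplied `Proxy:` header ends up in `HTTP_PROXY` for CGI applications, and then applies the equivalent of the `RequestHeader unset Proxy` mitigation proposed above. It goes slightly beyond the page with an application-side check that ignores `HTTP_PROXY` when the process is running under CGI (`REQUEST_METHOD` set), a defence-in-depth measure for HTTP client code. All function names and the sample request headers are constructed for this example.

```python
# Added example, not code from the bug report or from Apache/Gentoo.
# Models RFC 3875 section 4.1.18 (CGI HTTP_* meta-variables), the
# "RequestHeader unset Proxy" mitigation, and an application-side check.
# All names and the sample request below are constructed.

from typing import Dict, List, Optional, Tuple

# Constructed sample request: ordinary headers plus an untrusted Proxy header.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "www.example.test"),
    ("User-Agent", "curl/7.50"),
    ("Proxy", "http://proxy.attacker.test:3128"),  # client-controlled
    ("Accept", "*/*"),
]


def cgi_meta_variables(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """RFC 3875 4.1.18: each request header becomes HTTP_<NAME>, with the
    name upper-cased and '-' replaced by '_'. Repeated headers must be
    merged into one value; this model joins them with ', '."""
    env: Dict[str, str] = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        env[key] = value if key not in env else env[key] + ", " + value
    return env


def unset_request_header(headers: List[Tuple[str, str]], name: str) -> List[Tuple[str, str]]:
    """Equivalent of mod_headers 'RequestHeader unset <name>': drop every
    instance of the header, matching the name case-insensitively as HTTP does."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def outbound_proxy_from_env(env: Dict[str, str]) -> Optional[str]:
    """What a proxy-aware HTTP client library would pick up from the
    environment (the variable httpoxy abuses)."""
    return env.get("HTTP_PROXY")


def outbound_proxy_for_client(env: Dict[str, str]) -> Optional[str]:
    """Application-side hardening (beyond the bug report): under CGI,
    REQUEST_METHOD is set and every HTTP_* variable is client-supplied, so a
    client library should never honour HTTP_PROXY there. Outside CGI the
    variable is legitimate operator configuration and is used as usual."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def demonstrate() -> Tuple[Optional[str], Optional[str]]:
    """Return (HTTP_PROXY seen without mitigation, HTTP_PROXY seen with it)."""
    vulnerable_env = cgi_meta_variables(SAMPLE_HEADERS)
    mitigated_env = cgi_meta_variables(unset_request_header(SAMPLE_HEADERS, "Proxy"))
    return outbound_proxy_from_env(vulnerable_env), outbound_proxy_from_env(mitigated_env)


if __name__ == "__main__":
    before, after = demonstrate()
    print("HTTP_PROXY without mitigation:", before)
    print("HTTP_PROXY with 'RequestHeader unset Proxy':", after)
```

The server-side `unset` is the fix Apache recommends because it protects every CGI, FastCGI and mod_php application at once; the `REQUEST_METHOD` check belongs in HTTP client libraries so that an application stays safe even on a front end that has not been updated.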