| Summary: | <www-servers/tomcat-{7.0.73,8.0.37,8.5.5}: HTTPoxy (CVE-2016-5388) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Aaron Bauman (RETIRED) <bman> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | java |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | B4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 598324 | ||
| Bug Blocks: | 589224 | ||
|
Description
Aaron Bauman (RETIRED)
2016-07-20 12:46:05 UTC
CVE-2016-5388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5388): Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability. v8.5.x branch was fixed via v8.5.5 in https://gitweb.gentoo.org/repo/gentoo.git/commit/www-servers/tomcat?id=3de55fc614b7eb6aa2edebb09e059cbc0a0ab1e2 v8.0.x branch was fixed via v8.0.37 in https://gitweb.gentoo.org/repo/gentoo.git/commit/www-servers/tomcat?id=3de55fc614b7eb6aa2edebb09e059cbc0a0ab1e2 We are only missing a bump for v7.0.x branch. @ Maintainer(s): Are you going to bump >=www-servers/tomcat-7.0.72 as well? Stabilization of remaining tomcat-7.x happens in bug 598324. |