589226 – (CVE-2016-5387) <www-servers/apache-{2.2.31-r1,2.4.23-r2}: HTTPoxy (CVE-2016-5387)

Bug 589226 (CVE-2016-5387) - <www-servers/apache-{2.2.31-r1,2.4.23-r2}: HTTPoxy (CVE-2016-5387)

Summary: <www-servers/apache-{2.2.31-r1,2.4.23-r2}: HTTPoxy (CVE-2016-5387)

Status:	RESOLVED FIXED

Alias:	CVE-2016-5387

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [glsa cve]
Keywords:

Depends on:
Blocks:	589224
	Show dependency tree

Reported:	2016-07-20 12:44 UTC by Aaron Bauman (RETIRED)
Modified:	2017-01-15 08:19 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	=www-servers/apache-2.2.31-r1 =www-servers/apache-2.4.23-r2
Runtime testing required:	---

Flags:	kensington: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aaron Bauman (RETIRED) gentoo-dev

2016-07-20 12:44:32 UTC

HTTPoxy vulnerability

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2016-07-20 12:44:58 UTC

CVE-2016-5387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5387):
  The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and
  therefore does not protect applications from the presence of untrusted
  client data in the HTTP_PROXY environment variable, which might allow remote
  attackers to redirect an application's outbound HTTP traffic to an arbitrary
  proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy"
  issue.  NOTE: the vendor states "This mitigation has been assigned the
  identifier CVE-2016-5387"; in other words, this is not a CVE ID for a
  vulnerability.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2016-07-20 13:26:51 UTC

Upstream patch:

https://www.apache.org/security/asf-httpoxy-response.txt

Comment 3 Tomáš Mózes 2016-07-28 06:00:05 UTC

Maybe we could add a 00_mod_header.conf file with a simple:

<IfModule mod_headers.c>
   RequestHeader unset Proxy
</IfModule>

Comment 4 Yury German Gentoo Infrastructure

2016-09-26 05:11:24 UTC

Any updated on this bug?

Comment 5 Yury German Gentoo Infrastructure

2016-11-01 06:13:21 UTC

Please advise Debian and Red-Hat have this fixed in most versions.

Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2016-11-02 14:43:46 UTC

commit 692a27baa1b889755b928d2766f9efee17462291
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Nov 2 15:38:57 2016

    www-servers/apache: Security revbumps for CVE-2016-5387 (bug #589226).

    Also fixes fcgi bug in apache-2.4.23 (bug #591288).

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


Arches please test and mark stable the following *two* versions:

=www-servers/apache-2.2.31-r1
=www-servers/apache-2.4.23-r2

Target KEYWORDS are:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris

Comment 7 Agostino Sarubbo gentoo-dev

2016-11-04 08:21:56 UTC

amd64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2016-11-04 08:25:15 UTC

x86 stable

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2016-11-05 09:01:13 UTC

Stable for HPPA PPC64.

Comment 10 Tobias Klausmann (RETIRED) gentoo-dev

2016-11-14 14:54:01 UTC

Stable on alpha.

Comment 11 Markus Meier gentoo-dev

2016-12-17 15:24:57 UTC

arm stable

Comment 12 Agostino Sarubbo gentoo-dev

2016-12-19 14:36:46 UTC

sparc stable

Comment 13 Agostino Sarubbo gentoo-dev

2016-12-19 15:13:38 UTC

ia64 stable

Comment 14 Agostino Sarubbo gentoo-dev

2016-12-20 09:46:09 UTC

ppc stable.

Maintainer(s), please cleanup.

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2017-01-15 08:19:34 UTC

This issue was resolved and addressed in
 GLSA 201701-36 at https://security.gentoo.org/glsa/201701-36
by GLSA coordinator Aaron Bauman (b-man).