Bug 589226 (CVE-2016-5387) - <www-servers/apache-{2.2.31-r1,2.4.23-r2}: HTTPoxy (CVE-2016-5387)
Summary: <www-servers/apache-{2.2.31-r1,2.4.23-r2}: HTTPoxy (CVE-2016-5387)
Status: RESOLVED FIXED
Alias: CVE-2016-5387
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B4 [glsa cve]
Blocks: 589224
Reported: 2016-07-20 12:44 UTC by Aaron Bauman (RETIRED)
Modified: 2017-01-15 08:19 UTC

Package list:
=www-servers/apache-2.2.31-r1 =www-servers/apache-2.4.23-r2
Runtime testing required: ---
kensington: sanity-check+
Description Aaron Bauman (RETIRED) gentoo-dev 2016-07-20 12:44:32 UTC
HTTPoxy vulnerability
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 12:44:58 UTC
CVE-2016-5387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5387):
  The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and
  therefore does not protect applications from the presence of untrusted
  client data in the HTTP_PROXY environment variable, which might allow remote
  attackers to redirect an application's outbound HTTP traffic to an arbitrary
  proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy"
  issue.  NOTE: the vendor states "This mitigation has been assigned the
  identifier CVE-2016-5387"; in other words, this is not a CVE ID for a
  vulnerability.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-20 13:26:51 UTC
Upstream patch:

https://www.apache.org/security/asf-httpoxy-response.txt
Comment 3 Tomáš Mózes 2016-07-28 06:00:05 UTC
Maybe we could add a 00_mod_header.conf file with a simple:

<IfModule mod_headers.c>
   RequestHeader unset Proxy
</IfModule>
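An added illustration (not code from the bug or from Apache) of why the unset above matters: a small Python model of the RFC 3875 header-to-environment mapping, the legacy proxy lookup that HTTP client libraries used to perform, and the effect of dropping the Proxy header before the CGI environment is built. The request headers are constructed sample data and the proxy host is a made-up placeholder.

```python
# Constructed request headers as a CGI-capable server would receive them.
# The "Proxy" value is a made-up hostile example; nothing is contacted.
SAMPLE_HEADERS = [
    ("Host", "www.example.org"),
    ("Accept", "text/html"),
    ("Accept", "application/xhtml+xml"),
    ("Proxy", "http://proxy.invalid:8080"),
]


def strip_proxy_header(headers):
    """Model of `RequestHeader unset Proxy`: drop the header before the CGI
    environment is built. Header names are case-insensitive, so 'proxy'
    and 'PROXY' have to go as well."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def cgi_meta_variables(headers):
    """RFC 3875 section 4.1.18: each request header becomes HTTP_<NAME>, with
    the name upper-cased and '-' turned into '_'; repeated headers are joined
    with ', '. This is exactly how a client's 'Proxy:' line becomes HTTP_PROXY
    in the CGI child's environment."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        env[key] = value if key not in env else env[key] + ", " + value
    return env


def legacy_http_proxy(env):
    """The lookup many HTTP client libraries did before the httpoxy fixes:
    honour http_proxy or HTTP_PROXY from the environment without asking
    whether the value came from the operating system or from a request
    header. Only the upper-case name can be reached from a header, so an
    administrator's lower-case http_proxy setting is unaffected by the unset."""
    for key in ("http_proxy", "HTTP_PROXY"):
        if env.get(key):
            return env[key]
    return None


if __name__ == "__main__":
    vulnerable_env = cgi_meta_variables(SAMPLE_HEADERS)
    hardened_env = cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS))
    print("without unset:", legacy_http_proxy(vulnerable_env))  # the hostile proxy
    print("with unset:", legacy_http_proxy(hardened_env))  # None
```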
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2016-09-26 05:11:24 UTC
Any updates on this bug?
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2016-11-01 06:13:21 UTC
Please advise; Debian and Red Hat have this fixed in most versions.
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-11-02 14:43:46 UTC
commit 692a27baa1b889755b928d2766f9efee17462291
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Nov 2 15:38:57 2016

    www-servers/apache: Security revbumps for CVE-2016-5387 (bug #589226).

    Also fixes fcgi bug in apache-2.4.23 (bug #591288).

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


Arches please test and mark stable the following *two* versions:

=www-servers/apache-2.2.31-r1
=www-servers/apache-2.4.23-r2

Target KEYWORDS are:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-04 08:21:56 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-04 08:25:15 UTC
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-11-05 09:01:13 UTC
Stable for HPPA PPC64.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-14 14:54:01 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2016-12-17 15:24:57 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-12-19 14:36:46 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-12-19 15:13:38 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-12-20 09:46:09 UTC
ppc stable.

Maintainer(s), please clean up.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-01-15 08:19:34 UTC
This issue was resolved and addressed in
 GLSA 201701-36 at https://security.gentoo.org/glsa/201701-36
by GLSA coordinator Aaron Bauman (b-man).