Bug 589228 (CVE-2016-5388) - <www-servers/tomcat-{7.0.73,8.0.37,8.5.5}: HTTPoxy (CVE-2016-5388)
Summary: <www-servers/tomcat-{7.0.73,8.0.37,8.5.5}: HTTPoxy (CVE-2016-5388)
Alias: CVE-2016-5388
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal (priority), normal (severity)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on: CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797, CVE-2016-6816, CVE-2016-6817, CVE-2016-8735
Blocks: 589224
Reported: 2016-07-20 12:46 UTC by Aaron Bauman (RETIRED)
Modified: 2016-12-13 14:41 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Aaron Bauman (RETIRED) gentoo-dev 2016-07-20 12:46:05 UTC
HTTPoxy vulnerability
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 12:46:30 UTC
CVE-2016-5388 (
  Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC
  3875 section 4.1.18 and therefore does not protect applications from the
  presence of untrusted client data in the HTTP_PROXY environment variable,
  which might allow remote attackers to redirect an application's outbound
  HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an
  HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation
  is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in
  other words, this is not a CVE ID for a vulnerability.
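Added example, not code from Tomcat or from this bug report: the RFC 3875 section 4.1.18 header-to-environment mapping the CVE text refers to, the crafted Proxy header becoming HTTP_PROXY, and the two places it can be stopped (a server-side header allowlist, which is the shape of the fix that went into the Tomcat releases named in this bug, and a client that ignores HTTP_PROXY when it is running under CGI). The allowlist pattern, the request headers, the 203.0.113.7 address and all function names are this example's own constructions.

```python
"""httpoxy (CVE-2016-5388) mechanics, as an added illustration.

Not Tomcat's code. Shows how RFC 3875 section 4.1.18 turns a client-supplied
"Proxy:" header into the HTTP_PROXY meta-variable, why a CGI program that
trusts HTTP_PROXY then talks to the attacker's proxy, and two mitigations.
All request data below is constructed.
"""
import re
from typing import Dict, Mapping, Optional


def cgi_header_env(headers: Mapping[str, str]) -> Dict[str, str]:
    """RFC 3875 4.1.18: every request header field becomes a meta-variable
    named HTTP_ + field name, upper-cased, with '-' replaced by '_'.
    This is the behaviour the CVE text says Tomcat's CGI Servlet followed."""
    return {
        "HTTP_" + name.upper().replace("-", "_"): value
        for name, value in headers.items()
    }


# Server-side fix: only forward headers on an allowlist. Tomcat's fix added a
# configurable regex of permitted header names; the pattern here is this
# example's own choice, not the project's default.
ALLOWED_HEADER_RE = re.compile(
    r"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"
)


def cgi_header_env_filtered(headers: Mapping[str, str],
                            allowed: "re.Pattern[str]" = ALLOWED_HEADER_RE) -> Dict[str, str]:
    """Same mapping, but a header reaches the environment only if its name
    matches the allowlist. 'Proxy' is not on it, so HTTP_PROXY is never set
    from client input."""
    return cgi_header_env({
        name: value for name, value in headers.items()
        if allowed.fullmatch(name.upper())
    })


def outbound_proxy_naive(env: Mapping[str, str]) -> Optional[str]:
    """A client library that honours HTTP_PROXY unconditionally. Under CGI,
    this is the attacker-controlled value."""
    return env.get("HTTP_PROXY") or None


def outbound_proxy_cgi_aware(env: Mapping[str, str]) -> Optional[str]:
    """Client-side fix modelled on the approach CPython's urllib took: a CGI
    server always sets REQUEST_METHOD (required by RFC 3875), so when it is
    present HTTP_PROXY cannot be trusted and is ignored."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or None


# Constructed request: a normal-looking GET carrying a crafted Proxy header.
# 203.0.113.7 is a documentation address standing in for the attacker's host.
CRAFTED_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "curl/7.50.0",
    "Accept": "*/*",
    "Proxy": "http://203.0.113.7:8080",
}


def demo() -> Dict[str, Optional[str]]:
    """Run the vulnerable and both mitigated paths over the crafted request."""
    env = cgi_header_env(CRAFTED_HEADERS)
    env_cgi = dict(env, REQUEST_METHOD="GET")  # what the CGI program actually sees
    return {
        "vulnerable": outbound_proxy_naive(env_cgi),
        "server_allowlist": outbound_proxy_naive(
            dict(cgi_header_env_filtered(CRAFTED_HEADERS), REQUEST_METHOD="GET")),
        "client_cgi_aware": outbound_proxy_cgi_aware(env_cgi),
    }


if __name__ == "__main__":
    for label, proxy in demo().items():
        print(f"{label:17s} outbound proxy = {proxy!r}")
```

The server-side allowlist is the fix that matters for this bug, because it protects every CGI program behind Tomcat regardless of which HTTP client library it uses; the client-side check only helps programs whose libraries were themselves patched.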
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 16:12:40 UTC
v8.5.x branch was fixed via v8.5.5 in

v8.0.x branch was fixed via v8.0.37 in

We are only missing a bump for v7.0.x branch.

@ Maintainer(s): Are you going to bump >=www-servers/tomcat-7.0.72 as well?
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-09 16:06:57 UTC
Stabilization of remaining tomcat-7.x happens in bug 598324.