httpoxy
httpoxy CGI application vulnerability
httpoxy is a vulnerability in CGI environments related to handling the Proxy header:
- RFC3875 puts the HTTP Proxy header from requests into environment variables as HTTP_PROXY
- HTTP_PROXY in a common environment variable used to configure a proxy server
Resolution
This issue will be fixed in pending security updates. Some of the packages affected by this issue are:
CVE-2016-5385: PHP
CVE-2016-5386: Go
CVE-2016-5387: Apache HTTP Server - Update released
CVE-2016-5388: Apache Tomcat
- CVE-2016-1000109: HHVM
- CVE-2016-1000110: Python
Mitigation
The Ubuntu Security team encourages everyone to apply the mitigations listed on the httpoxy information page.
Timeline
2016 Jul 18: The httpoxy disclosure team discloses their findings
SecurityTeam/KnowledgeBase/httpoxy (last edited 2016-07-18 18:31:23 by mdeslaur)