#DEPRECATED
#REFRESH 10 https://ubuntu.com/security/vulnerabilities/httpoxy
== httpoxy CGI application vulnerability ==

[[https://httpoxy.org/|httpoxy]] is a vulnerability in CGI environments related to handling the Proxy header:

 * RFC 3875 puts the HTTP Proxy header from requests into environment variables as HTTP_PROXY
 * HTTP_PROXY is a common environment variable used to configure a proxy server

=== Resolution ===

This issue will be fixed in pending security updates. Some of the packages affected by this issue are:

 * [[https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5385.html|CVE-2016-5385]]: PHP
 * [[https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5386.html|CVE-2016-5386]]: Go
 * [[https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html|CVE-2016-5387]]: Apache HTTP Server - [[http://www.ubuntu.com/usn/usn-3038-1/|Update released]]
 * [[https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5388.html|CVE-2016-5388]]: Apache Tomcat
 * CVE-2016-1000109: HHVM
 * CVE-2016-1000110: Python

=== Mitigation ===

The Ubuntu Security team encourages everyone to apply the mitigations listed on the [[https://httpoxy.org/|httpoxy information page.]]

=== Timeline ===

 * 2016 Jul 18: The httpoxy disclosure team discloses their [[https://httpoxy.org/|findings]]
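
The header-to-variable mapping described at the top of this page can be reproduced in a few lines. The following Python sketch is an added example, not code from Ubuntu or the httpoxy team; the function names, addresses and sample headers are constructed for illustration. It builds a CGI environment from request headers as RFC 3875 describes and shows the effect of dropping the Proxy header first, which is one of the mitigations described on the httpoxy information page.

```python
# Added illustration: names and sample data below are constructed, not from the page.

def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables the way RFC 3875 describes:
    upper-case the name, replace '-' with '_', and prefix 'HTTP_'."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        # Repeated header fields are combined into a single value.
        env[key] = f"{env[key]}, {value}" if key in env else value
    return env


def drop_proxy_header(headers):
    """Remove any client-supplied Proxy header (case-insensitive match)."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]


def build_cgi_environ(server_env, headers, strip_proxy=True):
    """Merge the server's own environment with request-derived meta-variables.

    With strip_proxy=False a request 'Proxy' header becomes HTTP_PROXY and
    replaces whatever the operator configured; with strip_proxy=True the
    operator's value is left untouched.
    """
    if strip_proxy:
        headers = drop_proxy_header(headers)
    environ = dict(server_env)
    environ.update(cgi_meta_variables(headers))
    return environ


# Constructed sample input: operator-set proxy plus one incoming request.
SERVER_ENV = {"HTTP_PROXY": "http://proxy.internal.example:3128"}
REQUEST_HEADERS = [
    ("Host", "www.example.com"),
    ("Proxy", "http://untrusted.example:8080"),
    ("User-Agent", "demo-client"),
]

if __name__ == "__main__":
    unfiltered = build_cgi_environ(SERVER_ENV, REQUEST_HEADERS, strip_proxy=False)
    filtered = build_cgi_environ(SERVER_ENV, REQUEST_HEADERS)
    print("HTTP_PROXY without filtering:", unfiltered["HTTP_PROXY"])
    print("HTTP_PROXY with filtering:   ", filtered["HTTP_PROXY"])
```

Filtering at the web server or reverse proxy, before the request reaches any CGI handler, covers every application behind it regardless of language.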