Debian Security Advisory 3623-1

Debian Security Advisory 3623-1: Posted Jul 20, 2016; Authored by Debian | Site debian.org; Debian Linux Security Advisory 3623-1 - Scott Geary of VendHQ discovered that the Apache HTTPD server used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.; tags | advisory, remote, web, cgi; systems | linux, debian; advisories | CVE-2016-5387; SHA-256 | 3f0f077fa580f9c70a712a8e940ea126c15ee5ca79bb2cc5ae3afdb0dbc13ec9; Download | Favorite | View

Debian Security Advisory 3623-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3623-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 20, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2016-5387

Scott Geary of VendHQ discovered that the Apache HTTPD server used the
value of the Proxy header from HTTP requests to initialize the
HTTP_PROXY environment variable for CGI scripts, which in turn was
incorrectly used by certain HTTP client implementations to configure the
proxy for outgoing HTTP requests. A remote attacker could possibly use
this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request.

For the stable distribution (jessie), this problem has been fixed in
version 2.4.10-10+deb8u5.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXjzUzAAoJEAVMuPMTQ89EUioP+wWzh9kdX1UZM5ATmobng6zu
qL1dAlsjUGf3jPG8M6PP3RSt0Sy/rDcd2L1ktM3PFXwkfrRrvTlZINcCGeUSqs2b
0L7fDZZ36ZUXJr4GC1ohWqvYShG20+aAmSdSLjyhxLPc9k7Cu4GUzIPVJuqJlw4U
66MBgEICyuhNb1NyYp3iunU71j948Fa1VbYoCeT4nA2+AkNOFHeNUwFTqzw3sUJK
7KXKrb0GVTkTt0ox/1iRLUnAouXpm8Z9t0nKsdA1kTH7hsMNGXWwOZZ1NSCstZHG
RWpjW67jjFU7Q/uHvkue2Fe70MXxGmSLOHjd+uUOTDVrvvzev1P+JVZb4QbIjf/x
DHsyuXtIe8GLla+7oSoAx6l9oXc40YJ+ycaE2geNKA1rLKznHaV2xwfa0trnNsK2
ffnxMR1scF6/tk46IlwypTZEADqmSYJqMOTKtWaGUyFMHc8d5Wranvz2kCkvT7o5
gIzPp7kE7ssPEmfkAg6rT0hCb8rUJm8Wy6Ju1pBH9fgw+aWCshnVUlr78z2592sx
XPK9B4J5A9GCUWjq2QQMAEwWEDRt/AIA4ykvWiYBL/TVRYMjCKYr/AEXueQxw5uW
rFtlkjH5hSn56zupDVB9KF9cayvdKPL3BFZjPAGybj7ZpWDS67t91k3Kn/8072QZ
mh8gBTatVkMSIDyYjxn8
=pWeA
-----END PGP SIGNATURE-----

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Debian Security Advisory 3623-1

Debian Security Advisory 3623-1

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Debian Security Advisory 3623-1

Share This

Debian Security Advisory 3623-1

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems