-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3623-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 20, 2016                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2016-5387

Scott Geary of VendHQ discovered that the Apache HTTPD server used the
value of the Proxy header from HTTP requests to initialize the
HTTP_PROXY environment variable for CGI scripts, which in turn was
incorrectly used by certain HTTP client implementations to configure the
proxy for outgoing HTTP requests. A remote attacker could possibly use
this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request.

For the stable distribution (jessie), this problem has been fixed in
version 2.4.10-10+deb8u5.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXjzUzAAoJEAVMuPMTQ89EUioP+wWzh9kdX1UZM5ATmobng6zu
qL1dAlsjUGf3jPG8M6PP3RSt0Sy/rDcd2L1ktM3PFXwkfrRrvTlZINcCGeUSqs2b
0L7fDZZ36ZUXJr4GC1ohWqvYShG20+aAmSdSLjyhxLPc9k7Cu4GUzIPVJuqJlw4U
66MBgEICyuhNb1NyYp3iunU71j948Fa1VbYoCeT4nA2+AkNOFHeNUwFTqzw3sUJK
7KXKrb0GVTkTt0ox/1iRLUnAouXpm8Z9t0nKsdA1kTH7hsMNGXWwOZZ1NSCstZHG
RWpjW67jjFU7Q/uHvkue2Fe70MXxGmSLOHjd+uUOTDVrvvzev1P+JVZb4QbIjf/x
DHsyuXtIe8GLla+7oSoAx6l9oXc40YJ+ycaE2geNKA1rLKznHaV2xwfa0trnNsK2
ffnxMR1scF6/tk46IlwypTZEADqmSYJqMOTKtWaGUyFMHc8d5Wranvz2kCkvT7o5
gIzPp7kE7ssPEmfkAg6rT0hCb8rUJm8Wy6Ju1pBH9fgw+aWCshnVUlr78z2592sx
XPK9B4J5A9GCUWjq2QQMAEwWEDRt/AIA4ykvWiYBL/TVRYMjCKYr/AEXueQxw5uW
rFtlkjH5hSn56zupDVB9KF9cayvdKPL3BFZjPAGybj7ZpWDS67t91k3Kn/8072QZ
mh8gBTatVkMSIDyYjxn8
=pWeA
-----END PGP SIGNATURE-----