[3.2] apache2: sets environmental variable based on user supplied Proxy request header (CVE-2016-5387)
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18
and therefore does not protect applications from
the presence of untrusted client data in the HTTP_PROXY environment
variable, which might allow remote attackers to redirect
an application’s outbound HTTP traffic to an arbitrary proxy server via
a crafted Proxy header in an HTTP request, aka an “httpoxy” issue.
References:
https://www.apache.org/security/asf-httpoxy-response.txt
http://www.securityfocus.com/bid/91816
Patch:
https://www.apache.org/security/asf-httpoxy-response.txt
(from redmine: issue id 5938, created on 2016-07-20, closed on 2017-04-08)
- Relations:
  - parent #5934 (closed)
- Changesets:
  - Revision fb231f9f by Natanael Copa on 2016-07-25T13:01:20Z:
    main/apache2: security fix for CVE-2016-5387
    fixes #5938
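
The header-to-variable mapping behind this issue, as an added example (not code from Apache or from the Alpine package): RFC 3875 section 4.1.18 turns each request header into an `HTTP_*` meta-variable, so a client `Proxy` header lands in `HTTP_PROXY`. The function names, sample headers and the `proxy.invalid` host are constructed for illustration.

```python
# Added illustration; function names and sample data are constructed.

def cgi_meta_name(header_name):
    """RFC 3875 section 4.1.18: 'HTTP_' + upper-cased name, '-' becomes '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(headers, base_env=None, drop=()):
    """Build a CGI environment from (name, value) request headers.

    `drop` lists header names (case-insensitive) removed before the mapping,
    modelling a server that discards the Proxy request header.
    """
    env = dict(base_env or {})
    blocked = {name.lower() for name in drop}
    for name, value in headers:
        lowered = name.lower()
        if lowered in blocked:
            continue
        if lowered in ("content-type", "content-length"):
            # These two have dedicated meta-variables without the HTTP_ prefix.
            env[name.upper().replace("-", "_")] = value
        else:
            env[cgi_meta_name(name)] = value
    return env


def tainted_proxy_vars(env, server_env):
    """Return proxy variables whose value differs from what the server set."""
    watched = ("HTTP_PROXY",)
    return sorted(k for k in watched if k in env and env[k] != server_env.get(k))


# Constructed request carrying a client-supplied Proxy header.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "sample-client/1.0"),
    ("Proxy", "http://proxy.invalid:8080"),
]
SERVER_ENV = {"PATH": "/usr/bin:/bin"}

UNPATCHED = build_cgi_env(SAMPLE_HEADERS, SERVER_ENV)
HARDENED = build_cgi_env(SAMPLE_HEADERS, SERVER_ENV, drop=("Proxy",))

if __name__ == "__main__":
    print("unpatched:", tainted_proxy_vars(UNPATCHED, SERVER_ENV))
    print("hardened: ", tainted_proxy_vars(HARDENED, SERVER_ENV))
```

On a server that cannot be upgraded yet, the `drop` step corresponds to the mod_headers directive `RequestHeader unset Proxy early`, the mitigation given in the ASF response linked above.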