Vulnerability CVE-2016-5387: Information
Description
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
apache2 | sisyphus | 2.4.25-alt1 | 2.4.59-alt1 | ALT-PU-2017-1655-1 | 183315 | Fixed |
apache2 | p10 | 2.4.25-alt1 | 2.4.59-alt1 | ALT-PU-2017-1655-1 | 183315 | Fixed |
apache2 | p9 | 2.4.25-alt1 | 2.4.58-alt1 | ALT-PU-2017-1655-1 | 183315 | Fixed |
apache2 | p8 | 2.4.25-alt2.M80P.1 | 2.4.43-alt1 | ALT-PU-2017-1750-1 | 184324 | Fixed |
apache2 | c10f1 | 2.4.25-alt1 | 2.4.59-alt1 | ALT-PU-2017-1655-1 | 183315 | Fixed |
apache2 | c9f2 | 2.4.25-alt1 | 2.4.59-alt1 | ALT-PU-2017-1655-1 | 183315 | Fixed |
apache2 | c7 | 2.2.31-alt1.M70C.1 | 2.2.31-alt1.M70C.1 | ALT-PU-2016-2274-1 | 172115 | Fixed |
apache2 | p11 | 2.4.25-alt1 | 2.4.59-alt1 | ALT-PU-2017-1655-1 | 183315 | Fixed |