CVE-2016-5387

NameCVE-2016-5387
DescriptionThe Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-553-1, DSA-3623-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)wheezy2.2.22-13+deb7u6vulnerable
wheezy (security)2.2.22-13+deb7u10fixed
jessie2.4.10-10+deb8u9fixed
jessie (security)2.4.10-10+deb8u10fixed
stretch2.4.25-3+deb9u1fixed
stretch (security)2.4.25-3+deb9u2fixed
buster, sid2.4.27-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2source(unstable)2.4.23-2medium
apache2sourcejessie2.4.10-10+deb8u5mediumDSA-3623-1
apache2sourcewheezy2.2.22-13+deb7u7mediumDLA-553-1

Notes

https://www.apache.org/security/asf-httpoxy-response.txt
https://httpoxy.org

Search for package or bug name: Reporting problems