Date:      Wed, 20 Jul 2016 12:25:51 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r418834 - head/security/vuxml
Message-ID:  <201607201225.u6KCPp6I009089@repo.freebsd.org>

Author: feld
Date: Wed Jul 20 12:25:51 2016
New Revision: 418834
URL: https://svnweb.freebsd.org/changeset/ports/418834

Log:
  Remove HTTPoxy entry in vuxml until we know if upstream vendors will
  patch this so things aren't marked vulnerable forever.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Jul 20 11:37:36 2016	(r418833)
+++ head/security/vuxml/vuln.xml	Wed Jul 20 12:25:51 2016	(r418834)
@@ -96,109 +96,6 @@ Notes:
     </dates>
   </vuln>
 
-  <vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf">
-    <topic>Multiple ports -- Proxy HTTP header vulnerability (httpoxy)</topic>
-    <affects>
-      <package>
-	<name>apache22</name>
-	<name>apache22-event-mpm</name>
-	<name>apache22-itk-mpm</name>
-	<name>apache22-peruser-mpm</name>
-	<name>apache22-worker-mpm</name>
-	<range><lt>2.2.31_1</lt></range>
-      </package>
-      <package>
-	<name>apache24</name>
-	<range><lt>2.4.23_1</lt></range>
-      </package>
-      <package>
-	<name>tomcat6</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>tomcat7</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>tomcat8</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>php55</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>php56</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>php70</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>nginx</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>go</name>
-	<range><lt>1.6.3</lt></range>
-      </package>
-      <package>
-	<name>go14</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>python27</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>python33</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>python34</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>python35</name>
-	<range><ge>0</ge></range>
-      </package>
-      <package>
-	<name>haproxy</name>
-	<range><ge>0</ge></range>
-      </package>
-    </affects>
-    <description>
-      <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>httpoxy.org reports:</p>
-	<blockquote cite="https://httpoxy.org/">;
-	  <p>httpoxy is a set of vulnerabilities that affect application code
-	    running in CGI, or CGI-like environments. It comes down to a simple
-	    namespace conflict:.</p>
-	  <ul><li>RFC 3875 (CGI) puts the HTTP Proxy header from a request into
-	      the environment variables as HTTP_PROXY</li>
-	    <li>HTTP_PROXY is a popular environment variable used to configure
-	      an outgoing proxy</li></ul>
-	  <p>This leads to a remotely exploitable vulnerability.</p>
-	</blockquote>
-      </body>
-    </description>
-    <references>
-      <url>https://httpoxy.org/</url>;
-      <url>https://www.kb.cert.org/vuls/id/797896</url>;
-      <url>CVE-2016-5385</url>
-      <url>CVE-2016-5386</url>
-      <url>CVE-2016-5387</url>
-      <url>CVE-2016-5388</url>
-      <url>CVE-2016-1000110</url>
-    </references>
-    <dates>
-      <discovery>2016-07-18</discovery>
-      <entry>2016-07-18</entry>
-      <modified>2016-07-19</modified>
-    </dates>
-  </vuln>
-
   <vuln vid="00cb1469-4afc-11e6-97ea-002590263bf5">
     <topic>atutor -- multiple vulnerabilites</topic>
     <affects>


