Date: Mon, 18 Jul 2016 19:47:27 +0000 (UTC)
From: Bernard Spil <brnrd@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r418737 - head/security/vuxml
Message-ID: <201607181947.u6IJlRTX096840@repo.freebsd.org>
Author: brnrd Date: Mon Jul 18 19:47:27 2016 New Revision: 418737 URL: https://svnweb.freebsd.org/changeset/ports/418737 Log: httpoxy: Mark ports as vulnerable - apache22, apache24, go, go14, php55, php56, php70, python27, python33, python34, python35, nginx are all vulnerable. - No new versions fixing the HTTP Proxy header vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Jul 18 19:12:57 2016 (r418736) +++ head/security/vuxml/vuln.xml Mon Jul 18 19:47:27 2016 (r418737) 
@@ -58,6 +58,99 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf"> + <topic>Multiple ports -- Proxy HTTP header vulnerability (httpoxy)</topic> + <affects> + <package> + <name>apache22</name> + <range><ge>0</ge></range> + </package> + <package> + <name>apache24</name> + <range><ge>0</ge></range> + </package> + <package> + <name>tomcat6</name> + <range><ge>0</ge></range> + </package> + <package> + <name>tomcat7</name> + <range><ge>0</ge></range> + </package> + <package> + <name>tomcat8</name> + <range><ge>0</ge></range> + </package> + <package> + <name>php55</name> + <range><ge>0</ge></range> + </package> + <package> + <name>php56</name> + <range><ge>0</ge></range> + </package> + <package> + <name>php70</name> + <range><ge>0</ge></range> + </package> + <package> + <name>nginx</name> + <range><ge>0</ge></range> + </package> + <package> + <name>go</name> + <range><ge>0</ge></range> + </package> + <package> + <name>go14</name> + <range><ge>0</ge></range> + </package> + <package> + <name>python27</name> + <range><ge>0</ge></range> + </package> + <package> + <name>python33</name> + <range><ge>0</ge></range> + </package> + <package> + <name>python34</name> + <range><ge>0</ge></range> + </package> + <package> + <name>python35</name> + <range><ge>0</ge></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>httpoxy.org reports:</p> + <blockquote cite="https://httpoxy.org/"> + <p>httpoxy is a set of vulnerabilities that affect application code + running in CGI, or CGI-like environments. 
It comes down to a simple + namespace conflict:.</p> + <ul><li>RFC 3875 (CGI) puts the HTTP Proxy header from a request into + the environment variables as HTTP_PROXY</li> + <li>HTTP_PROXY is a popular environment variable used to configure + an outgoing proxy</li></ul> + <p>This leads to a remotely exploitable vulnerability.</p> + </blockquote> + </body> + </description> + <references> + <url>https://httpoxy.org/</url> + <url>https://www.kb.cert.org/vuls/id/797896</url> + <url>CVE-2016-5385</url> + <url>CVE-2016-5386</url> + <url>CVE-2016-5388</url> + <url>CVE-2016-1000110</url> + </references> + <dates> + <discovery>2016-07-18</discovery> + <entry>2016-07-18</entry> + </dates> + </vuln> + <vuln vid="00cb1469-4afc-11e6-97ea-002590263bf5"> <topic>atutor -- multiple vulnerabilites</topic> <affects>
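Review bot: The affects list and the log message disagree: the entry adds tomcat6, tomcat7 and tomcat8 (`<name>tomcat6</name>` and the two following packages), but the log names only the apache, go, php, python and nginx ports, so either the log should list the tomcat ports or the entry should say why they are included. The four references of the form `<url>CVE-2016-5385</url>` are CVE identifiers, not URLs; VuXML has a dedicated `<cvename>` reference element for these, which is what downstream tooling matches on. The quoted description carries a stray period in `namespace conflict:.` that should read `namespace conflict:`. Finally, every package uses `<range><ge>0</ge></range>` with no upper bound, which is consistent with the log's "No new versions fixing" but means these entries will keep flagging the ports after fixed versions ship; a follow-up commit should add `<lt>` bounds per package as fixes land.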