Bug 18991

Summary: apache new security issue CVE-2016-5387
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/694861/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: apache-2.4.10-16.3.mga5.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 19009    

Description David Walser 2016-07-19 18:33:15 CEST 
RedHat has issued an advisory on July 18:
http://rhn.redhat.com/errata/RHSA-2016-1422.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated apache packages fix security vulnerability:

It was discovered that httpd used the value of the Proxy header from HTTP
requests to initialize the HTTP_PROXY environment variable for CGI scripts,
which in turn was incorrectly used by certain HTTP client implementations to
configure the proxy for outgoing HTTP requests. A remote attacker could possibly
use this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request (CVE-2016-5387).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
https://httpoxy.org/
https://access.redhat.com/security/vulnerabilities/httpoxy
http://rhn.redhat.com/errata/RHSA-2016-1422.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.10-16.4.mga5
apache-mod_dav-2.4.10-16.4.mga5
apache-mod_ldap-2.4.10-16.4.mga5
apache-mod_session-2.4.10-16.4.mga5
apache-mod_cache-2.4.10-16.4.mga5
apache-mod_proxy-2.4.10-16.4.mga5
apache-mod_proxy_html-2.4.10-16.4.mga5
apache-mod_suexec-2.4.10-16.4.mga5
apache-mod_userdir-2.4.10-16.4.mga5
apache-mod_ssl-2.4.10-16.4.mga5
apache-mod_dbd-2.4.10-16.4.mga5
apache-htcacheclean-2.4.10-16.4.mga5
apache-devel-2.4.10-16.4.mga5
apache-doc-2.4.10-16.4.mga5

from apache-2.4.10-16.4.mga5.src.rpm
David Walser 2016-07-22 14:18:45 CEST

Blocks: (none) => 19009

Comment 1 David Walser 2016-07-24 00:30:19 CEST 
Here's my own PoC.  With apache-mod_userdir installed, I saved this as foo.php in /home/david/public_html/foo.php:
<?php
print getenv('HTTP_PROXY');
?>

Then, I ran this following command and wrote the two following lines to stdin:
$ telnet localhost 80
GET /~david/foo.php HTTP/1.0
Proxy: wario:3128

Before the update, the output ended in:
wario:3128Connection closed by foreign host.

After the update, the "wario:3128" does not appear (and the Content-Length is 0).

Note that *either* the apache or php update in updates_testing will fix this issue, so if you want to verify the fix for Apache, only install that update and not PHP.

Testing complete Mageia 5 i586.

Whiteboard: (none) => has_procedure MGA5-32-OK

Dave Hodgins 2016-07-26 22:42:49 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Mageia Robot 2016-07-26 23:17:06 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0262.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED