RedHat has issued an advisory on July 18: http://rhn.redhat.com/errata/RHSA-2016-1422.html Patched packages uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated apache packages fix security vulnerability: It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request (CVE-2016-5387). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387 https://httpoxy.org/ https://access.redhat.com/security/vulnerabilities/httpoxy http://rhn.redhat.com/errata/RHSA-2016-1422.html ======================== Updated packages in core/updates_testing: ======================== apache-2.4.10-16.4.mga5 apache-mod_dav-2.4.10-16.4.mga5 apache-mod_ldap-2.4.10-16.4.mga5 apache-mod_session-2.4.10-16.4.mga5 apache-mod_cache-2.4.10-16.4.mga5 apache-mod_proxy-2.4.10-16.4.mga5 apache-mod_proxy_html-2.4.10-16.4.mga5 apache-mod_suexec-2.4.10-16.4.mga5 apache-mod_userdir-2.4.10-16.4.mga5 apache-mod_ssl-2.4.10-16.4.mga5 apache-mod_dbd-2.4.10-16.4.mga5 apache-htcacheclean-2.4.10-16.4.mga5 apache-devel-2.4.10-16.4.mga5 apache-doc-2.4.10-16.4.mga5 from apache-2.4.10-16.4.mga5.src.rpm
Blocks: (none) => 19009
Here's my own PoC. With apache-mod_userdir installed, I saved this as foo.php in /home/david/public_html/foo.php: <?php print getenv('HTTP_PROXY'); ?> Then, I ran this following command and wrote the two following lines to stdin: $ telnet localhost 80 GET /~david/foo.php HTTP/1.0 Proxy: wario:3128 Before the update, the output ended in: wario:3128Connection closed by foreign host. After the update, the "wario:3128" does not appear (and the Content-Length is 0). Note that *either* the apache or php update in updates_testing will fix this issue, so if you want to verify the fix for Apache, only install that update and not PHP. Testing complete Mageia 5 i586.
Whiteboard: (none) => has_procedure MGA5-32-OK
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0262.html
Status: NEW => RESOLVEDResolution: (none) => FIXED