Bug 18991 - apache new security issue CVE-2016-5387
Summary: apache new security issue CVE-2016-5387
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/694861/
Whiteboard: has_procedure MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks: 19009
Reported: 2016-07-19 18:33 CEST by David Walser
Modified: 2016-07-26 23:17 CEST

See Also:
Source RPM: apache-2.4.10-16.3.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-07-19 18:33:15 CEST
RedHat has issued an advisory on July 18:
http://rhn.redhat.com/errata/RHSA-2016-1422.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated apache packages fix security vulnerability:

It was discovered that httpd used the value of the Proxy header from HTTP
requests to initialize the HTTP_PROXY environment variable for CGI scripts,
which in turn was incorrectly used by certain HTTP client implementations to
configure the proxy for outgoing HTTP requests. A remote attacker could possibly
use this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request (CVE-2016-5387).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
https://httpoxy.org/
https://access.redhat.com/security/vulnerabilities/httpoxy
http://rhn.redhat.com/errata/RHSA-2016-1422.html
========================

Updated packages in core/updates_testing:
========================
apache-2.4.10-16.4.mga5
apache-mod_dav-2.4.10-16.4.mga5
apache-mod_ldap-2.4.10-16.4.mga5
apache-mod_session-2.4.10-16.4.mga5
apache-mod_cache-2.4.10-16.4.mga5
apache-mod_proxy-2.4.10-16.4.mga5
apache-mod_proxy_html-2.4.10-16.4.mga5
apache-mod_suexec-2.4.10-16.4.mga5
apache-mod_userdir-2.4.10-16.4.mga5
apache-mod_ssl-2.4.10-16.4.mga5
apache-mod_dbd-2.4.10-16.4.mga5
apache-htcacheclean-2.4.10-16.4.mga5
apache-devel-2.4.10-16.4.mga5
apache-doc-2.4.10-16.4.mga5

from apache-2.4.10-16.4.mga5.src.rpm
David Walser 2016-07-22 14:18:45 CEST

Blocks: (none) => 19009

Comment 1 David Walser 2016-07-24 00:30:19 CEST
Here's my own PoC.  With apache-mod_userdir installed, I saved this as foo.php in /home/david/public_html/foo.php:
<?php
print getenv('HTTP_PROXY');
?>

Then, I ran the following command and wrote the following two lines to stdin:
$ telnet localhost 80
GET /~david/foo.php HTTP/1.0
Proxy: wario:3128

Before the update, the output ended in:
wario:3128Connection closed by foreign host.

After the update, the "wario:3128" does not appear (and the Content-Length is 0).

Note that *either* the apache or php update in updates_testing will fix this issue, so if you want to verify the fix for Apache, only install that update and not PHP.

Testing complete Mageia 5 i586.

Whiteboard: (none) => has_procedure MGA5-32-OK
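
The header-to-environment mapping behind the advisory and the check in Comment 1, as an added Python sketch (not part of the original bug report and not Apache's code). It models the CGI convention of exposing request headers as HTTP_* variables; the `drop_proxy_header` switch and `client_proxy` are hypothetical names, and the request bytes are constructed from the two lines typed in the PoC.

```python
# Added illustration: model of the CGI header -> environment mapping
# (RFC 3875 section 4.1.18) and of a filter that keeps "Proxy" out of it.

# Constructed sample: the request typed into telnet in Comment 1.
SAMPLE_REQUEST = b"GET /~david/foo.php HTTP/1.0\r\nProxy: wario:3128\r\n\r\n"

def parse_headers(raw_request: bytes) -> list:
    """Return (name, value) pairs from a raw HTTP request's header block."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep:                                   # ignore malformed lines
            pairs.append((name.strip(), value.strip()))
    return pairs

def cgi_env(headers: list, drop_proxy_header: bool) -> dict:
    """Build the HTTP_* variables a CGI script would receive.

    drop_proxy_header=False models the behaviour before the update;
    True models the result seen after it (HTTP_PROXY is not set).
    """
    env = {}
    for name, value in headers:
        # Header names are case-insensitive, so compare in lower case.
        if drop_proxy_header and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def client_proxy(env: dict):
    """Hypothetical HTTP client that trusts HTTP_PROXY for outgoing requests."""
    return env.get("HTTP_PROXY")

if __name__ == "__main__":
    headers = parse_headers(SAMPLE_REQUEST)
    for patched in (False, True):
        env = cgi_env(headers, drop_proxy_header=patched)
        print("patched" if patched else "unpatched", env, client_proxy(env))
```

The collision exists because the client-supplied header name `Proxy` maps onto the same variable name that outgoing HTTP clients conventionally read as configuration.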

Dave Hodgins 2016-07-26 22:42:49 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 2 Mageia Robot 2016-07-26 23:17:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0262.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

