[gentoo-announce] [ GLSA 201607-13 ] libbsd: Arbitrary code execution

Package : apache2
Version : 2.2.22-13+deb7u7
CVE ID : CVE-2016-5387

Scott Geary of VendHQ discovered that the Apache HTTPD server used the
value of the Proxy header from HTTP requests to initialize the
HTTP_PROXY environment variable for CGI scripts, which in turn was
incorrectly used by certain HTTP client implementations to configure the
proxy for outgoing HTTP requests. A remote attacker could possibly use
this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request.

For Debian 7 "Wheezy", this problem has been fixed in version
2.2.22-13+deb7u7.

We recommend that you upgrade your apache2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

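The header-to-environment mapping the advisory describes, as an added Python example that is not part of the advisory or of Apache's code: it follows the CGI naming convention (RFC 3875) and shows the effect of dropping the `Proxy` header on the server side or ignoring `HTTP_PROXY` under CGI on the client side. The function names, the simplified client model and the sample request are constructed assumptions.

```python
# Added example: models the header-to-environment mapping behind CVE-2016-5387.
# All names and the sample request below are constructed for illustration.

def cgi_environment(headers, strip_proxy_header=False):
    """Build CGI meta-variables from (name, value) request header pairs.

    Follows the CGI convention (RFC 3875, 4.1.18): upper-case the header name,
    turn '-' into '_' and prefix 'HTTP_'. A 'Proxy' header therefore lands in
    HTTP_PROXY, the same name many HTTP clients read their proxy setting from.
    """
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        key = name.strip().upper().replace("-", "_")
        if strip_proxy_header and key == "PROXY":
            continue  # mitigation: never forward the client's Proxy header
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value  # these two are passed without the HTTP_ prefix
        else:
            env["HTTP_" + key] = value
    return env


def outgoing_proxy(env, trust_http_proxy_in_cgi=True):
    """Proxy a simple HTTP client inside the CGI script would pick from env.

    With trust_http_proxy_in_cgi=False the client ignores HTTP_PROXY whenever
    REQUEST_METHOD is set, i.e. whenever it is running under CGI.
    """
    if not trust_http_proxy_in_cgi and "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


# Constructed request: the Proxy header is untrusted, client-supplied input.
SAMPLE_REQUEST = [
    ("Host", "www.example.org"),
    ("User-Agent", "curl/7.50.0"),
    ("proxy", "http://proxy.example.net:8080"),
]

if __name__ == "__main__":
    mapped = cgi_environment(SAMPLE_REQUEST)
    stripped = cgi_environment(SAMPLE_REQUEST, strip_proxy_header=True)
    print("header mapped, naive client   :", outgoing_proxy(mapped))
    print("header dropped, naive client  :", outgoing_proxy(stripped))
    print("header mapped, guarded client :", outgoing_proxy(mapped, False))
```

Either control alone breaks the chain; header names are matched case-insensitively, so `proxy`, `Proxy` and `PROXY` all map to the same variable.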
