svn commit: r418834 - head/security/vuxml
Mark Felder
feld at FreeBSD.org
Wed Jul 20 12:25:53 UTC 2016
Author: feld
Date: Wed Jul 20 12:25:51 2016
New Revision: 418834
URL: https://svnweb.freebsd.org/changeset/ports/418834
Log:
Remove HTTPoxy entry in vuxml until we know if upstream vendors will
patch this so things aren't marked vulnerable forever.
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Wed Jul 20 11:37:36 2016 (r418833)
+++ head/security/vuxml/vuln.xml Wed Jul 20 12:25:51 2016 (r418834)
@@ -96,109 +96,6 @@ Notes:
</dates>
</vuln>
- <vuln vid="cf0b5668-4d1b-11e6-b2ec-b499baebfeaf">
- <topic>Multiple ports -- Proxy HTTP header vulnerability (httpoxy)</topic>
- <affects>
- <package>
- <name>apache22</name>
- <name>apache22-event-mpm</name>
- <name>apache22-itk-mpm</name>
- <name>apache22-peruser-mpm</name>
- <name>apache22-worker-mpm</name>
- <range><lt>2.2.31_1</lt></range>
- </package>
- <package>
- <name>apache24</name>
- <range><lt>2.4.23_1</lt></range>
- </package>
- <package>
- <name>tomcat6</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>tomcat7</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>tomcat8</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>php55</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>php56</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>php70</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>nginx</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>go</name>
- <range><lt>1.6.3</lt></range>
- </package>
- <package>
- <name>go14</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>python27</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>python33</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>python34</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>python35</name>
- <range><ge>0</ge></range>
- </package>
- <package>
- <name>haproxy</name>
- <range><ge>0</ge></range>
- </package>
- </affects>
- <description>
- <body xmlns="http://www.w3.org/1999/xhtml">
- <p>httpoxy.org reports:</p>
- <blockquote cite="https://httpoxy.org/">
- <p>httpoxy is a set of vulnerabilities that affect application code
- running in CGI, or CGI-like environments. It comes down to a simple
- namespace conflict:.</p>
- <ul><li>RFC 3875 (CGI) puts the HTTP Proxy header from a request into
- the environment variables as HTTP_PROXY</li>
- <li>HTTP_PROXY is a popular environment variable used to configure
- an outgoing proxy</li></ul>
- <p>This leads to a remotely exploitable vulnerability.</p>
- </blockquote>
- </body>
- </description>
- <references>
- <url>https://httpoxy.org/</url>
- <url>https://www.kb.cert.org/vuls/id/797896</url>
- <url>CVE-2016-5385</url>
- <url>CVE-2016-5386</url>
- <url>CVE-2016-5387</url>
- <url>CVE-2016-5388</url>
- <url>CVE-2016-1000110</url>
- </references>
- <dates>
- <discovery>2016-07-18</discovery>
- <entry>2016-07-18</entry>
- <modified>2016-07-19</modified>
- </dates>
- </vuln>
-
<vuln vid="00cb1469-4afc-11e6-97ea-002590263bf5">
<topic>atutor -- multiple vulnerabilites</topic>
<affects>
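Review bot: the removal also drops the packages that already carry a fixed version (apache22 and its MPM variants at `<lt>2.2.31_1</lt>`, apache24 at `<lt>2.4.23_1</lt>`, go at `<lt>1.6.3</lt>`), not only the open-ended `<range><ge>0</ge></range>` ones that cause the "vulnerable forever" problem named in the log, so hosts on older apache or go builds stop being flagged. Consider keeping the `cf0b5668-4d1b-11e6-b2ec-b499baebfeaf` entry with just the bounded packages, removing only the `<ge>0</ge>` packages (tomcat6/7/8, php55/56/70, nginx, go14, python27/33/34/35, haproxy) until fix versions exist, and bumping `<modified>`. If the entry is re-added later, the CVE ids under `<references>` belong in `<cvename>` rather than `<url>`, and the stray "conflict:." in the quoted text can be cleaned up at the same time.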