Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 Jul 2016 08:17:03 -0600
From: Kurt Seifried <>
To: oss-security <>
Subject: Re: A CGI application vulnerability for PHP, Go,
 Python and others

Also the current list of CVEs is:

CVE-2016-5385 PHP
CVE-2016-5386 Go
CVE-2016-5387 Apache HTTPD
CVE-2016-1000104 mod_fcgi
CVE-2016-1000105 Nginx cgi script
CVE-2016-5388 Tomcat
CVE-2016-1000107 Erlang HTTP Server
CVE-2016-1000108 YAWS
CVE-2016-1000109 HHVM FastCGI
CVE-2016-1000110 Python CGIHandler
CVE-2016-1000111 Python twisted

there will of course be more. From my Google doc:

CVE counting for httpoxy

This document essentially discusses the CVE counting strategy for the
httpoxy issue.

Essentially there are two main cases where a CVE is assigned for the
httpoxy issue:


   A web server, programming language or framework (and in some limited
   situations the application itself) sets the environmental variable
   HTTP_PROXY from the user supplied Proxy header in the web request, or sets
   a similarly used variable (essentially when the request header turns from
   harmless data into a potentially harmful environmental variable)

   A web application makes use of HTTP_PROXY or similar variable unsafely
   (e.g. fails to check the request type) resulting in an attacker controlled
   proxy being used (essentially when HTTP_PROXY is actually used unsafely)

Some  examples of situations where a web server, programming language or
framework would qualify for a CVE regarding httpoxy:


   PHP passes the proxy as HTTP_PROXY, as such applications commonly import
   and use HTTP_*

   mod_cgi/fast_cgi and related CGI programs set HTTP_PROXY based on the
   request header

   An application uses an HTTP request library that trusts HTTP_PROXY
   resulting in attacker control of requests

Some  examples of situations where a web server, programming language or
framework would NOT qualify for a CVE regarding httpoxy:


   A web server such as Apache passes the proxy header to a programming
   language or framework

   A library trusts HTTP_PROXY, the library does not earn a CVE, the
   application using it would qualify for a CVE, and generally speaking
   whatever set the HTTP_PROXY variable would also earn a CVE

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.