lighttpd: CVE-2016-1000212: HTTP Server sets environmental variable HTTP_PROXY based on user supplied Proxy request header (httpoxy)


Debian Bug report logs - #832571
lighttpd: CVE-2016-1000212: HTTP Server sets environmental variable HTTP_PROXY based on user supplied Proxy request header (httpoxy)


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 27 Jul 2016 05:00:02 UTC

Severity: important

Tags: security, upstream

Found in version lighttpd/1.4.31-4

Fixed in versions lighttpd/1.4.35-4+deb8u1, lighttpd/1.4.31-4+deb7u5, lighttpd/1.4.43-1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>:
Bug#832571; Package src:lighttpd. (Wed, 27 Jul 2016 05:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>. (Wed, 27 Jul 2016 05:00:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lighttpd: CVE-2016-100021: HTTP Server sets environmental variable HTTP_PROXY based on user supplied Proxy request header (httpoxy)
Date: Wed, 27 Jul 2016 06:57:03 +0200
Source: lighttpd
Version: 1.4.31-4
Severity: important
Tags: security upstream

Hi,

lighttpd added a mitigation for the httpoxy issue, like done for the
Apache webserver.

CVE-2016-1000212[0]:
Mitigation for HTTPoxy vulnerability

If you fix the issue please also make sure to include the CVE (Common
Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1000212

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
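The report above names the mechanism but does not spell it out. The following is an added illustration, not lighttpd's code and not part of the bug report, of why a client-supplied "Proxy" header is a problem for servers that hand requests to CGI or FastCGI programs: RFC 3875 derives the child's environment variable names from request header names (uppercase, "-" to "_", prefix "HTTP_"), so "Proxy" becomes HTTP_PROXY, a variable many HTTP client libraries honour. The function names, the blocklist and the sample header block are all constructed for this example; the mitigation shown (refusing to export that header) is the same shape as what lighttpd and Apache adopted.

```python
import re

# RFC 3875 section 4.1.18: a request header is exposed to the CGI child as
# HTTP_<NAME>, where <NAME> is the header name upper-cased with every
# character that is not A-Z or 0-9 replaced by '_'.
def cgi_meta_variable(header_name: str) -> str:
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header_name.upper())


# Header names whose derived variable collides with one that HTTP client
# libraries read from the environment. "Proxy" -> HTTP_PROXY is the httpoxy
# case; a server must never let a client populate it. (Constructed list.)
BLOCKED_HEADERS = frozenset({"proxy"})


def parse_header_block(raw: str):
    """Parse 'Name: value' lines (a constructed request, not a capture)."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers


def build_cgi_environment(headers, mitigate: bool = True) -> dict:
    """Map request headers to CGI meta-variables.

    mitigate=False reproduces the vulnerable behaviour: every header,
    including "Proxy", is exported.  mitigate=True is the hardened form:
    blocked headers are dropped before the environment is built, so the
    child never sees an attacker-controlled HTTP_PROXY.
    """
    env = {}
    for name, value in headers:
        if mitigate and name.lower() in BLOCKED_HEADERS:
            continue
        env[cgi_meta_variable(name)] = value
    return env


def environment_is_safe(env: dict) -> bool:
    """Audit check: True when no blocked header leaked into the environment."""
    return not any(cgi_meta_variable(h) in env for h in BLOCKED_HEADERS)


# Constructed sample request; 192.0.2.10 is a documentation (TEST-NET-1) address.
SAMPLE_REQUEST_HEADERS = (
    "Host: www.example.com\n"
    "User-Agent: constructed-client/1.0\n"
    "Proxy: http://192.0.2.10:8080\n"
)

if __name__ == "__main__":
    headers = parse_header_block(SAMPLE_REQUEST_HEADERS)
    for label, mitigate in (("unmitigated", False), ("mitigated", True)):
        env = build_cgi_environment(headers, mitigate=mitigate)
        print(f"{label}: HTTP_PROXY={env.get('HTTP_PROXY')!r} "
              f"safe={environment_is_safe(env)}")
```

The same derivation rule is what makes the issue generic across servers: any CGI-style gateway that does not special-case "Proxy" will produce HTTP_PROXY, so the check in environment_is_safe is a useful one-liner to run against whatever environment a gateway actually passes to its children.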



Changed Bug title to 'lighttpd: CVE-2016-1000212: HTTP Server sets environmental variable HTTP_PROXY based on user supplied Proxy request header (httpoxy)' from 'lighttpd: CVE-2016-100021: HTTP Server sets environmental variable HTTP_PROXY based on user supplied Proxy request header (httpoxy)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 02 Aug 2016 12:27:08 GMT) (full text, mbox, link).


Marked as fixed in versions lighttpd/1.4.31-4+deb7u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 02 Aug 2016 17:42:04 GMT) (full text, mbox, link).


Marked as fixed in versions lighttpd/1.4.35-4+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 02 Aug 2016 18:21:07 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 02 Aug 2016 18:21:08 GMT) (full text, mbox, link).


Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Sat, 26 Nov 2016 06:36:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 26 Nov 2016 06:36:07 GMT) (full text, mbox, link).


Message #18 received at 832571-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>
To: 832571-close@bugs.debian.org
Subject: Bug#832571: fixed in lighttpd 1.4.43-1
Date: Sat, 26 Nov 2016 06:33:27 +0000
Source: lighttpd
Source-Version: 1.4.43-1

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832571@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 Nov 2016 05:09:35 +0000
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source
Version: 1.4.43-1
Distribution: unstable
Urgency: medium
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 774664 806523 828421 832571 841732
Changes:
 lighttpd (1.4.43-1) unstable; urgency=medium
 .
   * New upstream release (closes: #841732).
     - Fixes CVE-2016-1000212 (closes: #832571).
     - Adds support for openssl 1.1.0 (closes: #828421).
   * Update standards version.
   * Fix lsb-base lintian error.
   * Add Glenn Strauss signing key.
   * Use upstream's systemd service file.
   * Recommend php5-cgi (closes: #774664).
   * Suggest lighttpd-doc (closes: #806523).
   * Use default-libmysqlclient-dev build dependency.
Checksums-Sha1:
 0ef98efdebd43d9f996de39c52423f18ed803a81 3503 lighttpd_1.4.43-1.dsc
 015c6f91bac15fe71ae9ed08fde78cdcb582fcfd 984369 lighttpd_1.4.43.orig.tar.gz
 111deece9fc2d251f66f5ab89231f643da949c7b 45956 lighttpd_1.4.43-1.debian.tar.xz
Checksums-Sha256:
 22bb88191f62bf0887efc2e973efeb2456b63f401a9e04ce0ca67bd41d546c85 3503 lighttpd_1.4.43-1.dsc
 29cb2d58ba60edf5243ca76a3dcda2279470104cfc9a2e58409baefe47986fde 984369 lighttpd_1.4.43.orig.tar.gz
 eea6d38f47e9e0396dcc4d08a67ac3b02c72c5bb593f2083fb9da86f36e6108a 45956 lighttpd_1.4.43-1.debian.tar.xz
Files:
 bf6206f5148e62685c79c581414cd310 3503 httpd optional lighttpd_1.4.43-1.dsc
 8c2dd3d9f7933b0f05c9bb61c54666af 984369 httpd optional lighttpd_1.4.43.orig.tar.gz
 6974acee07806db729b52308ffe1d2e8 45956 httpd optional lighttpd_1.4.43-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 09:14:34 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:20:54 2019; Machine Name: buxtehude
