Candidate: CVE-2016-1000108
PublicDate: 2019-12-10 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000108
 https://marc.info/?l=oss-security&m=146885145004975&w=2
Description:
 yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18
 namespace conflicts and therefore does not protect CGI applications from
 the presence of untrusted client data in the HTTP_PROXY environment
 variable, which might allow remote attackers to redirect a CGI
 application's outbound HTTP traffic to an arbitrary proxy server via a
 crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_yaws:
upstream_yaws: needed
precise_yaws: ignored (reached end-of-life)
precise/esm_yaws: DNE (precise was needed)
trusty_yaws: ignored (reached end-of-life)
trusty/esm_yaws: DNE (trusty was needed)
vivid/stable-phone-overlay_yaws: DNE
vivid/ubuntu-core_yaws: DNE
wily_yaws: ignored (reached end-of-life)
xenial_yaws: ignored (end of standard support, was needed)
yakkety_yaws: ignored (reached end-of-life)
zesty_yaws: ignored (reached end-of-life)
artful_yaws: ignored (reached end-of-life)
bionic_yaws: not-affected (2.0.3-2)
cosmic_yaws: not-affected (2.0.3-2)
disco_yaws: not-affected (2.0.3-2)
eoan_yaws: not-affected (2.0.3-2)
focal_yaws: not-affected (2.0.3-2)
groovy_yaws: not-affected (2.0.3-2)
hirsute_yaws: not-affected (2.0.3-2)
impish_yaws: not-affected (2.0.3-2)
jammy_yaws: not-affected (2.0.3-2)
devel_yaws: not-affected (2.0.3-2)