Candidate: CVE-2016-1000109
PublicDate: 2020-02-19 13:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000109
 https://www.kb.cert.org/vuls/id/JLAD-ABYJS2
Description:
 HHVM does not attempt to address RFC 3875 section 4.1.18 namespace
 conflicts and therefore does not protect CGI applications from the presence
 of untrusted client data in the HTTP_PROXY environment variable, which
 might allow remote attackers to redirect a CGI application's outbound HTTP
 traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP
 request, aka an "httpoxy" issue. This issue affects HHVM versions prior to
 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions
 between 3.13.0 and 3.14.2 (inclusive).
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]

Patches_hhvm:
 upstream: https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25
 upstream: https://github.com/facebook/hhvm/commit/5e689baa819c5018799beafc50868c80efd8d74e (tests)
upstream_hhvm: released (3.12.11+dfsg-1)
precise_hhvm: DNE
precise/esm_hhvm: DNE
trusty_hhvm: DNE
trusty/esm_hhvm: DNE
vivid/stable-phone-overlay_hhvm: DNE
vivid/ubuntu-core_hhvm: DNE
xenial_hhvm: ignored (end of standard support, was needed)
yakkety_hhvm: DNE
zesty_hhvm: not-affected (3.12.11+dfsg-1build1)
artful_hhvm: not-affected (3.12.11+dfsg-1build1)
bionic_hhvm: not-affected (3.12.11+dfsg-1build1)
cosmic_hhvm: DNE
disco_hhvm: DNE
eoan_hhvm: DNE
focal_hhvm: DNE
groovy_hhvm: DNE
hirsute_hhvm: DNE
impish_hhvm: DNE
jammy_hhvm: DNE
devel_hhvm: DNE