CVE-2016-5387 (retired)

Priority
Description
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and
therefore does not protect applications from the presence of untrusted
client data in the HTTP_PROXY environment variable, which might allow
remote attackers to redirect an application's outbound HTTP traffic to an
arbitrary proxy server via a crafted Proxy header in an HTTP request, aka
an "httpoxy" issue. NOTE: the vendor states "This mitigation has been
assigned the identifier CVE-2016-5387"; in other words, this is not a CVE
ID for a vulnerability.
Package
Upstream:needs-triage
Ubuntu 14.04 LTS (Trusty Tahr):released (2.4.7-1ubuntu4.13)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.4.18-2ubuntu3.1)
More Information

Updated: 2019-03-26 12:22:09 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)