[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

httpoxy efforts?


Probably everyone has read the news about httpoxy[0] in the meantime.

It seems there's a patch from Apache for 2.2 and 2.4 which simply drops
the header, thereby working around software behind it (e.g. anything
CGI, mod_PHP) that would use the header/envvar in a insecure fashion.

Is this already known to the respective maintainers? Will there be a
fixed version for oldstable's 2.2?

What about PHP? I've read that a CVE was assigned to that as well, but
couldn't really find out what it is about or whether they've already
made some patches.

Should Debian users be suggested in a DSA to do the workarounds like
RequestHeader unset Proxy early
in Apache? Or will the patches come soon enough to make that useless?


[0] https://httpoxy.org/

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: