Hey.

Probably everyone has read the news about httpoxy[0] in the meantime.

It seems there's a patch from Apache for 2.2 and 2.4 which simply drops the header, thereby working around software behind it (e.g. anything CGI, mod_PHP) that would use the header/envvar in an insecure fashion.

Is this already known to the respective maintainers? Will there be a fixed version for oldstable's 2.2?

What about PHP? I've read that a CVE was assigned to that as well, but couldn't really find out what it is about or whether they've already made some patches.

Should Debian users be suggested in a DSA to do the workarounds like e.g.:
    RequestHeader unset Proxy early
in Apache? Or will the patches come soon enough to make that useless?

Thanks,
Chris.

[0] https://httpoxy.org/
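The header/envvar clash mentioned in the message above, as an added example that is not part of the original mail and is not Apache's or PHP's code: a simplified model of the RFC 3875 mapping of request headers to `HTTP_*` variables, with and without the effect of `RequestHeader unset Proxy early`. The function names, the `base_env` parameter and the sample hosts are assumptions made for illustration.

```python
# Added illustration, not Apache's or PHP's code: simplified model of the
# RFC 3875 header-to-meta-variable mapping behind the HTTP_PROXY name clash.

# Constructed sample request; the .invalid/.example hosts are placeholders.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("Accept", "*/*"),
    ("Proxy", "http://untrusted.invalid:8080"),
]


def cgi_environ(headers, base_env=None, unset_proxy=False):
    """Build the environment a CGI-style handler would see.

    headers:     (name, value) pairs as sent by the client.
    base_env:    variables the administrator set for the server process
                 (hypothetical parameter for this model).
    unset_proxy: drop the Proxy header before mapping, which is the effect
                 of 'RequestHeader unset Proxy early' on the front end.
    """
    env = dict(base_env or {})
    for name, value in headers:
        # Header names are case-insensitive, so compare in lower case.
        if unset_proxy and name.lower() == "proxy":
            continue
        # RFC 3875: upper-case the name, turn '-' into '_', prefix 'HTTP_'.
        # A client header named Proxy therefore lands on HTTP_PROXY and
        # shadows a value the administrator configured on purpose.
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_seen_by_app(env):
    """What code that trusts the HTTP_PROXY variable would pick up."""
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    # Constructed administrator setting for the outbound proxy.
    admin_env = {"HTTP_PROXY": "http://egress.example:3128"}
    for unset in (False, True):
        env = cgi_environ(SAMPLE_HEADERS, admin_env, unset_proxy=unset)
        print("unset_proxy=%s -> HTTP_PROXY=%s" % (unset, proxy_seen_by_app(env)))
```
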