Bug 1353760 (CVE-2016-1000104)
| Summary: | CVE-2016-1000104 mod_fcgid: mod_fcgid sets environmental variable based on user supplied Proxy request header | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | anemec, crrobins, jorton, sardella, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-07-15 01:29:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1353762 | | |

Description
Kurt Seifried
2016-07-07 23:04:30 UTC
Acknowledgments:
Name: Scott Geary (VendHQ)

Statement:
This issue is addressed through the Apache HTTPD update for CVE-2016-5387, which prevents the Proxy header from automatically being converted into the HTTP_PROXY environmental variable. Unless the "FcgidPassHeader Proxy" is used, mod_fcgid is not vulnerable to this attack when used with updated HTTPD. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
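
The statement above leaves one configuration exposed on an updated HTTPD: an active "FcgidPassHeader Proxy" directive. The following audit sketch is an added example, not part of the bug report or of mod_fcgid; the function names and the sample configuration are constructed for illustration, and it inspects only the text it is given (it does not follow Include directives).

```python
import shlex

# Constructed sample httpd configuration (not taken from the bug report).
SAMPLE_CONF = '''\
# FcgidPassHeader Proxy   (commented out: not active)
FcgidPassHeader Authorization
<VirtualHost *:80>
    ServerName app.example.test
    fcgidpassheader \\
        "proxy"
</VirtualHost>
<VirtualHost *:8080>
    FcgidPassHeader X-Proxy
</VirtualHost>
'''


def logical_lines(text):
    """Yield (first_line_no, text), joining httpd backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", 0


def find_proxy_passthrough(text):
    """Return (line_no, enclosing section) for each active FcgidPassHeader Proxy."""
    findings, sections = [], []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            sections = sections[:-1]
        elif line.startswith("<"):
            sections.append(line.strip("<>").strip())
        else:
            words = shlex.split(line)
            # Directive names and HTTP header names are case-insensitive.
            if [w.lower() for w in words[:2]] == ["fcgidpassheader", "proxy"]:
                findings.append((no, sections[-1] if sections else "server config"))
    return findings


if __name__ == "__main__":
    for no, where in find_proxy_passthrough(SAMPLE_CONF):
        print(f"line {no} ({where}): Proxy request header is passed to FastCGI")
```

Run it over each configuration file httpd loads; an empty result means the directive named in the statement is not active in that file.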