Dominic Scheirlinck of VendHQ reports: Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.
Acknowledgments: Name: Scott Geary (VendHQ)
Created python tracking bugs for this issue: Affects: fedora-all [bug 1359175]
Created python26 tracking bugs for this issue: Affects: epel-5 [bug 1359178]
Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1359177]
Created python34 tracking bugs for this issue: Affects: epel-7 [bug 1359179]
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Via RHSA-2016:1627 https://rhn.redhat.com/errata/RHSA-2016-1627.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2016:1626 https://rhn.redhat.com/errata/RHSA-2016-1626.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2016:1628 https://rhn.redhat.com/errata/RHSA-2016-1628.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2016:1630 https://rhn.redhat.com/errata/RHSA-2016-1630.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2016:1629 https://rhn.redhat.com/errata/RHSA-2016-1629.html