HTTPOXY - Nginx/FastCGI CVE-2016-5385: PHP


#1

https://httpoxy.org/

fastcgi_param HTTP_PROXY "";

Is EasyEngine vulnerable to the exploit above?


#2

@brianjking We have released an update to fix the same.

Please make sure you run sudo ee update at the earliest possible.


#3

@ssalil

I have executed ee update, however, now I’m shown this message:

Configuration file '/etc/nginx/fastcgi.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.

When I execute D to show the changes I am shown the following:

--- /etc/nginx/fastcgi.conf     2016-07-20 08:45:31.435616495 -0400
+++ /etc/nginx/fastcgi.conf.dpkg-new    2016-07-19 07:30:19.000000000 -0400
@@ -24,4 +24,6 @@

 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
-fastcgi_param  HTTP_PROXY         "";
+
+# To fix CGI application vulnerability - https://httpoxy.org
+fastcgi_param  HTTP_PROXY      "";
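Review bot: the removed line and the added line both set `fastcgi_param  HTTP_PROXY  "";`, differing only in column spacing and the new explanatory comment, so the locally modified /etc/nginx/fastcgi.conf already carried the mitigation and installing the maintainer's version neither adds nor removes protection here; the prompt should not be read as the patch being absent. Whichever version is kept, run `nginx -t` and reload nginx afterwards so the file on disk is actually the one in effect.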

#4

Choose Y, to use maintainer’s version.


#5

To add the patch for the mentioned vulnerability, the default config file had to be changed, hence the message.
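The following is an added illustration for the thread, not EasyEngine or nginx code, covering the mitigation line from post #1 and the config-file question in post #5. It models the two moving parts of httpoxy: the CGI rule that turns a request header named `Proxy` into the meta-variable `HTTP_PROXY` (RFC 3875 section 4.1.18), and the `fastcgi_param HTTP_PROXY "";` directive that pins that variable to an empty string regardless of what the client sent. It also includes a small checker that reads a fastcgi config file and reports whether the directive is present. The sample headers and config texts are constructed here; the "explicit params override header-derived values, last directive wins" rule is a simplification of how nginx and PHP-FPM actually exchange parameters, assumed for the model.

```python
"""Model of the httpoxy header-to-environment mapping and its nginx mitigation.

Added example; not code from the forum thread, EasyEngine or nginx.
"""
import re

# Constructed sample request: a client supplied a `Proxy` request header.
SAMPLE_HEADERS = {"Host": "example.test", "Proxy": "http://proxy.example:8080"}

# Constructed config fragments shaped like the fastcgi.conf lines in the thread.
UNMITIGATED_CONF = """
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;
"""
MITIGATED_CONF = UNMITIGATED_CONF + """
# To fix CGI application vulnerability - https://httpoxy.org
fastcgi_param  HTTP_PROXY      "";
"""

_PARAM_RE = re.compile(r'^\s*fastcgi_param\s+(\S+)\s+(.*?)\s*;\s*(?:#.*)?$')


def cgi_environ(headers):
    """Map request headers to CGI meta-variables the way RFC 3875 prescribes:
    upper-case the name, turn '-' into '_', prefix with 'HTTP_'.
    This is exactly why a `Proxy` header lands in HTTP_PROXY."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def fastcgi_params(config_text):
    """Parse `fastcgi_param NAME value;` directives from nginx config text.
    Comment-only lines are skipped and surrounding quotes are stripped.
    Assumption of this model: a later directive for the same name wins."""
    params = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _PARAM_RE.match(line)
        if not m:
            continue
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        params[m.group(1)] = value
    return params


def effective_environ(headers, config_text):
    """Environment the PHP process would see: header-derived variables first,
    then explicit fastcgi_param values layered on top (model assumption)."""
    env = cgi_environ(headers)
    env.update(fastcgi_params(config_text))
    return env


def httpoxy_mitigated(config_text):
    """True when the config pins HTTP_PROXY to the empty string."""
    return fastcgi_params(config_text).get("HTTP_PROXY") == ""


def check_file(path):
    """Read a real fastcgi config (e.g. /etc/nginx/fastcgi.conf) and report."""
    with open(path, encoding="utf-8") as fh:
        return httpoxy_mitigated(fh.read())


def demo():
    """Return HTTP_PROXY as seen by PHP before and after the mitigation."""
    before = effective_environ(SAMPLE_HEADERS, UNMITIGATED_CONF)
    after = effective_environ(SAMPLE_HEADERS, MITIGATED_CONF)
    return before.get("HTTP_PROXY"), after.get("HTTP_PROXY")


if __name__ == "__main__":
    print("HTTP_PROXY before/after mitigation:", demo())
```

Run `check_file("/etc/nginx/fastcgi.conf")` on a host after `ee update` to confirm the directive survived the dpkg prompt; it only inspects the file nginx includes, so server blocks that include a different params file need checking separately.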

