ACCESS

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alcatel-Lucent

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apache HTTP Server Project

Notified:  July 12, 2016 Updated: July 18, 2016

Statement Date:   July 14, 2016

Status

  Affected

Vendor Statement

The Apache Software Foundation has discovered no examples of condition 2 described in the [redacted] report, and has determined there is no "vulnerability" per se in ASF software, which conform to both RFC822 (circa 1982) and CGI/1.1 de facto standard (circa 1995, superseded by CGI/1.1 IANA spec RFC 3875). Several ASF projects participate in HTTP requests in the manners described under condition 1. The list of projects that will offer one or more mitigations include but are not limited to:

* Apache HTTP Server (httpd) (Tracked as CVE-2016-5387)
* Apache Tomcat Server (Tracked as CVE-2016-5388)
* Apache Traffic Server (ATS) (Tracking is not applicable)

Projects and subprojects impacted by the Apache HTTP Server mitigations will include mod_fcgid (Apache HTTP Project) and mod_perl (Apache Perl Project), as well as external projects such as mod_wsgi, all hopefully under CVE-2016-5387. Note specifically that any CVE related to mod_fcgi[d] must be ignored, as it duplicates CVE-2016-5387. We have not reached a conclusion on separate tracking that might be unique to mod_perl itself (thus far, it also appears to duplicate -5387.)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.apache.org/security/asf-httpoxy-response.txt

Apple

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ARRIS

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Aruba Networks

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AT&T

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Belkin, Inc.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Blue Coat Systems

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CA Technologies

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CentOS

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Check Point Software Technologies

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cisco

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CoreOS

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Debian GNU/Linux

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems, Inc.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

dnsmasq

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EfficientIP SAS

Notified:  July 12, 2016 Updated: July 12, 2016

Statement Date:   July 12, 2016

Status

  Not Affected

Vendor Statement

Please find the EfficientIP’s status about VU#797896:

Vendor: EfficientIP
Status: Not Affected
Statement: No version of our software is affected by VU#797896

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Enterasys Networks

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ericsson

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Extreme Networks

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Force10 Networks

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

FreeBSD Project

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Go Programming Language

Updated:  July 18, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2016-5386

HAProxy

Updated:  July 13, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hardened BSD

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett Packard Enterprise

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

HHVM

Updated:  July 18, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2016-1000109

Hitachi

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Infoblox

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intel Corporation

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium - DHCP

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Lenovo

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

lighttpd

Updated:  July 19, 2016

Statement Date:   July 19, 2016

Status

  Affected

Vendor Statement

Mitigation of httpoxy is available in lighttpd.

Mitigation:

lighttpd <= 1.4.40 (reject requests containing "Proxy" header)

* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:

    if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

* Modify lighttpd.conf to load mod_magnet and run lua code

    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

lighttpd2 (development) (strip "Proxy" header from request)

* Add to lighttpd.conf:

    req_header.remove "Proxy";

Reference:

* lighttpd 1.4 repo contains fix on git master branch to strip "Proxy" header and the commit message below contains the above mitigation steps for lighttpd 1.4.x
  https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4

m0n0wall

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

McAfee

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microsoft Corporation

Notified:  July 12, 2016 Updated: July 13, 2016

Status

  Affected

Vendor Statement

If you have installed PHP or any other third party framework on top of IIS, we recommend applying mitigation steps to protect from malicious Redirection or MiM attacks. Mitigation: Update apphost.config with the following rule:

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

National Center for Supercomputing Applications

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

nginx

Updated:  July 13, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nominum

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenBSD

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenDNS

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

openSUSE project

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Peplink

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Polycom

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Python

Updated:  July 18, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2016-1000110

Q1 Labs

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Red Hat, Inc.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ricoh Company Ltd.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Rockwell Automation

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ruby

Updated:  July 18, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Secure64 Software Corporation

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SmoothWall

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Snort

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sourcefire

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SUSE Linux

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Symantec

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

The PHP Group

Updated:  July 18, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2016-5385

TippingPoint Technologies Inc.

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ubuntu

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Unisys

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

VMware

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Wind River

Notified:  July 12, 2016 Updated: July 12, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.