perfSONAR Announcements

[Andrew Lake <>]

All,

An important CVE has been announced regarding the Apache web server package and we recommend users update as soon as possible. Details from RedHat, Debian, and Ubuntu can be found below:

https://access.redhat.com/security/vulnerabilities/httpoxy

https://security-tracker.debian.org/tracker/CVE-2016-5387

http://www.ubuntu.com/usn/usn-3038-1/

It does NOT appear that perfSONAR is directly affected by this issue. The vulnerability affects apache web servers running CGI scripts in certain languages. Perl (which is the language perfSONAR uses in its CGI scripts) does not appear to be affected, but in order to exercise maximum caution we wanted to make people aware of the issue and suggest they update. For languages that are affected, the attacker can set a proxy in the HTTP header of a request and force the host to forward information to remote server of the attackers choosing. 

If you are running auto-updates, you likely already have the fix. Otherwise running “yum update httpd” on CentOS/RedHat or "apt-get update && apt-get upgrade apache2" on Debian/Ubuntu should resolve the issue (no restarts required). Please let us know if you have any questions.

Thank you,

The perfSONAR Development Team