https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387 --- httpd-2.4.18/server/util_script.c.cve5387 +++ httpd-2.4.18/server/util_script.c @@ -195,6 +195,10 @@ } } #endif + else if (!strcasecmp(hdrs[i].key, "Proxy")) { + /* Don't pass through HTTP_PROXY */ + continue; + } else add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val); }