Important Information about HTTPoxy Vulnerability (CVE-2016-5387)
On July 18th, a vulnerability named “HTTPoxy” was announced. This vulnerability is affecting server-side web applications running CGI.
After the initial investigation, Synology has concluded that DSM itself is not affected by this vulnerability as the parameters HTTP_PROXY and HTTP_PROXY_* are not used.
Even though DSM itself is free from this vulnerability, some open source modules such as PHP and Python might be affected. In order to avoid potential MITM attacks, it is highly recommended you always use HTTPS for the connections established between the clients and DSM.
Synology will update the affected packages once the patches are released by their open source teams.