Amazon Linux AMI Security Advisory: ALAS-2016-746
Advisory Release Date: 2016-09-15 19:00 Pacific
Advisory Updated Date: 2016-09-15 19:00 Pacific
It was discovered that lighttpd class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
Run yum update lighttpd to update your system.