Summary: | <www-servers/apache-2.2.31: HTTP request smuggling attacks (CVE-2015-3183) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | devnull |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | polynomial-c |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.apache.org/dist/httpd/CHANGES_2.2.31 | ||
Whiteboard: | A3 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
devnull
2015-08-10 08:50:34 UTC
Arches please test and mark stable the following packages:
=app-admin/apache-tools-2.2.31
=www-servers/apache-2.2.31
with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd

amd64 stable

Stable on alpha.

x86 stable

Version - 2.2.31 not security problems
Version - 2.2.30 CVE-2015-3183,

CVE-2015-3183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3183): The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.

Stable for HPPA.

Stable for PPC64.

ia64 stable

arm stable

ppc stable

sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).

Maintainer(s), please drop the vulnerable version(s).

Maintainer(s), thank you for cleanup.

This issue was resolved and addressed in GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02 by GLSA coordinator Kristian Fiskerstrand (K_F).