Bug 557198 (CVE-2015-3183) - <www-servers/apache-2.2.31: HTTP request smuggling attacks (CVE-2015-3183)
Status: RESOLVED FIXED
Alias: CVE-2015-3183
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.apache.org/dist/httpd/CHAN...
Whiteboard: A3 [glsa cve]
Reported: 2015-08-10 08:50 UTC by devnull
Modified: 2016-10-06 17:26 UTC
Runtime testing required: ---


Description devnull 2015-08-10 08:50:34 UTC
The ebuild has been in the tree for maybe three weeks or so already; I have been running it in production for 2 weeks.

Can we proceed with stabilisation?

Reproducible: Always
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-08-10 09:08:00 UTC
Arches please test and mark stable the following packages:

=app-admin/apache-tools-2.2.31
=www-servers/apache-2.2.31

with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-10 11:37:57 UTC
amd64 stable
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2015-08-10 17:57:15 UTC
Stable on alpha.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-11 12:27:46 UTC
x86 stable
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-08-11 13:17:38 UTC
Version - 2.2.31: no security problems

Version - 2.2.30:
CVE-2015-3183
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-08-11 13:18:16 UTC
CVE-2015-3183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3183):
  The chunked transfer coding implementation in the Apache HTTP Server before
  2.4.14 does not properly parse chunk headers, which allows remote attackers
  to conduct HTTP request smuggling attacks via a crafted request, related to
  mishandling of large chunk-size values and invalid chunk-extension
  characters in modules/http/http_filters.c.
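
A strict check for one chunk-size line, rejecting the two inputs the CVE description names (oversized chunk-size values and invalid chunk-extension characters). This is an added example, not part of the bug thread and not Apache's code from modules/http/http_filters.c; the function names and the extension character rule (a simplification of the RFC 7230 grammar) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper, not Apache's implementation.
 * Parses one chunk-size line without its trailing CRLF, e.g. "1a;name=val".
 * Returns 0 and stores the size on success, -1 on any malformed input. */
int parse_chunk_size_line(const char *line, size_t len, uint64_t *size_out)
{
    uint64_t size = 0;
    size_t i = 0;

    /* chunk-size = 1*HEXDIG: no leading whitespace, sign or "0x" prefix. */
    for (; i < len; i++) {
        int v = hexval((unsigned char)line[i]);
        if (v < 0)
            break;
        /* Large chunk-size values: refuse before the shift drops high bits. */
        if (size > (UINT64_MAX >> 4))
            return -1;
        size = (size << 4) | (uint64_t)v;
    }
    if (i == 0)
        return -1;

    /* Anything after the digits must be a chunk extension introduced by ';'. */
    if (i < len) {
        if (line[i] != ';')
            return -1;
        for (; i < len; i++) {
            unsigned char c = (unsigned char)line[i];
            /* Simplified rule: visible ASCII plus SP/HTAB only. Bare CR, LF,
             * NUL, other control bytes and 8-bit bytes are rejected. */
            if (!(c == '\t' || (c >= 0x20 && c <= 0x7e)))
                return -1;
        }
    }
    *size_out = size;
    return 0;
}
```

A caller should treat -1 as a malformed request and close the connection rather than guess where the next request starts, since a disagreement about message boundaries is what request smuggling relies on.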
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-15 20:09:51 UTC
Stable for HPPA.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-15 20:52:40 UTC
Stable for PPC64.
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-16 17:53:51 UTC
ia64 stable
Comment 10 Markus Meier gentoo-dev 2015-08-19 17:06:39 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-08-26 07:30:47 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-09-06 08:34:14 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-09-13 13:17:50 UTC
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-10-10 02:53:23 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 20:29:43 UTC
Maintainer(s), thank you for the cleanup.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2016-10-06 17:26:15 UTC
This issue was resolved and addressed in
 GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02
by GLSA coordinator Kristian Fiskerstrand (K_F).