Vulnerability & Exploit Database

Back to search

RHSA-2015:1667: httpd security update

Severity CVSS Published Added Modified
5 (AV:N/AC:L/Au:N/C:N/I:P/A:N) July 19, 2015 September 06, 2015 July 03, 2017

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient,and extensible web server.Multiple flaws were found in the way httpd parsed HTTP requests andresponses using chunked transfer encoding. A remote attacker could usethese flaws to create a specially crafted request, which httpd would decodedifferently from an HTTP proxy software in front of it, possibly leading toHTTP request smuggling attacks. (CVE-2015-3183)It was discovered that in httpd 2.4, the internal API functionap_some_auth_required() could incorrectly indicate that a request wasauthenticated even when no authentication was used. An httpd module usingthis API function could consequently allow access that should have beendenied. (CVE-2015-3185)All httpd users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. After installing theupdated packages, the httpd service will be restarted automatically.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now

References

Solution

redhat-upgrade-mod_ldap

Related Vulnerabilities