Rapid7 Vulnerability & Exploit Database

RHSA-2015:1667: httpd security update

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published: 07/20/2015
Created: 07/25/2018
Added: 09/07/2015
Modified: 07/04/2017

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)

All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd service will be restarted automatically.

Solution(s)

  • redhat-upgrade-httpd
  • redhat-upgrade-httpd-debuginfo
  • redhat-upgrade-httpd-devel
  • redhat-upgrade-httpd-manual
  • redhat-upgrade-httpd-tools
  • redhat-upgrade-mod_ldap
  • redhat-upgrade-mod_proxy_html
  • redhat-upgrade-mod_session
  • redhat-upgrade-mod_ssl

