Vulnerability & Exploit Database

Back to search

RHSA-2015:1667: httpd security update

Severity CVSS Published Added Modified
5 (AV:N/AC:L/Au:N/C:N/I:P/A:N) July 20, 2015 September 07, 2015 July 04, 2017

Description

The httpd packages provide the Apache HTTP Server, a powerful, efficient,and extensible web server.Multiple flaws were found in the way httpd parsed HTTP requests andresponses using chunked transfer encoding. A remote attacker could usethese flaws to create a specially crafted request, which httpd would decodedifferently from an HTTP proxy software in front of it, possibly leading toHTTP request smuggling attacks. (CVE-2015-3183)It was discovered that in httpd 2.4, the internal API functionap_some_auth_required() could incorrectly indicate that a request wasauthenticated even when no authentication was used. An httpd module usingthis API function could consequently allow access that should have beendenied. (CVE-2015-3185)All httpd users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. After installing theupdated packages, the httpd service will be restarted automatically.

Scan For This Vulnerability

Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities

 Free InsightVM Trial

References

Solution

redhat-upgrade-httpd

Related Vulnerabilities