MGASA-2015-0281

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2015-0281.html

Import Source

https://advisories.mageia.org/MGASA-2015-0281.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2015-0281

Related

Published

2015-07-27T09:53:07Z

Modified

2015-07-27T09:41:08Z

Summary

Updated apache package fixes security vulnerabilities

Details

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c (CVE-2015-3183).

The apsomeauth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior (CVE-2015-3185).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:4 / apache

Package

Name: apache
Purl: pkg:rpm/mageia/apache?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.7-5.7.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / apache

Package

Name: apache
Purl: pkg:rpm/mageia/apache?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.10-16.3.mga5

Ecosystem specific

{
    "section": "core"
}