Debian Wheezy DSA-3325-2: Moderate Apache2 Regression Fix
debian
August 18, 2015
The security update from DSA-3325-1 caused a regression for the oldstable distribution (wheezy)
Topics Covered
Summary
Several vulnerabilities have been found in the Apache HTTPD server.
CVE-2015-3183
An HTTP request smuggling attack was possible due to a bug in
parsing of chunked requests. A malicious client could force the
server to misinterpret the request length, allowing cache poisoning
or credential hijacking if an intermediary proxy is in use.
CVE-2015-3185
A design error in the "ap_some_auth_required" function renders the
API unusuable in apache2 2.4.x. This could lead to modules using
this API to allow access when they should otherwise not do so.
The fix backports the new "ap_some_authn_required" API from 2.4.16.
This issue does not affect the oldstable distribution (wheezy).
In addition, the updated package for the oldstable distribution (wheezy)
removes a limitation of the Diffie-Hellman (DH) parameters to 1024 bits.
This limitation may potentially allow an attacker with very large
computing resources, like a nation-state, to break DH key exchange by
precomputation. Th...
PREVIOUS
NEXT
Package: apache2
CVE ID: CVE-2015-3183 CVE-2015-3185
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!