CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS
Percentile
93.6%
CentOS Errata and Security Advisory CESA-2015:1667
The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.
Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from an HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)
It was discovered that in httpd 2.4, the internal API function
ap_some_auth_required() could incorrectly indicate that a request was
authenticated even when no authentication was used. An httpd module using
this API function could consequently allow access that should have been
denied. (CVE-2015-3185)
All httpd users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the httpd service will be restarted automatically.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2015-August/083508.html
Affected packages:
httpd
httpd-devel
httpd-manual
httpd-tools
mod_ldap
mod_proxy_html
mod_session
mod_ssl
Upstream details at:
https://access.redhat.com/errata/RHSA-2015:1667
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 7 | x86_64 | httpd | < 2.4.6-31.el7.centos.1 | httpd-2.4.6-31.el7.centos.1.x86_64.rpm |
CentOS | 7 | x86_64 | httpd-devel | < 2.4.6-31.el7.centos.1 | httpd-devel-2.4.6-31.el7.centos.1.x86_64.rpm |
CentOS | 7 | noarch | httpd-manual | < 2.4.6-31.el7.centos.1 | httpd-manual-2.4.6-31.el7.centos.1.noarch.rpm |
CentOS | 7 | x86_64 | httpd-tools | < 2.4.6-31.el7.centos.1 | httpd-tools-2.4.6-31.el7.centos.1.x86_64.rpm |
CentOS | 7 | x86_64 | mod_ldap | < 2.4.6-31.el7.centos.1 | mod_ldap-2.4.6-31.el7.centos.1.x86_64.rpm |
CentOS | 7 | x86_64 | mod_proxy_html | < 2.4.6-31.el7.centos.1 | mod_proxy_html-2.4.6-31.el7.centos.1.x86_64.rpm |
CentOS | 7 | x86_64 | mod_session | < 2.4.6-31.el7.centos.1 | mod_session-2.4.6-31.el7.centos.1.x86_64.rpm |
CentOS | 7 | x86_64 | mod_ssl | < 2.4.6-31.el7.centos.1 | mod_ssl-2.4.6-31.el7.centos.1.x86_64.rpm |