CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
EPSS: 0.074 Low (Percentile: 93.1%)

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.
Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from an HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)
It was discovered that in httpd 2.4, the internal API function
ap_some_auth_required() could incorrectly indicate that a request was
authenticated even when no authentication was used. An httpd module using
this API function could consequently allow access that should have been
denied. (CVE-2015-3185)
Note: This update introduces a new API function,
ap_some_authn_required(), which correctly indicates if a request is
authenticated. External httpd modules using the old API function should be
modified to use the new one to completely resolve this issue.
A denial of service flaw was found in the way the mod_lua httpd module
processed certain WebSocket Ping requests. A remote attacker could send a
specially crafted WebSocket Ping packet that would cause the httpd child
process to crash. (CVE-2015-0228)
A NULL pointer dereference flaw was found in the way httpd generated
certain error responses. A remote attacker could possibly use this flaw to
crash the httpd child process using a request that triggers a certain HTTP
error. (CVE-2015-0253)
All httpd24-httpd users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After installing
the updated packages, the httpd24-httpd service will be restarted
automatically.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
RedHat | 6 | x86_64 | httpd24-httpd-devel | < 2.4.12-4.el6.2 | httpd24-httpd-devel-2.4.12-4.el6.2.x86_64.rpm |
RedHat | 6 | x86_64 | httpd24-httpd-tools | < 2.4.12-4.el6.2 | httpd24-httpd-tools-2.4.12-4.el6.2.x86_64.rpm |
RedHat | 6 | noarch | httpd24-httpd-manual | < 2.4.12-4.el6.2 | httpd24-httpd-manual-2.4.12-4.el6.2.noarch.rpm |
RedHat | 7 | src | httpd24-httpd | < 2.4.12-6.el7.1 | httpd24-httpd-2.4.12-6.el7.1.src.rpm |
RedHat | 6 | x86_64 | httpd24-mod_ldap | < 2.4.12-4.el6.2 | httpd24-mod_ldap-2.4.12-4.el6.2.x86_64.rpm |
RedHat | 7 | x86_64 | httpd24-mod_proxy_html | < 2.4.12-6.el7.1 | httpd24-mod_proxy_html-2.4.12-6.el7.1.x86_64.rpm |
RedHat | 6 | x86_64 | httpd24-mod_ssl | < 2.4.12-4.el6.2 | httpd24-mod_ssl-2.4.12-4.el6.2.x86_64.rpm |
RedHat | 6 | x86_64 | httpd24-httpd | < 2.4.12-4.el6.2 | httpd24-httpd-2.4.12-4.el6.2.x86_64.rpm |
RedHat | 7 | x86_64 | httpd24-mod_session | < 2.4.12-6.el7.1 | httpd24-mod_session-2.4.12-6.el7.1.x86_64.rpm |
RedHat | 6 | src | httpd24-httpd | < 2.4.12-4.el6.2 | httpd24-httpd-2.4.12-4.el6.2.src.rpm |
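
The following is an added example, not part of the advisory: it checks a package inventory against the fixed versions in the table above. The function names, the simplified RPM version comparison (no epoch, tilde or caret handling) and the sample inventory are assumptions made for illustration; the input format is what `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` produces.

```python
import re

# Fixed version-release per Red Hat major version, from the advisory table.
FIXED = {"6": "2.4.12-4.el6.2", "7": "2.4.12-6.el7.1"}
# Package names listed in the advisory table.
PACKAGES = {"httpd24-httpd", "httpd24-httpd-devel", "httpd24-httpd-tools",
            "httpd24-httpd-manual", "httpd24-mod_ldap", "httpd24-mod_proxy_html",
            "httpd24-mod_ssl", "httpd24-mod_session"}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare runs of digits and letters in order."""
    sa = re.findall(r"\d+|[a-zA-Z]+", a)
    sb = re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two VERSION-RELEASE strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(inventory, el_major):
    """Return advisory packages in the inventory older than the fixed build."""
    fixed = FIXED[el_major]
    stale = []
    for line in inventory.splitlines():
        name, vr = line.split()
        if name in PACKAGES and evr_cmp(vr, fixed) < 0:
            stale.append(name)
    return stale

# Constructed sample inventory for a Red Hat 6 host (not real host data).
SAMPLE = """\
httpd24-httpd 2.4.12-4.el6.2
httpd24-mod_ssl 2.4.12-4.el6.1
httpd24-httpd-tools 2.4.6-25.el6
bash 4.1.2-33.el6
"""

if __name__ == "__main__":
    for pkg in audit(SAMPLE, "6"):
        print("needs update:", pkg)
```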