First Last Prev Next    This bug is not in your last search results.
Bug 39066 - apache2: Multiple issues (4.0)
apache2: Multiple issues (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P3 normal (vote)
: UCS 4.0-4-errata
Assigned To: Arvid Requate
Daniel Tröder
:
Depends on: 40929
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-03 12:41 CEST by Arvid Requate
Modified: 2016-03-30 13:06 CEST (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2015-08-03 12:41:40 CEST 
* HTTP request smuggling attack against chunked request parser, allowing cache poisoning or credential hijacking if an intermediary proxy is in use (CVE-2015-3183)

Fixed upstream in Debian package version 2.2.22-13+deb7u5.
Comment 1 Arvid Requate univentionstaff 2015-08-13 20:20:06 CEST 
We should note that the restriction to 1024 bit DH parameters has been removed and that custom DH parameters can be configured, apparently by catting them to the end of the SSLCertificateFile.
Comment 2 Tobias Birkefeld univentionstaff 2016-03-21 18:41:01 CET 
discussed in forum http://forum.univention.de/viewtopic.php?f=48&t=5628
Comment 3 Arvid Requate univentionstaff 2016-03-21 19:58:21 CET 
The package has been rebuilt with the additional Debian patches from deb7u6.

Advisory: apache2.yaml
Comment 4 Daniel Tröder univentionstaff 2016-03-30 10:25:15 CEST 
OK: advisory
OK: automated tests: "ucs-test -s apache -E dangerous"
(Fails only on 21_ssl-ciphers, because LOW and EXPORT seem to habe been removed from openssl binary.)
Comment 5 Janek Walkenhorst univentionstaff 2016-03-30 13:06:26 CEST 
<http://errata.software-univention.de/ucs/4.0/408.html>
First Last Prev Next    This bug is not in your last search results.