Bug 39066 - apache2: Multiple issues (4.0)
apache2: Multiple issues (4.0)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P3 normal (vote)
: UCS 4.0-4-errata
Assigned To: Arvid Requate
Daniel Tröder
Depends on: 40929
  Show dependency treegraph
Reported: 2015-08-03 12:41 CEST by Arvid Requate
Modified: 2016-03-30 13:06 CEST (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2015-08-03 12:41:40 CEST
* HTTP request smuggling attack against chunked request parser, allowing cache poisoning or credential hijacking if an intermediary proxy is in use (CVE-2015-3183)

Fixed upstream in Debian package version 2.2.22-13+deb7u5.
Comment 1 Arvid Requate univentionstaff 2015-08-13 20:20:06 CEST
We should note that the restriction to 1024 bit DH parameters has been removed and that custom DH parameters can be configured, apparently by catting them to the end of the SSLCertificateFile.
Comment 2 Tobias Birkefeld univentionstaff 2016-03-21 18:41:01 CET
discussed in forum http://forum.univention.de/viewtopic.php?f=48&t=5628
Comment 3 Arvid Requate univentionstaff 2016-03-21 19:58:21 CET
The package has been rebuilt with the additional Debian patches from deb7u6.

Advisory: apache2.yaml
Comment 4 Daniel Tröder univentionstaff 2016-03-30 10:25:15 CEST
OK: advisory
OK: automated tests: "ucs-test -s apache -E dangerous"
(Fails only on 21_ssl-ciphers, because LOW and EXPORT seem to habe been removed from openssl binary.)
Comment 5 Janek Walkenhorst univentionstaff 2016-03-30 13:06:26 CEST