Univention Bugzilla – Bug 39066
apache2: Multiple issues (4.0)
Last modified: 2016-03-30 13:06:26 CEST
* HTTP request smuggling attack against chunked request parser, allowing cache poisoning or credential hijacking if an intermediary proxy is in use (CVE-2015-3183)
Fixed upstream in Debian package version 2.2.22-13+deb7u5.
We should note that the restriction to 1024 bit DH parameters has been removed and that custom DH parameters can be configured, apparently by catting them to the end of the SSLCertificateFile.
discussed in forum http://forum.univention.de/viewtopic.php?f=48&t=5628
The package has been rebuilt with the additional Debian patches from deb7u6.
OK: automated tests: "ucs-test -s apache -E dangerous"
(Fails only on 21_ssl-ciphers, because LOW and EXPORT seem to have been removed from openssl binary.)
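
As an added example (not part of the bug report or the Univention/Debian packages), the following check relates to the note above about custom DH parameters appended to the SSLCertificateFile: it lists the PEM blocks in such a file and reports the size of the DH prime. The function names, the 2048-bit minimum and the sample input are assumptions made for this illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _read_len(der, i):
    """Decode the DER length at offset i; return (length, offset of the value)."""
    if der[i] < 0x80:
        return der[i], i + 1
    n = der[i] & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(der):
    """Bit length of p in a PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g }."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _read_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    n, i = _read_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def audit_cert_file(text, min_bits=2048):  # min_bits is an assumed policy value
    """Report the PEM blocks in text and the size of any appended DH parameters."""
    labels, bits = [], None
    for label, body in PEM_RE.findall(text):
        labels.append(label)
        if label == "DH PARAMETERS":
            bits = dh_prime_bits(base64.b64decode(body))
    return {"blocks": labels, "dh_bits": bits, "ok": bits is not None and bits >= min_bits}

def _der(tag, payload):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(payload)
    width = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + head + payload

def constructed_sample(bits):
    """Constructed input: placeholder cert block plus DH parameters; p is NOT a real prime."""
    values = ((1 << (bits - 1)) | 1, 2)  # p with the requested bit length, g = 2
    ints = b"".join(_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in values)
    dh = base64.encodebytes(_der(0x30, ints)).decode()
    return ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
            "-----BEGIN DH PARAMETERS-----\n" + dh + "-----END DH PARAMETERS-----\n")

if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, audit_cert_file(constructed_sample(size)))
```

To audit a real file, pass its contents to `audit_cert_file`; a result with `dh_bits` of `None` means no DH parameters block was found in it.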