Bug 40929 - apache2: Multiple issues (4.1)
apache2: Multiple issues (4.1)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P3 normal (vote)
: UCS 4.1-1-errata
Assigned To: Arvid Requate
Daniel Tröder
Depends on:
Blocks: 39066
  Show dependency treegraph
Reported: 2016-03-21 20:00 CET by Arvid Requate
Modified: 2016-10-05 12:46 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-03-21 20:00:42 CET
The apache2 package in ucs_4.1-0 should also get fixed.

+++ This bug was initially created as a clone of Bug #39066 +++

* HTTP request smuggling attack against chunked request parser, allowing cache poisoning or credential hijacking if an intermediary proxy is in use (CVE-2015-3183)

Fixed upstream in Debian package version 2.2.22-13+deb7u5.
Comment 1 Arvid Requate univentionstaff 2016-03-21 20:13:14 CET
The package has been rebuilt with the additional Debian patches from deb7u6.

Advisory: apache2.yaml
Comment 2 Daniel Tröder univentionstaff 2016-03-30 14:11:11 CEST
OK: advisory
OK: automated tests: "ucs-test -s apache -E dangerous"
(except for 20_ssl-protocols and 21_ssl-ciphers which are not adapted to current openssl compile time settings)
Comment 3 Janek Walkenhorst univentionstaff 2016-04-06 13:15:13 CEST