SB2015101506 - Input validation error in apache2 (Alpine package)
Published: October 15, 2015
Security Bulletin ID
SB2015101506
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2015-3183)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=db992fcd384a88b087cf614ea6085a7618361f3a
- https://git.alpinelinux.org/aports/commit/?id=7a5b508efbcc2243c09bd0b060136f78409d3ab7
- https://git.alpinelinux.org/aports/commit/?id=b1db34556bafee5506f78b45c1a6f88844d89508
- https://git.alpinelinux.org/aports/commit/?id=b785b5f3aa75162cd033fd8dc922f4e2a5fd770e