unsubscribe On Sat, Aug 1, 2015 at 5:04 PM, Stefan Fritsch <s...@debian.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > - ------------------------------------------------------------------------- > Debian Security Advisory DSA-3325-1 secur...@debian.org > https://www.debian.org/security/ Stefan Fritsch > August 01, 2015 https://www.debian.org/security/faq > - ------------------------------------------------------------------------- > > Package : apache2 > CVE ID : CVE-2015-3183 CVE-2015-3185 > > Several vulnerabilities have been found in the Apache HTTPD server. > > CVE-2015-3183 > > An HTTP request smuggling attack was possible due to a bug in > parsing of chunked requests. A malicious client could force the > server to misinterpret the request length, allowing cache poisoning > or credential hijacking if an intermediary proxy is in use. > > CVE-2015-3185 > > A design error in the "ap_some_auth_required" function renders the > API unusuable in apache2 2.4.x. This could lead to modules using > this API to allow access when they should otherwise not do so. > The fix backports the new "ap_some_authn_required" API from 2.4.16. > This issue does not affect the oldstable distribution (wheezy). > > > In addition, the updated package for the oldstable distribution (wheezy) > removes a limitation of the Diffie-Hellman (DH) parameters to 1024 bits. > This limitation may potentially allow an attacker with very large > computing resources, like a nation-state, to break DH key exchange by > precomputation. The updated apache2 package also allows to configure > custom DH parameters. More information is contained in the > changelog.Debian.gz file. > These improvements were already present in the stable, testing, and > unstable distributions. > > > For the oldstable distribution (wheezy), these problems have been fixed > in version 2.2.22-13+deb7u5. > > For the stable distribution (jessie), these problems have been fixed in > version 2.4.10-10+deb8u1. > > For the testing distribution (stretch), these problems will be fixed > soon. > > For the unstable distribution (sid), these problems will be fixed soon. > > We recommend that you upgrade your apache2 packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: https://www.debian.org/security/ > > Mailing list: debian-security-annou...@lists.debian.org > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIVAwUBVb1Bf8aHXzVBzv3gAQg0zg/+OxODLD81nbTz2GANHz3apW0gDFxpXFt0 > hDmcn758Vie75D+tpS7DD7dvR9i/fOWZZFKRPZsX/2oo8dXWHA955E+XE0gv0Mzf > 6wm5lFBYs5qMAKufikCP/NGBxxyJeEFjlDaTQnYjBdpnZQrECBKUbLBFXkRz/Hvz > oafS8EFFDUJQH90HqRGFGYRovywTc1yI19o1VTBEjE+8KSLqRXtkFAaawK/tF8lF > arsiE2DxLdkUA1sliMeyl53Ci4p59xDMIr3LWy8CICleqGXfJ7r8onHQep+aeTSZ > cvEfvMjPjn9jJr9aO780jUmCvhmnIY8xp4mc3y/rOTw3sonqpmiXiiUHSwVD+FV/ > cGFK9VBCP5qGZEQYtWevmQS6eYfsqn71J4/gQ28egNdoYkeR63lYLhxfOce21lTo > yczybSpaYVAsqm55/JUCmlfcNP0+dh4wxd2njZZHSx868w+KyHt5W7dJWaZ1HvT1 > /rOel9l/dQJ9QiY/oQ5+FqKHbpA8yWI27JhBgiWNp4jnvUg6D0gVoRsT/0MtTx8D > R4ZERzZjaaMnG4W1Fq3Ciqt3DBoYdf2ny8t4hBNj/rtaprF1SIaNrfXOwNq0CAbk > RFzXNjuRNA5UAiBQ+9txHvHiuDZKQ4KyFQEZ/fjaAuAyn52ZrCaKG13TC3RpHwGt > 9lZnX0KfEMw= > =Gplo > -----END PGP SIGNATURE----- > > > -- > To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact > listmas...@lists.debian.org > Archive: https://lists.debian.org/e1zletd-00037k...@chopin.debian.org > >
