MGASA-2015-0281

Advisory lineage Upstream: 2 Downstream: 0
Published: 27 Jul 2015, 09:53
Last modified:16 Apr 2026, 06:24

Vulnerability Summary

Overall Risk (default)
minimal
0/100
CVSS Score
No data
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

27 Jul 2015, 09:53
Published
Vulnerability first disclosed
16 Apr 2026, 06:24
Last Modified
Vulnerability information updated

Description

Updated apache package fixes security vulnerabilities The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c (CVE-2015-3183). The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior (CVE-2015-3185).

Affected Systems

  • mageiaapache

    < 2.4.7-5.7.mga4

  • mageiaapache

    < 2.4.10-16.3.mga5

References (3)