CVE-2015-3183

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.

• How can I get the fixes?
• What do statuses mean?
• Patch details

References

• MITRE
• NVD
• Launchpad
• Debian

Related Ubuntu Security Notices (USN)

• USN-2686-1
• Apache HTTP Server vulnerabilities
• 27 July 2015

Other references

• https://www.apache.org/dist/httpd/Announcement2.4.txt
• https://www.apache.org/dist/httpd/CHANGES_2.4.16
• https://www.cve.org/CVERecord?id=CVE-2015-3183