On Wed, Jun 29, 2005 at 12:49:31AM +0200, Moritz Muehlenhoff wrote:
> Package: apache2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Latest 2.1.6-alpha fixes a security in the proxy HTTP code:
>
> | The 2.1.6-alpha release addresses a security vulnerability present
> | in all previous 2.x versions. This fault did not affect Apache 1.3.x
> | (which did not proxy keepalives or chunked transfer encoding);
>
> | Proxy HTTP: If a response contains both Transfer-Encoding
> | and a Content-Length, remove the Content-Length to eliminate
> | an HTTP Request Smuggling vulnerability and don't reuse the
> | connection, stopping some HTTP Request Spoofing attacks.
>

Can I be the first to say that I don't understand the nature of this issue? Is this also present in 2.0.54 which is the latest stable release? There's no mention of it in the changelog there..

Steve
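
The rule quoted from the 2.1.6-alpha changelog, as an added Python sketch that is not part of the original thread and is not Apache's code: it shows how two peers can disagree on where a response body ends when both framing headers are present, and the proxy-side fix of dropping Content-Length and not reusing the connection. The function names and the sample response are constructed for illustration.

```python
# Added example: hypothetical helper names, constructed sample response.

def parse_head(raw):
    """Split a raw HTTP response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body

def body_len_by_content_length(headers, body):
    """Bytes a peer that trusts Content-Length treats as the body."""
    for name, value in headers:
        if name.lower() == "content-length":
            return min(int(value), len(body))
    return len(body)

def body_len_by_chunked(body):
    """Bytes a peer that trusts Transfer-Encoding: chunked treats as the body."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # chunk size is hex
        pos = eol + 2
        if size == 0:
            return body.index(b"\r\n", pos) + 2  # assumes no trailers
        pos += size + 2  # chunk data plus its trailing CRLF

def sanitize(headers):
    """Apply the changelog's rule; returns (headers, may_reuse_connection)."""
    names = {n.lower() for n, _ in headers}
    if "transfer-encoding" in names and "content-length" in names:
        kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
        return kept, False  # ambiguous framing: do not keep the connection
    return headers, True

# Constructed sample: both framing headers present, and they disagree.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Length: 5\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"b\r\nhello world\r\n0\r\n\r\n")
```

On the sample, a peer that trusts Content-Length stops after 5 body bytes while a peer that decodes the chunks consumes all 21, so whatever follows on a reused connection is attributed differently by each side.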