Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200606-05 ] Pound: HTTP request smuggling
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1563

PostPosted: Wed Jun 07, 2006 8:26 pm    Post subject: [ GLSA 200606-05 ] Pound: HTTP request smuggling Reply with quote

Gentoo Linux Security Advisory

Title: Pound: HTTP request smuggling (GLSA 200606-05)
Severity: low
Exploitable: remote
Date: June 07, 2006
Updated: November 24, 2006
Bug(s): #118541
ID: 200606-05

Synopsis

Pound is vulnerable to HTTP request smuggling, which could be exploited to bypass security restrictions or poison web caches.

Background

Pound is a reverse proxy, load balancer and HTTPS front-end. It allows to distribute the load on several web servers and offers a SSL wrapper for web servers that do not support SSL directly.

Affected Packages

Package: www-servers/pound
Vulnerable: < 2.0.5
Unaffected: >= 2.0.5
Unaffected: >= 1.10 < 1.11
Unaffected: >= 1.9.4 < 1.9.5
Architectures: All supported architectures


Description

Pound fails to handle HTTP requests with conflicting "Content-Length" and "Transfer-Encoding" headers correctly.

Impact

An attacker could exploit this vulnerability by sending HTTP requests with specially crafted "Content-Length" and "Transfer-Encoding" headers to bypass certain security restrictions or to poison the web proxy cache.

Workaround

There is no known workaround at this time.

Resolution

All Pound users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose www-servers/pound


References

CVE-2005-3751


Last edited by GLSA on Sat Nov 25, 2006 4:17 am; edited 4 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum