CVE-2005-3751

NameCVE-2005-3751
DescriptionHTTP request smuggling vulnerability in Pound before 1.9.4 allows remote attackers to poison web caches, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with conflicting Content-length and Transfer-encoding headers.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-934-1
NVD severitymedium (attack range: remote)
Debian/oldoldstablenot vulnerable.
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pound (PTS)squeeze2.5-1fixed
wheezy2.6-2fixed
wheezy (security)2.6-2+deb7u1fixed
jessie (security), jessie2.6-6+deb8u1fixed
stretch, sid2.6-6.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
poundsource(unstable)1.9.4-1low
poundsourcesarge1.8.2-1sarge1mediumDSA-934-1

Notes

see http://www.apsis.ch/pound/pound_list/archive/2005/2005-10/1129827166000/index_html?fullMode=1#1129827166000

Search for package or bug name: Reporting problems