Name | CVE-2016-10711 |
Description | Apsis Pound before 2.8a allows request smuggling via crafted headers, a different vulnerability than CVE-2005-3751. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-1280-1, DLA-2196-1 |
Debian Bugs | 888786 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
pound (PTS) | bullseye | 3.0-2 | fixed |
| sid, trixie | 4.15-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
http://www.apsis.ch/pound/pound_list/archive/2016/2016-10/1477235279000
https://www.suse.com/de-de/security/cve/CVE-2016-10711/
Fixed by https://build.opensuse.org/request/show/571084
Confirmed that the SUSE patch is the security relevant diff between
version 2.7 and 2.8a
an additional fix of the fix is needed to avoid that pound uses 100% CPU
https://github.com/graygnuorg/pound/commit/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c