CVE-2016-10711

Name: CVE-2016-10711
Description: Apsis Pound before 2.8a allows request smuggling via crafted headers, a different vulnerability than CVE-2005-3751.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1280-1
NVD severity: high (attack range: remote)
Debian Bugs: 888786

Vulnerable and fixed packages

The table below lists information on source packages.

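| Source Package | Release | Version | Status |
|---|---|---|---|
| pound (PTS) | wheezy | 2.6-2+deb7u1 | vulnerable |
| pound (PTS) | wheezy (security) | 2.6-2+deb7u2 | fixed |
| pound (PTS) | jessie (security), jessie | 2.6-6+deb8u1 | vulnerable |
| pound (PTS) | stretch | 2.7-1.3 | vulnerable |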

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pound | source | (unstable) | (unfixed) | high | | 888786 |
| pound | source | wheezy | 2.6-2+deb7u2 | high | DLA-1280-1 | |

Notes

[stretch] - pound <no-dsa> (Minor issue)
[jessie] - pound <no-dsa> (Minor issue)
http://www.apsis.ch/pound/pound_list/archive/2016/2016-10/1477235279000
https://www.suse.com/de-de/security/cve/CVE-2016-10711/
Fixed by https://build.opensuse.org/request/show/571084
Confirmed that the SUSE patch is the security-relevant diff between version 2.7 and 2.8a
