CVE-2016-10711

Name: CVE-2016-10711
Description: Apsis Pound before 2.8a allows request smuggling via crafted headers, a different vulnerability than CVE-2005-3751.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1280-1
NVD severity: high
Debian Bugs: 888786

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| pound (PTS) | jessie (security), jessie | 2.6-6+deb8u1 | vulnerable |
| | stretch | 2.7-1.3+deb9u1 | fixed |
| | sid | 2.8-2 | fixed |

The information below is based on the following data on fixed versions.

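| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pound | source | (unstable) | 2.8-2 | | | 888786 |
| pound | source | experimental | 2.8-1+patrodyne20190113 | | | |
| pound | source | stretch | 2.7-1.3+deb9u1 | | | |
| pound | source | wheezy | 2.6-2+deb7u2 | | DLA-1280-1 | |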

Notes

[jessie] - pound <no-dsa> (Minor issue)
http://www.apsis.ch/pound/pound_list/archive/2016/2016-10/1477235279000
https://www.suse.com/de-de/security/cve/CVE-2016-10711/
Fixed by https://build.opensuse.org/request/show/571084
Confirmed that the SUSE patch is the security relevant diff between
version 2.7 and 2.8a
