Apache httpd before versions 2.2.32 and 2.4.25 are vulnerable to possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value.
The recent release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 contained the fix for CVE-2016-4975.
https://svn.apache.org/viewvc?view=revision&revision=1777405 (This contains commits for some other non-security issues as well)
Is this CVE not going to be security backported to Apache HTTP Server 2.2.15? It is getting flagged in security scans for RHEL6/Centos6 deployments as they use HTTP 2.2.
In reply to comment #14:
> Is this CVE not going to be security backported to Apache HTTP Server
> 2.2.15? It is getting flagged in security scans for RHEL6/Centos6
> deployments as they use HTTP 2.2.
RHEL 6 is currently in Maintenance Support Phase 2:
> During the Maintenance Support 2 Phase, Critical impact Security Advisories (RHSAs) and
> selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.
> Other errata advisories may be delivered as appropriate.
As this flaw has been rated Moderate, it is unlikely to receive a fix in RHEL 6. Please direct further support related queries to <email@example.com>.
It is public and was mitigated in 2.4.25,