Apache httpd before versions 2.2.32 and 2.4.25 is vulnerable to possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF characters in the "Location" header or in any other outbound header key or value.
External References:
https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975
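As an added illustration of the response-splitting behaviour described above, here is a small Python model of it. This is not httpd code and nothing in it comes from the Apache project: `naive_redirect`, `hardened_redirect`, `header_is_clean`, `split_responses` and the two sample Location values are all constructed for this example. The "naive" builder copies the Location value onto the wire unchecked, the "hardened" one applies the same rule the advisory summarises (no CR or LF in any outbound header key or value), and `split_responses` parses the raw bytes the way a lenient proxy or client would, so you can see one response become two.

```python
# Constructed example, not httpd code: CRLF in a redirect target splits one
# HTTP response into two, and a CR/LF check on outbound headers prevents it.
from typing import List, Tuple

CRLF = "\r\n"


def naive_redirect(location: str) -> bytes:
    """Build a 302 with the Location value copied verbatim (pre-fix behaviour)."""
    lines = [
        "HTTP/1.1 302 Found",
        f"Location: {location}",
        "Content-Length: 0",
        "",  # end of headers
        "",
    ]
    return CRLF.join(lines).encode("latin-1")


def header_is_clean(name: str, value: str) -> bool:
    """True only if neither the header key nor the value contains CR or LF."""
    return not any(ch in "\r\n" for ch in name + value)


def hardened_redirect(location: str) -> bytes:
    """Refuse to emit a Location header that would break message framing.

    Stands in for the 2.4.25/2.2.32 rule: a tainted header is never written;
    here the request fails with a bare 500 instead (illustrative choice).
    """
    if not header_is_clean("Location", location):
        lines = ["HTTP/1.1 500 Internal Server Error", "Content-Length: 0", "", ""]
        return CRLF.join(lines).encode("latin-1")
    return naive_redirect(location)


def split_responses(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Parse raw bytes like a lenient client: each 'HTTP/1.x' status line
    starts a response, headers run to the first blank line, and the body is
    skipped using Content-Length. Returns (status_line, header_lines) pairs."""
    text = raw.decode("latin-1")  # 1 char == 1 byte, so offsets line up
    responses = []
    pos = 0
    while pos < len(text):
        end = text.find(CRLF + CRLF, pos)
        if end == -1:
            break
        status, *headers = text[pos:end].split(CRLF)
        if not status.startswith("HTTP/1."):
            break  # leftover bytes that are not a response; stop here
        body_len = 0
        for h in headers:
            name, _, value = h.partition(":")
            if name.strip().lower() == "content-length":
                body_len = int(value.strip())
        responses.append((status, headers))
        pos = end + 4 + body_len
    return responses


# Constructed sample inputs (not captured from a real server). The second one
# is what a decoded %0d%0a sequence in the redirect target would look like.
CLEAN_LOCATION = "http://example.com/~alice/"
INJECTED_LOCATION = (
    "http://example.com/~alice/" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 17" + CRLF + CRLF
    + "<h1>poisoned</h1>"
)


if __name__ == "__main__":
    for label, builder in (("naive", naive_redirect), ("hardened", hardened_redirect)):
        parsed = split_responses(builder(INJECTED_LOCATION))
        print(f"{label}: {len(parsed)} response(s):", [s for s, _ in parsed])
```

The second, attacker-controlled response is what a shared cache or a browser sitting behind a proxy would store or render; that is the whole point of a splitting attack, and it is why the fix lives at the header-writing layer rather than in mod_userdir alone.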
The recent release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 contained the fix for CVE-2016-4975.
Upstream patch: https://svn.apache.org/viewvc?view=revision&revision=1777405 (This contains commits for some other non-security issues as well)
Is this CVE not going to be security backported to Apache HTTP Server 2.2.15? It is getting flagged in security scans for RHEL6/Centos6 deployments as they use HTTP 2.2.
In reply to comment #14:
> Is this CVE not going to be security backported to Apache HTTP Server
> 2.2.15? It is getting flagged in security scans for RHEL6/Centos6
> deployments as they use HTTP 2.2.

RHEL 6 is currently in Maintenance Support Phase 2:
> During the Maintenance Support 2 Phase, Critical impact Security Advisories (RHSAs) and
> selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.
> Other errata advisories may be delivered as appropriate.

As this flaw has been rated Moderate, it is unlikely to receive a fix in RHEL 6. Please direct further support related queries to <secalert>.

https://access.redhat.com/support/policy/updates/errata/#Maintenance_Support_2_Phase
It is public and was mitigated in 2.4.25,
Joe, does this mean that after the fix for CVE-2016-8743 is applied, this issue is resolved and we no longer need this CVE?