Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-5520-2

Ubuntu Security Notice 5520-2 - USN-5520-1 fixed a vulnerability in HTTP-Daemon. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that HTTP-Daemon incorrectly handled certain crafted requests. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

Packet Storm
#vulnerability#ubuntu#perl

=========================================================================
Ubuntu Security Notice USN-5520-2
July 18, 2022

libhttp-daemon-perl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 ESM
  • Ubuntu 14.04 ESM

Summary:

HTTP-Daemon could allow HTTP Request Smuggling attacks.

Software Description:

  • libhttp-daemon-perl: simple http server class

Details:

USN-5520-1 fixed a vulnerability in HTTP-Daemon. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

It was discovered that HTTP-Daemon incorrectly handled certain crafted
requests. A remote attacker could possibly use this issue to perform an
HTTP Request Smuggling attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
libhttp-daemon-perl 6.01-1ubuntu0.16.04~esm1

Ubuntu 14.04 ESM:
libhttp-daemon-perl 6.01-1ubuntu0.14.04~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5520-2
https://ubuntu.com/security/notices/USN-5520-1
CVE-2022-31081

Related news

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

Ubuntu Security Notice USN-5520-1

Ubuntu Security Notice 5520-1 - It was discovered that HTTP-Daemon incorrectly handled certain crafted requests. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

CVE-2022-31081: Fix Content-Length ', '-separated string issues · libwww-perl/HTTP-Daemon@e84475d

HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the `HTTP::Daemon`. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling `my $rqst = $conn->get_request()` one could inspect the returned `HTTP::Request` object. Querying the 'Content-Length' (`my $cl = $rqst->header('Content-Length')`) will show any abnormalities that should be dealt with by a `400` response. Expected strings of 'Content-Length' SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is `42` or `42, 42, 42`). Anything else MUST be rej...

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution