CVE-2016-10711

NameCVE-2016-10711
DescriptionApsis Pound before 2.8a allows request smuggling via crafted headers, a different vulnerability than CVE-2005-3751.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1280-1, DLA-2196-1
Debian Bugs888786

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pound (PTS)jessie, jessie (lts)2.6-6+deb8u3fixed
stretch2.7-1.3+deb9u1fixed
bullseye3.0-2fixed
sid, trixie4.15-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
poundsourceexperimental2.8-1+patrodyne20190113
poundsourcewheezy2.6-2+deb7u2DLA-1280-1
poundsourcejessie2.6-6+deb8u2DLA-2196-1
poundsourcestretch2.7-1.3+deb9u1
poundsource(unstable)2.8-2888786

Notes

http://www.apsis.ch/pound/pound_list/archive/2016/2016-10/1477235279000
https://www.suse.com/de-de/security/cve/CVE-2016-10711/
Fixed by https://build.opensuse.org/request/show/571084
Confirmed that the SUSE patch is the security relevant diff between
version 2.7 and 2.8a
an additional fix of the fix is needed to avoid that pound uses 100% CPU
https://github.com/graygnuorg/pound/commit/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c
Search for package or bug name: Reporting problems