CVE-2015-3185

Publication date 20 July 2015

Last updated 24 July 2024

Ubuntu priority

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
apache2	15.04 vivid	Fixed 2.4.10-9ubuntu1.1
	14.10 utopic	Ignored end of life
	14.04 LTS trusty	Fixed 2.4.7-1ubuntu4.5
	12.04 LTS precise	Not affected

Notes

mdeslaur

introduced by changes in 2.4, so doesn't affect 2.2

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
apache2	Upstream: http://svn.apache.org/viewvc?view=revision&revision=1684524 Upstream: http://svn.apache.org/viewvc?view=revision&revision=1684525

References

Related Ubuntu Security Notices (USN)