1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200606-05 / pound |
| Release Date | June 07, 2006 |
| Latest Revision | November 24, 2006: 03 |
| Impact | low |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| www-servers/pound | < 2.0.5 | >= 2.0.5, revision >= 1.10, revision >= 1.9.4 | All supported architectures |
Related bugreports: #118541
Pound is vulnerable to HTTP request smuggling, which could be exploited to bypass security restrictions or poison web caches.
Pound is a reverse proxy, load balancer and HTTPS front-end. It allows to distribute the load on several web servers and offers a SSL wrapper for web servers that do not support SSL directly.
Pound fails to handle HTTP requests with conflicting "Content-Length" and "Transfer-Encoding" headers correctly.
An attacker could exploit this vulnerability by sending HTTP requests with specially crafted "Content-Length" and "Transfer-Encoding" headers to bypass certain security restrictions or to poison the web proxy cache.
There is no known workaround at this time.
All Pound users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose www-servers/pound |