Security update for apache2

SUSE Security Update: Security update for apache2
Announcement ID: SUSE-SU-2013:0469-1
Rating: low
References: #688472 #719236 #722545 #727071 #727993 #729181 #736706 #738855 #741243 #743743 #757710 #777260
Affected Products:
  • SUSE Linux Enterprise Server 10 SP3 LTSS

  • An update that solves four vulnerabilities and has 8 fixes is now available.

    Description:

    This Apache2 LTSS roll-up update for SUSE Linux Enterprise
    10 SP3 LTSS fixes the following security issues and bugs:

    * CVE-2012-4557: Denial of Service via special requests
    in mod_proxy_ajp
    * CVE-2012-0883: improper LD_LIBRARY_PATH handling
    * CVE-2012-2687: filename escaping problem
    * CVE-2012-0031: Fixed a scoreboard corruption (shared
    mem segment) by child causes crash of privileged parent
    (invalid free()) during shutdown.
    * CVE-2012-0053: Fixed an issue in error responses that
    could expose "httpOnly" cookies when no custom
    ErrorDocument is specified for status code 400.
    * The SSL configuration template has been adjusted not
    to suggest weak ciphers.
    * CVE-2007-6750: The "mod_reqtimeout" module was
    backported from Apache 2.2.21 to help mitigate the
    "Slowloris" Denial of Service attack.

    You need to enable the "mod_reqtimeout" module in
    your existing apache configuration to make it effective,
    e.g. in the APACHE_MODULES line in /etc/sysconfig/apache2.
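    The following is an added helper script, not part of the SUSE advisory or the apache2 package, showing how to check for and add "reqtimeout" in the APACHE_MODULES line of a SUSE-style /etc/sysconfig/apache2 file. The function names (apache_modules, has_module, enable_module) are my own; the file path is passed as a parameter so the functions can be exercised on a constructed copy rather than the live system file.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): ensure "reqtimeout" is listed
# in the APACHE_MODULES="..." line of a SUSE-style sysconfig file.
# $1 is always the sysconfig file path, so this can run on a constructed copy.

# Print the space-separated module list from the APACHE_MODULES="..." line.
apache_modules() {
  sed -n 's/^APACHE_MODULES="\(.*\)"$/\1/p' "$1"
}

# Succeed (exit 0) if module $2 is already listed in file $1.
has_module() {
  apache_modules "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Append module $2 to the APACHE_MODULES list in file $1 unless it is
# already present; writes via a temp file so a failed edit leaves $1 intact.
enable_module() {
  if has_module "$1" "$2"; then
    return 0
  fi
  tmp="$1.tmp.$$"
  sed "s/^APACHE_MODULES=\"\(.*\)\"$/APACHE_MODULES=\"\1 $2\"/" "$1" > "$tmp" \
    && mv "$tmp" "$1"
}

# Demo on a constructed sysconfig snippet (sample data, not a real system file).
demo() {
  f=$(mktemp)
  printf 'APACHE_MODULES="actions alias auth_basic dir mime"\nAPACHE_SERVER_FLAGS=""\n' > "$f"
  enable_module "$f" reqtimeout
  has_module "$f" reqtimeout && echo "reqtimeout is now enabled in $f"
  echo "APACHE_MODULES: $(apache_modules "$f")"
  rm -f "$f"
}
```

Run `demo` to see the edit applied to a throwaway file; on a real SLES system you would point enable_module at /etc/sysconfig/apache2 and then restart apache2 so the module is loaded. Once loaded, mod_reqtimeout enforces its built-in read timeouts; the Apache `RequestReadTimeout` directive (general Apache knowledge, not something the advisory mentions) is where those header and body timeouts are tuned.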

    * CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This
    update also includes several fixes for a mod_proxy reverse
    proxy exposure via RewriteRule or ProxyPassMatch directives.
    * CVE-2011-1473: Fixed the SSL renegotiation DoS by
    disabling renegotiation by default.
    * CVE-2011-3607: Integer overflow in the ap_pregsub
    function resulting in a heap based buffer overflow could
    potentially allow local attackers to gain privileges.

    Additionally, some non-security bugs have been fixed which
    are listed in the changelog file.

    Security Issue references:

    * CVE-2012-4557
    * CVE-2012-2687
    * CVE-2012-0883
    * CVE-2012-0021

    Package List:

    • SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
        • apache2-2.2.3-16.32.45.1
        • apache2-devel-2.2.3-16.32.45.1
        • apache2-doc-2.2.3-16.32.45.1
        • apache2-example-pages-2.2.3-16.32.45.1
        • apache2-prefork-2.2.3-16.32.45.1
        • apache2-worker-2.2.3-16.32.45.1

    References:

    • http://support.novell.com/security/cve/CVE-2012-0021.html
    • http://support.novell.com/security/cve/CVE-2012-0883.html
    • http://support.novell.com/security/cve/CVE-2012-2687.html
    • http://support.novell.com/security/cve/CVE-2012-4557.html
    • https://bugzilla.novell.com/688472
    • https://bugzilla.novell.com/719236
    • https://bugzilla.novell.com/722545
    • https://bugzilla.novell.com/727071
    • https://bugzilla.novell.com/727993
    • https://bugzilla.novell.com/729181
    • https://bugzilla.novell.com/736706
    • https://bugzilla.novell.com/738855
    • https://bugzilla.novell.com/741243
    • https://bugzilla.novell.com/743743
    • https://bugzilla.novell.com/757710
    • https://bugzilla.novell.com/777260
    • http://download.suse.com/patch/finder/?keywords=25e42b7bd84d54954a51c9fe38e777e0