SUSE-SU-2013:1824-1: moderate: Security update for Apache2

sle-updates at lists.suse.com
Wed Dec 4 13:04:12 MST 2013


   SUSE Security Update: Security update for Apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1824-1
Rating:             moderate
References:         #791794 #815621 #829056 #829057 
Cross-References:   CVE-2013-1862 CVE-2013-1896
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that solves two vulnerabilities and has two fixes
   is now available. It includes one version update.

Description:


   Apache2 received an LTSS rollup update which fixes various
   security issues and bugs.

   Security issues fixed:

   * CVE-2013-1896: Sending a MERGE request against a URI
   handled by mod_dav_svn with the source href (sent as part
   of the request body as XML) pointing to a URI that is not
   configured for DAV will trigger a segfault. [bnc#829056]
   * CVE-2013-1862: client data written to the RewriteLog
   must have terminal escape sequences escaped. [bnc#829057]
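
   Added example, not part of the SUSE advisory or of Apache's own code: a
   scanner for the CVE-2013-1862 class of issue that flags log lines holding
   raw control characters and renders them with \xHH escapes so they can be
   viewed safely in a terminal. The sample lines are constructed and only
   loosely follow the RewriteLog layout; the function names are hypothetical.

```python
import re

# C0 control characters (tab excluded) and DEL; ESC (0x1b) starts terminal sequences.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def escape_log_field(value: str) -> str:
    """Escape client-supplied text for logging.

    Backslashes are doubled so the output stays unambiguous, and every
    control character is written as a printable \\xHH token.
    """
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif _CONTROL.match(ch):
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def find_raw_controls(log_text: str):
    """Return (line_number, escaped_line) for each line with raw control chars.

    Decode real log files with latin-1 so every byte maps to one character.
    A trailing CR from CRLF line endings is ignored; a CR inside a line is not.
    """
    hits = []
    for number, line in enumerate(log_text.split("\n"), 1):
        line = line.rstrip("\r")
        if _CONTROL.search(line):
            hits.append((number, escape_log_field(line)))
    return hits


# Constructed sample: line 2 carries a raw ESC sequence in the requested URI.
SAMPLE = (
    "192.0.2.10 - - [04/Dec/2013:13:04:12 +0000] (2) init rewrite engine "
    "with requested uri /index.html\n"
    "192.0.2.11 - - [04/Dec/2013:13:04:13 +0000] (2) init rewrite engine "
    "with requested uri /a\x1b[31mb\n"
)

if __name__ == "__main__":
    for number, safe in find_raw_controls(SAMPLE):
        print("line %d: %s" % (number, safe))
```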

   Bugs fixed:

   * make sure that input that has already arrived on the
   socket is not discarded during a non-blocking read (read(2)
   returns 0 and errno is set to -EAGAIN). [bnc#815621]
   * make ssl connection not behave as above (this is
   openssl BIO stuff). [bnc#815621]
   * close the connection just before an attempted
   re-negotiation if data has been read with pipelining. This
   is done by resetting the keepalive status. [bnc#815621]
   [L3:38943]
   * reset the renegotiation status of a client<->server
   connection to RENEG_INIT to prevent falsely assumed status.
   [bnc#791794]
   * "OPTIONS *" internal requests are intercepted by a
   dummy filter that kicks in for the OPTIONS method. Apple
   iPrint uses "OPTIONS *" to upgrade the connection to
   TLS/1.0 following rfc2817. For compatibility, check if an
   Upgrade request header is present and skip the filter if
   yes. [bnc#791794]

   Security Issue references:

   * CVE-2013-1896
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896>
   * CVE-2013-1862
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-apache2-8429

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-apache2-8429

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 2.2.12]:

      apache2-2.2.12-1.40.7
      apache2-doc-2.2.12-1.40.7
      apache2-example-pages-2.2.12-1.40.7
      apache2-prefork-2.2.12-1.40.7
      apache2-utils-2.2.12-1.40.7
      apache2-worker-2.2.12-1.40.7

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 2.2.12]:

      apache2-2.2.12-1.40.7
      apache2-doc-2.2.12-1.40.7
      apache2-example-pages-2.2.12-1.40.7
      apache2-prefork-2.2.12-1.40.7
      apache2-utils-2.2.12-1.40.7
      apache2-worker-2.2.12-1.40.7


References:

   http://support.novell.com/security/cve/CVE-2013-1862.html
   http://support.novell.com/security/cve/CVE-2013-1896.html
   https://bugzilla.novell.com/791794
   https://bugzilla.novell.com/815621
   https://bugzilla.novell.com/829056
   https://bugzilla.novell.com/829057
   http://download.novell.com/patch/finder/?keywords=1788cfd4ee089aa3e421b7f8f02766fc


