SUSE-SU-2013:0469-1: Security update for apache2

Fri Mar 15 10:04:28 MDT 2013

   SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0469-1
Rating:             low
References:         #688472 #719236 #722545 #727071 #727993 #729181 
                    #736706 #738855 #741243 #743743 #757710 #777260 

Cross-References:   CVE-2012-0021 CVE-2012-0883 CVE-2012-2687
                    CVE-2012-4557
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that solves four vulnerabilities and has 8 fixes
   is now available.

Description:

   This Apache2 LTSS roll-up update for SUSE Linux Enterprise
   10 SP3 LTSS  fixes the following security issues and bugs:

   * CVE-2012-4557: Denial of Service via special requests
   in mod_proxy_ajp
   * CVE-2012-0883: improper LD_LIBRARY_PATH handling
   * CVE-2012-2687: filename escaping problem
   * CVE-2012-0031: Fixed a scoreboard corruption (shared
   mem segment) by child causes crash of privileged parent
   (invalid free()) during shutdown.
   * CVE-2012-0053: Fixed an issue in error responses that
   could expose "httpOnly" cookies when no custom
   ErrorDocument is specified for status code 400".
   * The SSL configuration template has been adjusted not
   to suggested weak ciphers
   *

   CVE-2007-6750: The "mod_reqtimeout" module was
   backported from Apache 2.2.21 to help mitigate the
   "Slowloris" Denial of Service attack.

   You need to enable the "mod_reqtimeout" module in
   your existing apache configuration to make it effective,
   e.g. in the APACHE_MODULES line in /etc/sysconfig/apache2.

   * CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This
   update also includes several fixes for a mod_proxy reverse
   exposure via RewriteRule or ProxyPassMatch directives.
   * CVE-2011-1473: Fixed the SSL renegotiation DoS by
   disabling renegotiation by default.
   * CVE-2011-3607: Integer overflow in ap_pregsub
   function resulting in a heap based buffer overflow could
   potentially allow local attackers to gain privileges

   Additionally, some non-security bugs have been fixed which
   are listed in  the changelog file.

   Security Issue references:

   * CVE-2012-4557
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4557
   >
   * CVE-2012-2687
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
   >
   * CVE-2012-0883
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
   >
   * CVE-2012-0021
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021
   >

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):

      apache2-2.2.3-16.32.45.1
      apache2-devel-2.2.3-16.32.45.1
      apache2-doc-2.2.3-16.32.45.1
      apache2-example-pages-2.2.3-16.32.45.1
      apache2-prefork-2.2.3-16.32.45.1
      apache2-worker-2.2.3-16.32.45.1

References:

   http://support.novell.com/security/cve/CVE-2012-0021.html
   http://support.novell.com/security/cve/CVE-2012-0883.html
   http://support.novell.com/security/cve/CVE-2012-2687.html
   http://support.novell.com/security/cve/CVE-2012-4557.html
   https://bugzilla.novell.com/688472
   https://bugzilla.novell.com/719236
   https://bugzilla.novell.com/722545
   https://bugzilla.novell.com/727071
   https://bugzilla.novell.com/727993
   https://bugzilla.novell.com/729181
   https://bugzilla.novell.com/736706
   https://bugzilla.novell.com/738855
   https://bugzilla.novell.com/741243
   https://bugzilla.novell.com/743743
   https://bugzilla.novell.com/757710
   https://bugzilla.novell.com/777260
   http://download.novell.com/patch/finder/?keywords=25e42b7bd84d54954a51c9fe38e777e0