SUSE-SU-2013:0389-1: Security update for Apache
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Mon Mar 4 15:04:33 MST 2013
SUSE Security Update: Security update for Apache
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:0389-1
Rating: low
References: #722545 #757710 #774045 #777260 #782956 #788121
#793004 #798733
Cross-References: CVE-2012-0021 CVE-2012-0883 CVE-2012-2687
CVE-2012-4557
Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP2
SUSE Linux Enterprise Server 11 SP2 for VMware
SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________
An update that solves four vulnerabilities and has four
fixes is now available.
Description:
This update fixes the following issues:
* CVE-2012-4557: Denial of Service via special requests
in mod_proxy_ajp
* CVE-2012-0883: improper LD_LIBRARY_PATH handling
* CVE-2012-2687: filename escaping problem
Additionally, some non-security bugs have been fixed:
* ignore case when checking against SNI server names.
[bnc#798733]
*
httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff
reworked to reflect the upstream changes. This will prevent
the "Invalid URI in request OPTIONS *" messages in the
error log. [bnc#722545]
* new sysconfig variable
APACHE_DISABLE_SSL_COMPRESSION; if set to on,
OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache
process; openssl will then transparently disable
compression. This change affects start script and sysconfig
fillup template. Default is on, SSL compression disabled.
Please see mod_deflate for compressed transfer at http
layer. [bnc#782956]
Security Issue references:
* CVE-2012-4557
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4557
>
* CVE-2012-2687
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
>
* CVE-2012-0883
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
>
* CVE-2012-0021
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021
>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP2:
zypper in -t patch sdksp2-apache2-7409
- SUSE Linux Enterprise Server 11 SP2 for VMware:
zypper in -t patch slessp2-apache2-7409
- SUSE Linux Enterprise Server 11 SP2:
zypper in -t patch slessp2-apache2-7409
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
apache2-devel-2.2.12-1.36.1
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):
apache2-2.2.12-1.36.1
apache2-doc-2.2.12-1.36.1
apache2-example-pages-2.2.12-1.36.1
apache2-prefork-2.2.12-1.36.1
apache2-utils-2.2.12-1.36.1
apache2-worker-2.2.12-1.36.1
- SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
apache2-2.2.12-1.36.1
apache2-doc-2.2.12-1.36.1
apache2-example-pages-2.2.12-1.36.1
apache2-prefork-2.2.12-1.36.1
apache2-utils-2.2.12-1.36.1
apache2-worker-2.2.12-1.36.1
- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
apache2-2.2.12-1.36.1
apache2-doc-2.2.12-1.36.1
apache2-example-pages-2.2.12-1.36.1
apache2-prefork-2.2.12-1.36.1
apache2-utils-2.2.12-1.36.1
apache2-worker-2.2.12-1.36.1
References:
http://support.novell.com/security/cve/CVE-2012-0021.html
http://support.novell.com/security/cve/CVE-2012-0883.html
http://support.novell.com/security/cve/CVE-2012-2687.html
http://support.novell.com/security/cve/CVE-2012-4557.html
https://bugzilla.novell.com/722545
https://bugzilla.novell.com/757710
https://bugzilla.novell.com/774045
https://bugzilla.novell.com/777260
https://bugzilla.novell.com/782956
https://bugzilla.novell.com/788121
https://bugzilla.novell.com/793004
https://bugzilla.novell.com/798733
http://download.novell.com/patch/finder/?keywords=faf6f499f41597d750ce0aecd251ed2e
More information about the sle-security-updates
mailing list