SUSE-SU-2013:0469-1: Security update for apache2
sle-security-updates at lists.suse.com
Fri Mar 15 10:04:28 MDT 2013
SUSE Security Update: Security update for apache2
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:0469-1
Rating: low
References: #688472 #719236 #722545 #727071 #727993 #729181 #736706 #738855 #741243 #743743 #757710 #777260
Cross-References: CVE-2012-0021 CVE-2012-0883 CVE-2012-2687 CVE-2012-4557
Affected Products:
SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________
An update that solves four vulnerabilities and has 8 fixes
is now available.
Description:
This Apache2 LTSS roll-up update for SUSE Linux Enterprise
10 SP3 LTSS fixes the following security issues and bugs:
* CVE-2012-4557: Denial of Service via special requests
in mod_proxy_ajp
* CVE-2012-0883: improper LD_LIBRARY_PATH handling
* CVE-2012-2687: filename escaping problem
* CVE-2012-0031: Fixed a scoreboard corruption (shared memory
segment) by a child process that caused a crash of the privileged
parent (invalid free()) during shutdown.
* CVE-2012-0053: Fixed an issue in error responses that
could expose "httpOnly" cookies when no custom
ErrorDocument is specified for status code 400.
* The SSL configuration template has been adjusted so that it
no longer suggests weak ciphers.
* CVE-2007-6750: The "mod_reqtimeout" module was
backported from Apache 2.2.21 to help mitigate the
"Slowloris" Denial of Service attack.
You need to enable the "mod_reqtimeout" module in
your existing apache configuration to make it effective,
e.g. in the APACHE_MODULES line in /etc/sysconfig/apache2.
* CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This
update also includes several fixes for a mod_proxy reverse
proxy exposure via RewriteRule or ProxyPassMatch directives.
* CVE-2011-1473: Fixed the SSL renegotiation DoS by
disabling renegotiation by default.
* CVE-2011-3607: An integer overflow in the ap_pregsub
function resulting in a heap-based buffer overflow could
potentially allow local attackers to gain privileges.
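The mod_reqtimeout step above is the one part of this update that is not effective until the administrator changes configuration. The following shell script is an added example, not part of the SUSE advisory or the apache2 package: it idempotently appends "reqtimeout" to the APACHE_MODULES line of a sysconfig file and verifies the result. It assumes SUSE's convention of listing modules in APACHE_MODULES without the "mod_" prefix, and it works on a constructed copy of /etc/sysconfig/apache2 so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): enable mod_reqtimeout by
# editing the APACHE_MODULES="..." line of a sysconfig file.
# Assumption: modules are named without the "mod_" prefix (SUSE convention).

# Succeed (exit 0) if module $1 is already listed in APACHE_MODULES of file $2.
apache_module_enabled() {
    grep '^APACHE_MODULES=' "$2" | tr -d '"' | cut -d= -f2- \
        | tr ' ' '\n' | grep -qx "$1"
}

# Append module $1 to the APACHE_MODULES line of file $2 unless already present.
# Leaves every other line untouched and edits only the first matching line.
apache_enable_module() {
    mod="$1"; file="$2"
    if apache_module_enabled "$mod" "$file"; then
        return 0
    fi
    awk -v mod="$mod" '
        /^APACHE_MODULES="/ && !done {
            sub(/[[:space:]]+$/, "")              # drop trailing whitespace
            sub(/"$/, " " mod "\"")               # insert before closing quote
            done = 1
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    apache_module_enabled "$mod" "$file"
}

# Constructed stand-in for /etc/sysconfig/apache2 (sample content, not a real host).
SAMPLE_SYSCONFIG="${TMPDIR:-/tmp}/apache2.sysconfig.example"
cat > "$SAMPLE_SYSCONFIG" <<'EOF'
## Type:        string
APACHE_MODULES="actions alias auth_basic authz_host dir mime ssl"
APACHE_SERVER_FLAGS="SSL"
EOF

apache_enable_module reqtimeout "$SAMPLE_SYSCONFIG"
grep '^APACHE_MODULES=' "$SAMPLE_SYSCONFIG"
```

On a real SLES 10 host the same function would be run against /etc/sysconfig/apache2, followed by a restart of apache2 so the module is loaded.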
Additionally, some non-security bugs have been fixed which
are listed in the changelog file.
Security Issue references:
* CVE-2012-4557 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4557>
* CVE-2012-2687 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687>
* CVE-2012-0883 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883>
* CVE-2012-0021 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021>
Package List:
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
apache2-2.2.3-16.32.45.1
apache2-devel-2.2.3-16.32.45.1
apache2-doc-2.2.3-16.32.45.1
apache2-example-pages-2.2.3-16.32.45.1
apache2-prefork-2.2.3-16.32.45.1
apache2-worker-2.2.3-16.32.45.1
References:
http://support.novell.com/security/cve/CVE-2012-0021.html
http://support.novell.com/security/cve/CVE-2012-0883.html
http://support.novell.com/security/cve/CVE-2012-2687.html
http://support.novell.com/security/cve/CVE-2012-4557.html
https://bugzilla.novell.com/688472
https://bugzilla.novell.com/719236
https://bugzilla.novell.com/722545
https://bugzilla.novell.com/727071
https://bugzilla.novell.com/727993
https://bugzilla.novell.com/729181
https://bugzilla.novell.com/736706
https://bugzilla.novell.com/738855
https://bugzilla.novell.com/741243
https://bugzilla.novell.com/743743
https://bugzilla.novell.com/757710
https://bugzilla.novell.com/777260
http://download.novell.com/patch/finder/?keywords=25e42b7bd84d54954a51c9fe38e777e0