SUSE-SU-2013:0469-1: Security update for apache2

sle-security-updates at sle-security-updates at
Fri Mar 15 10:04:28 MDT 2013

   SUSE Security Update: Security update for apache2

Announcement ID:    SUSE-SU-2013:0469-1
Rating:             low
References:         #688472 #719236 #722545 #727071 #727993 #729181 
                    #736706 #738855 #741243 #743743 #757710 #777260 
Cross-References:   CVE-2012-0021 CVE-2012-0883 CVE-2012-2687
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS

   An update that solves four vulnerabilities and has 8 fixes
   is now available.


   This Apache2 LTSS roll-up update for SUSE Linux Enterprise
   10 SP3 LTSS  fixes the following security issues and bugs:

   * CVE-2012-4557: Denial of Service via special requests
   in mod_proxy_ajp
   * CVE-2012-0883: improper LD_LIBRARY_PATH handling
   * CVE-2012-2687: filename escaping problem
   * CVE-2012-0031: Fixed a scoreboard corruption (shared
   mem segment) by child causes crash of privileged parent
   (invalid free()) during shutdown.
   * CVE-2012-0053: Fixed an issue in error responses that
   could expose "httpOnly" cookies when no custom
   ErrorDocument is specified for status code 400".
   * The SSL configuration template has been adjusted not
   to suggested weak ciphers

   CVE-2007-6750: The "mod_reqtimeout" module was
   backported from Apache 2.2.21 to help mitigate the
   "Slowloris" Denial of Service attack.

   You need to enable the "mod_reqtimeout" module in
   your existing apache configuration to make it effective,
   e.g. in the APACHE_MODULES line in /etc/sysconfig/apache2.

   * CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This
   update also includes several fixes for a mod_proxy reverse
   exposure via RewriteRule or ProxyPassMatch directives.
   * CVE-2011-1473: Fixed the SSL renegotiation DoS by
   disabling renegotiation by default.
   * CVE-2011-3607: Integer overflow in ap_pregsub
   function resulting in a heap based buffer overflow could
   potentially allow local attackers to gain privileges

   Additionally, some non-security bugs have been fixed which
   are listed in  the changelog file.

   Security Issue references:

   * CVE-2012-4557
   * CVE-2012-2687
   * CVE-2012-0883
   * CVE-2012-0021

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):



More information about the sle-security-updates mailing list