SUSE-SU-2013:0830-1: moderate: Security update for Apache

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon May 27 09:04:27 MDT 2013 

   SUSE Security Update: Security update for Apache
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0830-1
Rating:             moderate
References:         #722545 #757710 #774045 #777260 #782956 #788121 
                    #793004 #798733 #806458 #807152 
Cross-References:   CVE-2012-0021 CVE-2012-0883 CVE-2012-2687
                    CVE-2012-3499 CVE-2012-4557 CVE-2012-4558
                   
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware LTSS
                    SUSE Linux Enterprise Server 11 SP1 LTSS
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has four fixes
   is now available. It includes one version update.

Description:


   Apache2 has been updated to fix multiple security issues:

   *

   CVE-2012-4557: Denial of Service via special requests
   in mod_proxy_ajp

   *

   CVE-2012-0883: improper LD_LIBRARY_PATH handling

   *

   CVE-2012-2687: filename escaping problem

   *

   CVE-2012-4558: Multiple cross-site scripting (XSS)
   vulnerabilities in the balancer_handler function in the
   manager interface in mod_proxy_balancer.c in the
   mod_proxy_balancer module in the Apache HTTP Server
   potentially allowed remote attackers to inject arbitrary
   web script or HTML via a crafted string.

   *

   CVE-2012-3499: Multiple cross-site scripting (XSS)
   vulnerabilities in the Apache HTTP Server allowed remote
   attackers to inject arbitrary web script or HTML via
   vectors involving hostnames and URIs in the (1)
   mod_imagemap, (2) mod_info, (3) mod_ldap, (4)
   mod_proxy_ftp, and (5) mod_status modules.

   Additionally, some non-security bugs have been fixed:

   *

   ignore case when checking against SNI server names.
   [bnc#798733]

   *

   httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff rewor
   ked to reflect the upstream changes. This will prevent the
   "Invalid URI in request OPTIONS *" messages in the error
   log. [bnc#722545]

   *

   new sysconfig variable
   APACHE_DISABLE_SSL_COMPRESSION; if set to on,
   OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache
   process; openssl will then transparently disable
   compression. This change affects start script and sysconfig
   fillup template. Default is on, SSL compression disabled.
   Please see mod_deflate for compressed transfer at http
   layer. [bnc#782956]

   Security Issue references:

   * CVE-2012-3499
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
   >
   * CVE-2012-4558
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
   >
   * CVE-2012-4557
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4557
   >
   * CVE-2012-2687
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
   >
   * CVE-2012-0883
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
   >
   * CVE-2012-0021
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021
   >


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:

      zypper in -t patch slessp1-apache2-7674

   - SUSE Linux Enterprise Server 11 SP1 LTSS:

      zypper in -t patch slessp1-apache2-7674

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 2.2.12]:

      apache2-2.2.12-1.38.2
      apache2-doc-2.2.12-1.38.2
      apache2-example-pages-2.2.12-1.38.2
      apache2-prefork-2.2.12-1.38.2
      apache2-utils-2.2.12-1.38.2
      apache2-worker-2.2.12-1.38.2

   - SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 2.2.12]:

      apache2-2.2.12-1.38.2
      apache2-doc-2.2.12-1.38.2
      apache2-example-pages-2.2.12-1.38.2
      apache2-prefork-2.2.12-1.38.2
      apache2-utils-2.2.12-1.38.2
      apache2-worker-2.2.12-1.38.2


References:

   http://support.novell.com/security/cve/CVE-2012-0021.html
   http://support.novell.com/security/cve/CVE-2012-0883.html
   http://support.novell.com/security/cve/CVE-2012-2687.html
   http://support.novell.com/security/cve/CVE-2012-3499.html
   http://support.novell.com/security/cve/CVE-2012-4557.html
   http://support.novell.com/security/cve/CVE-2012-4558.html
   https://bugzilla.novell.com/722545
   https://bugzilla.novell.com/757710
   https://bugzilla.novell.com/774045
   https://bugzilla.novell.com/777260
   https://bugzilla.novell.com/782956
   https://bugzilla.novell.com/788121
   https://bugzilla.novell.com/793004
   https://bugzilla.novell.com/798733
   https://bugzilla.novell.com/806458
   https://bugzilla.novell.com/807152
   http://download.novell.com/patch/finder/?keywords=efd52c274921f5432920f00796e7dbd7

More information about the sle-security-updates mailing list