SUSE-SU-2015:0974-1: moderate: Security update for apache2

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon Jun 1 01:05:03 MDT 2015


   SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0974-1
Rating:             moderate
References:         #792309 #871310 #899836 #909715 #918352 #923090 
                    
Cross-References:   CVE-2013-5704 CVE-2014-3581 CVE-2014-8109
                    CVE-2015-0228
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that solves four vulnerabilities and has two
   fixes is now available.

Description:

   Apache2 updated to fix four security issues and one non-security bug.

   The following vulnerabilities have been fixed:

   - mod_headers rules could be bypassed via chunked requests. Adds
     "MergeTrailers" directive to restore legacy behavior. (bsc#871310,
     CVE-2013-5704)
   - An empty value in Content-Type could lead to a crash through a null
     pointer dereference and a denial of service. (bsc#899836, CVE-2014-3581)
   - Remote attackers could bypass intended access restrictions in mod_lua
     LuaAuthzProvider when multiple Require directives with different
     arguments are used. (bsc#909715, CVE-2014-8109)
   - Remote attackers could cause a denial of service (child-process crash)
     by sending a crafted WebSocket Ping frame after a Lua script has called
     the wsupgrade function. (bsc#918352, CVE-2015-0228)

   The following non-security issues have been fixed:

   - The Apache2 systemd service file was changed to fix situation where
     apache wouldn't start at boot when using an encrypted certificate
     because the user wasn't prompted for password during boot. (bsc#792309)

   Additionally, mod_imagemap is now included by default in the package.
   (bsc#923090)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-226=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-226=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      apache2-debuginfo-2.4.10-12.1
      apache2-debugsource-2.4.10-12.1
      apache2-devel-2.4.10-12.1

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      apache2-2.4.10-12.1
      apache2-debuginfo-2.4.10-12.1
      apache2-debugsource-2.4.10-12.1
      apache2-example-pages-2.4.10-12.1
      apache2-prefork-2.4.10-12.1
      apache2-prefork-debuginfo-2.4.10-12.1
      apache2-utils-2.4.10-12.1
      apache2-utils-debuginfo-2.4.10-12.1
      apache2-worker-2.4.10-12.1
      apache2-worker-debuginfo-2.4.10-12.1

   - SUSE Linux Enterprise Server 12 (noarch):

      apache2-doc-2.4.10-12.1


References:

   https://www.suse.com/security/cve/CVE-2013-5704.html
   https://www.suse.com/security/cve/CVE-2014-3581.html
   https://www.suse.com/security/cve/CVE-2014-8109.html
   https://www.suse.com/security/cve/CVE-2015-0228.html
   https://bugzilla.suse.com/792309
   https://bugzilla.suse.com/871310
   https://bugzilla.suse.com/899836
   https://bugzilla.suse.com/909715
   https://bugzilla.suse.com/918352
   https://bugzilla.suse.com/923090



More information about the sle-security-updates mailing list