Security update for Apache

SUSE Security Update: Security update for Apache
Announcement ID: SUSE-SU-2013:0389-1
Rating: low
References: #722545 #757710 #774045 #777260 #782956 #788121 #793004 #798733
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11 SP2
  • SUSE Linux Enterprise Server 11 SP2 for VMware
  • SUSE Linux Enterprise Server 11 SP2

An update that solves four vulnerabilities and has four fixes is now available.

    Description:


    This update fixes the following issues:

    * CVE-2012-4557: Denial of Service via special requests in mod_proxy_ajp
    * CVE-2012-0883: improper LD_LIBRARY_PATH handling
    * CVE-2012-2687: filename escaping problem

    Additionally, some non-security bugs have been fixed:

    * Ignore case when checking against SNI server names.
    [bnc#798733]
    * httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff
    has been reworked to reflect the upstream changes. This
    prevents the "Invalid URI in request OPTIONS *" messages in
    the error log. [bnc#722545]
    * New sysconfig variable APACHE_DISABLE_SSL_COMPRESSION:
    if set to on, OPENSSL_NO_DEFAULT_ZLIB is inherited by the
    apache process, and openssl then transparently disables
    compression. This change affects the start script and the
    sysconfig fillup template. The default is on (SSL
    compression disabled). See mod_deflate for compressed
    transfer at the HTTP layer. [bnc#782956]
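
    One way to check the APACHE_DISABLE_SSL_COMPRESSION behaviour described above on a patched host, as an added example that is not part of the advisory or of SUSE's start script. The function names, the live-host paths named in the comments and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not SUSE's start script. On a live host the inputs would be
# /etc/sysconfig/apache2 and /proc/<pid>/environ (both assumed paths).

# Print the value assigned to APACHE_DISABLE_SSL_COMPRESSION in a sysconfig
# file (last uncommented assignment wins), or "unset" if none or empty.
sysconfig_setting() {
    v=$(sed -n 's/^[[:space:]]*APACHE_DISABLE_SSL_COMPRESSION=//p' "$1" | tail -n 1)
    v=$(printf '%s' "$v" | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
        -e 's/^["'\'']//' -e 's/["'\'']$//')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else echo unset; fi
}

# Succeed if a NUL-separated environment dump (the /proc/<pid>/environ format)
# contains a variable named OPENSSL_NO_DEFAULT_ZLIB; its value is not checked.
environ_has_no_zlib() {
    tr '\0' '\n' < "$1" | grep -q '^OPENSSL_NO_DEFAULT_ZLIB='
}

# Compare the configured setting with what a process actually inherited.
#   disabled      variable present in the process environment
#   stale         setting is on, but the process does not carry the variable
#   not-disabled  setting is not on and the variable is absent
audit_ssl_compression() {
    setting=$(sysconfig_setting "$1")
    if environ_has_no_zlib "$2"; then
        echo disabled
    elif [ "$setting" = on ]; then
        echo stale
        return 1
    else
        echo not-disabled
        return 2
    fi
}

# Constructed sample input: one sysconfig fragment and two environment dumps.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'APACHE_DISABLE_SSL_COMPRESSION="on"' > "$d/sysconfig"
    printf 'PATH=/usr/bin\0OPENSSL_NO_DEFAULT_ZLIB=1\0' > "$d/env_new"
    printf 'PATH=/usr/bin\0' > "$d/env_old"
    audit_ssl_compression "$d/sysconfig" "$d/env_new"
    audit_ssl_compression "$d/sysconfig" "$d/env_old" || true
    rm -rf "$d"
}
demo
```

    A "stale" verdict means the configuration and the running process disagree, which is the case to look for after applying the update.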

    Security Issue references:

    * CVE-2012-4557
    * CVE-2012-2687
    * CVE-2012-0883
    * CVE-2012-0021

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp2-apache2-7409
    • SUSE Linux Enterprise Server 11 SP2 for VMware:
      zypper in -t patch slessp2-apache2-7409
    • SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp2-apache2-7409

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      • apache2-devel-2.2.12-1.36.1
    • SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):
      • apache2-2.2.12-1.36.1
      • apache2-doc-2.2.12-1.36.1
      • apache2-example-pages-2.2.12-1.36.1
      • apache2-prefork-2.2.12-1.36.1
      • apache2-utils-2.2.12-1.36.1
      • apache2-worker-2.2.12-1.36.1
    • SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
      • apache2-2.2.12-1.36.1
      • apache2-doc-2.2.12-1.36.1
      • apache2-example-pages-2.2.12-1.36.1
      • apache2-prefork-2.2.12-1.36.1
      • apache2-utils-2.2.12-1.36.1
      • apache2-worker-2.2.12-1.36.1
    • SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):
      • apache2-2.2.12-1.36.1
      • apache2-doc-2.2.12-1.36.1
      • apache2-example-pages-2.2.12-1.36.1
      • apache2-prefork-2.2.12-1.36.1
      • apache2-utils-2.2.12-1.36.1
      • apache2-worker-2.2.12-1.36.1

    References:

    • http://support.novell.com/security/cve/CVE-2012-0021.html
    • http://support.novell.com/security/cve/CVE-2012-0883.html
    • http://support.novell.com/security/cve/CVE-2012-2687.html
    • http://support.novell.com/security/cve/CVE-2012-4557.html
    • https://bugzilla.novell.com/722545
    • https://bugzilla.novell.com/757710
    • https://bugzilla.novell.com/774045
    • https://bugzilla.novell.com/777260
    • https://bugzilla.novell.com/782956
    • https://bugzilla.novell.com/788121
    • https://bugzilla.novell.com/793004
    • https://bugzilla.novell.com/798733
    • http://download.suse.com/patch/finder/?keywords=faf6f499f41597d750ce0aecd251ed2e