Security update for apache2

SUSE Security Update: Security update for apache2
Announcement ID: SUSE-SU-2013:0469-1
Rating: low
References: #688472 #719236 #722545 #727071 #727993 #729181 #736706 #738855 #741243 #743743 #757710 #777260
Affected Products:
  • SUSE Linux Enterprise Server 10 SP3 LTSS

  • An update that solves four vulnerabilities and has 8 fixes is now available.


    This Apache2 LTSS roll-up update for SUSE Linux Enterprise
    10 SP3 LTSS fixes the following security issues and bugs:

    * CVE-2012-4557: Denial of Service via special requests
    in mod_proxy_ajp
    * CVE-2012-0883: improper LD_LIBRARY_PATH handling
    * CVE-2012-2687: filename escaping problem
    * CVE-2012-0031: Fixed a scoreboard (shared memory
    segment) corruption by a child process that could crash
    the privileged parent (invalid free()) during shutdown.
    * CVE-2012-0053: Fixed an issue in error responses that
    could expose "httpOnly" cookies when no custom
    ErrorDocument is specified for status code 400.
    * The SSL configuration template has been adjusted not
    to suggest weak ciphers.

    CVE-2007-6750: The "mod_reqtimeout" module was
    backported from Apache 2.2.21 to help mitigate the
    "Slowloris" Denial of Service attack.

    You need to enable the "mod_reqtimeout" module in
    your existing apache configuration to make it effective,
    e.g. in the APACHE_MODULES line in /etc/sysconfig/apache2.
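    The following shell script is an added worked example, not
    part of this advisory or of the SUSE apache2 package. It
    performs the step described above on a SUSE-style
    /etc/sysconfig/apache2 (appending "reqtimeout" to the
    APACHE_MODULES line, idempotently) and drops a
    RequestReadTimeout policy into a conf.d snippet. The function
    names, the temporary file paths used by the demo and the
    timeout values are assumptions chosen for illustration; tune
    the values for your own client population.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): enable mod_reqtimeout on a
# SUSE-style apache2 installation and give it a Slowloris-resistant policy.
# The function names and the demo file paths are assumptions; on a real
# SLES host the files are /etc/sysconfig/apache2 and /etc/apache2/conf.d/.

# Return 0 if "reqtimeout" is already listed in the APACHE_MODULES line.
reqtimeout_enabled() {
    grep -q '^APACHE_MODULES=.*[" ]reqtimeout[" ]' "$1"
}

# Append "reqtimeout" to APACHE_MODULES="..." unless it is already there.
# Prints "enabled" or "already-enabled". The edit goes through a temp file
# and mv so it works with a plain POSIX sed (no GNU -i needed).
enable_reqtimeout() {
    sysconfig="$1"
    if reqtimeout_enabled "$sysconfig"; then
        echo already-enabled
        return 0
    fi
    # Insert " reqtimeout" just before the closing quote of the module list.
    sed 's/^\(APACHE_MODULES="[^"]*\)"/\1 reqtimeout"/' "$sysconfig" \
        > "$sysconfig.tmp" && mv "$sysconfig.tmp" "$sysconfig"
    echo enabled
}

# Write the RequestReadTimeout policy to a conf.d drop-in. The <IfModule>
# guard keeps the config loadable even if the module is not compiled in.
# Values are an illustrative policy (assumption), not the advisory's.
write_reqtimeout_conf() {
    cat > "$1" <<'EOF'
# Clients get 20s to finish sending request headers; every 500 bytes
# received extends that by 1s, up to a hard cap of 40s. The body gets the
# same 20s/500-byte rule without a cap. A Slowloris client that drips a
# few bytes per minute is dropped instead of holding a worker forever.
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
EOF
}

# Self-contained demo on a constructed sample sysconfig (not a system file).
# Prints the resulting APACHE_MODULES line.
demo_reqtimeout() {
    tmp=$(mktemp -d)
    printf '%s\n' '## Type: string' \
        'APACHE_MODULES="actions alias auth_basic authz_host dir mime ssl"' \
        > "$tmp/apache2.sysconfig"            # constructed sample (subset)
    enable_reqtimeout "$tmp/apache2.sysconfig"   # enabled
    enable_reqtimeout "$tmp/apache2.sysconfig"   # already-enabled (idempotent)
    write_reqtimeout_conf "$tmp/reqtimeout.conf"
    grep '^APACHE_MODULES=' "$tmp/apache2.sysconfig"
    rm -rf "$tmp"
}
```

    After editing the real sysconfig file, restart apache2 and
    confirm the module is actually loaded (for example with
    `apache2ctl -M`) before relying on the timeouts; a module that
    is listed in APACHE_MODULES but failed to load leaves the
    server exactly as exposed as before.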

    * CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This
    update also includes several fixes for a mod_proxy reverse
    proxy exposure via RewriteRule or ProxyPassMatch directives.
    * CVE-2011-1473: Fixed the SSL renegotiation DoS by
    disabling renegotiation by default.
    * CVE-2011-3607: An integer overflow in the ap_pregsub
    function resulting in a heap-based buffer overflow could
    potentially allow local attackers to gain privileges.

    Additionally, some non-security bugs have been fixed which
    are listed in the changelog file.

    Security Issue references:

    * CVE-2012-4557
    * CVE-2012-2687
    * CVE-2012-0883
    * CVE-2012-0021

    Package List:

    • SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64):
    • apache2-2.2.3-
    • apache2-devel-2.2.3-
    • apache2-doc-2.2.3-
    • apache2-example-pages-2.2.3-
    • apache2-prefork-2.2.3-
    • apache2-worker-2.2.3-