Security update for Apache
SUSE Security Update: Security update for Apache
Apache2 has been updated to fix multiple security issues:
*
CVE-2012-4557: Denial of Service via special requests
in mod_proxy_ajp
*
CVE-2012-0883: improper LD_LIBRARY_PATH handling
*
CVE-2012-2687: filename escaping problem
*
CVE-2012-4558: Multiple cross-site scripting (XSS)
vulnerabilities in the balancer_handler function in the
manager interface in mod_proxy_balancer.c in the
mod_proxy_balancer module in the Apache HTTP Server
potentially allowed remote attackers to inject arbitrary
web script or HTML via a crafted string.
*
CVE-2012-3499: Multiple cross-site scripting (XSS)
vulnerabilities in the Apache HTTP Server allowed remote
attackers to inject arbitrary web script or HTML via
vectors involving hostnames and URIs in the (1)
mod_imagemap, (2) mod_info, (3) mod_ldap, (4)
mod_proxy_ftp, and (5) mod_status modules.
Additionally, some non-security bugs have been fixed:
*
ignore case when checking against SNI server names.
[bnc#798733]
*
httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff rewor
ked to reflect the upstream changes. This will prevent the
"Invalid URI in request OPTIONS *" messages in the error
log. [bnc#722545]
*
new sysconfig variable
APACHE_DISABLE_SSL_COMPRESSION; if set to on,
OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache
process; openssl will then transparently disable
compression. This change affects start script and sysconfig
fillup template. Default is on, SSL compression disabled.
Please see mod_deflate for compressed transfer at http
layer. [bnc#782956]
Security Issue references:
* CVE-2012-3499
>
* CVE-2012-4558
>
* CVE-2012-4557
>
* CVE-2012-2687
>
* CVE-2012-0883
>
* CVE-2012-0021
>
Announcement ID: | SUSE-SU-2013:0830-1 |
Rating: | moderate |
References: | #722545 #757710 #774045 #777260 #782956 #788121 #793004 #798733 #806458 #807152 |
Affected Products: |
An update that solves 6 vulnerabilities and has four fixes is now available. It includes one version update.
Description:
Apache2 has been updated to fix multiple security issues:
*
CVE-2012-4557: Denial of Service via special requests
in mod_proxy_ajp
*
CVE-2012-0883: improper LD_LIBRARY_PATH handling
*
CVE-2012-2687: filename escaping problem
*
CVE-2012-4558: Multiple cross-site scripting (XSS)
vulnerabilities in the balancer_handler function in the
manager interface in mod_proxy_balancer.c in the
mod_proxy_balancer module in the Apache HTTP Server
potentially allowed remote attackers to inject arbitrary
web script or HTML via a crafted string.
*
CVE-2012-3499: Multiple cross-site scripting (XSS)
vulnerabilities in the Apache HTTP Server allowed remote
attackers to inject arbitrary web script or HTML via
vectors involving hostnames and URIs in the (1)
mod_imagemap, (2) mod_info, (3) mod_ldap, (4)
mod_proxy_ftp, and (5) mod_status modules.
Additionally, some non-security bugs have been fixed:
*
ignore case when checking against SNI server names.
[bnc#798733]
*
httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff rewor
ked to reflect the upstream changes. This will prevent the
"Invalid URI in request OPTIONS *" messages in the error
log. [bnc#722545]
*
new sysconfig variable
APACHE_DISABLE_SSL_COMPRESSION; if set to on,
OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache
process; openssl will then transparently disable
compression. This change affects start script and sysconfig
fillup template. Default is on, SSL compression disabled.
Please see mod_deflate for compressed transfer at http
layer. [bnc#782956]
Security Issue references:
* CVE-2012-3499
* CVE-2012-4558
* CVE-2012-4557
* CVE-2012-2687
* CVE-2012-0883
* CVE-2012-0021
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP1 for VMware LTSS:
zypper in -t patch slessp1-apache2-7674
- SUSE Linux Enterprise Server 11 SP1 LTSS:
zypper in -t patch slessp1-apache2-7674
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP1 for VMware LTSS (i586 x86_64) [New Version: 2.2.12]:
- apache2-2.2.12-1.38.2
- apache2-doc-2.2.12-1.38.2
- apache2-example-pages-2.2.12-1.38.2
- apache2-prefork-2.2.12-1.38.2
- apache2-utils-2.2.12-1.38.2
- apache2-worker-2.2.12-1.38.2
- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64) [New Version: 2.2.12]:
- apache2-2.2.12-1.38.2
- apache2-doc-2.2.12-1.38.2
- apache2-example-pages-2.2.12-1.38.2
- apache2-prefork-2.2.12-1.38.2
- apache2-utils-2.2.12-1.38.2
- apache2-worker-2.2.12-1.38.2
References:
- http://support.novell.com/security/cve/CVE-2012-0021.html
- http://support.novell.com/security/cve/CVE-2012-0883.html
- http://support.novell.com/security/cve/CVE-2012-2687.html
- http://support.novell.com/security/cve/CVE-2012-3499.html
- http://support.novell.com/security/cve/CVE-2012-4557.html
- http://support.novell.com/security/cve/CVE-2012-4558.html
- https://bugzilla.novell.com/722545
- https://bugzilla.novell.com/757710
- https://bugzilla.novell.com/774045
- https://bugzilla.novell.com/777260
- https://bugzilla.novell.com/782956
- https://bugzilla.novell.com/788121
- https://bugzilla.novell.com/793004
- https://bugzilla.novell.com/798733
- https://bugzilla.novell.com/806458
- https://bugzilla.novell.com/807152
- http://download.suse.com/patch/finder/?keywords=efd52c274921f5432920f00796e7dbd7