Security update for apache2

SUSE Security Update: Security update for apache2
Announcement ID: SUSE-SU-2015:0689-1
Rating: moderate
References: #713970 #871310 #899836 #904427 #907339 #907477
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3

An update that contains security fixes can now be installed.

    Description:


    The Apache2 webserver was updated to fix various issues.

    The following feature was added:

    * Provide support for the tunneling of web socket connections to a
    backend websockets server. (FATE#316880)

    The following security issues have been fixed:

    * CVE-2013-5704: The mod_headers module in the Apache HTTP Server
    2.2.22 allowed remote attackers to bypass "RequestHeader unset"
    directives by placing a header in the trailer portion of data sent
    with chunked transfer coding. The fix also adds a "MergeTrailers"
    directive to restore legacy behavior.
    * CVE-2014-3581: The cache_merge_headers_out function in
    modules/cache/cache_util.c in the mod_cache module in the Apache
    HTTP Server allowed remote attackers to cause a denial of service
    (NULL pointer dereference and application crash) via an empty HTTP
    Content-Type header.
    * CVE-2003-1418: Apache HTTP Server allowed remote attackers to obtain
    sensitive information via (1) the ETag header, which reveals the
    inode number, or (2) multipart MIME boundary, which reveals child
    process IDs (PID). So far we have assumed that this is not useful to
    attackers; the fix basically just reduces potential information
    leaks.
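
Added example (not part of the SUSE advisory and not Apache code): a simplified Python model of the CVE-2013-5704 trailer handling described above, with a check that flags trailer fields whose names collide with headers a configuration unsets. The function names, the sample request and the header name X-Example-Auth are constructed for illustration.

```python
# Simplified model of CVE-2013-5704 trailer handling; not Apache source code.

def _fields(lines):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    out = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep:
            out[name.strip().lower().decode()] = value.strip().decode()
    return out

def parse_chunked_request(raw):
    """Split a chunked HTTP/1.1 request into (headers, body, trailers)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = _fields(head.split(b"\r\n")[1:])      # skip the request line
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)    # ignore chunk extensions
        if size == 0:
            break
        body += rest[:size]
        rest = rest[size + 2:]                      # chunk data plus its CRLF
    # Whatever follows the zero-size chunk, up to a blank line, is the trailer.
    trailers = _fields(rest.split(b"\r\n\r\n")[0].split(b"\r\n"))
    return headers, body, trailers

def backend_view(raw, unset, merge_trailers):
    """Headers the application sees after 'RequestHeader unset' is applied."""
    headers, _, trailers = parse_chunked_request(raw)
    for name in unset:                  # filter runs on the header block only
        headers.pop(name.lower(), None)
    if merge_trailers:                  # legacy behaviour: trailers merged late
        headers.update(trailers)
    return headers

def shadowed_trailers(raw, unset):
    """Detection: trailer names that collide with headers the config unsets."""
    _, _, trailers = parse_chunked_request(raw)
    return sorted(set(trailers) & {n.lower() for n in unset})

# Constructed sample; X-Example-Auth is a hypothetical header name.
SAMPLE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Transfer-Encoding: chunked\r\nX-Example-Auth: from-header\r\n\r\n"
          b"4\r\ndata\r\n0\r\nX-Example-Auth: from-trailer\r\n\r\n")
UNSET = ["X-Example-Auth"]

if __name__ == "__main__":
    print("legacy merge       :", backend_view(SAMPLE, UNSET, True))
    print("trailers kept apart:", backend_view(SAMPLE, UNSET, False))
    print("flagged            :", shadowed_trailers(SAMPLE, UNSET))
```

With merging enabled the unset header reappears from the trailer; with trailers kept apart it stays removed, which is why re-enabling the legacy behavior through "MergeTrailers" deserves a review of every "RequestHeader unset" rule that a backend relies on.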

    The following bugs have been fixed:

    * Treat the "server unavailable" condition as a transient error with
    all LDAP SDKs. (bsc#904427)
    * Fixed a segmentation fault at startup if the certs are shared across
    more than one server_rec. (bsc#907339)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11 SP3:
      zypper in -t patch sdksp3-apache2=10533
    • SUSE Linux Enterprise Server 11 SP3 for VMware:
      zypper in -t patch slessp3-apache2=10533
    • SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-apache2=10533

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      • apache2-devel-2.2.12-1.51.52.1
    • SUSE Linux Enterprise Software Development Kit 11 SP3 (i586 x86_64):
      • apache2-2.2.12-1.51.52.1
      • apache2-doc-2.2.12-1.51.52.1
      • apache2-example-pages-2.2.12-1.51.52.1
      • apache2-prefork-2.2.12-1.51.52.1
      • apache2-utils-2.2.12-1.51.52.1
      • apache2-worker-2.2.12-1.51.52.1
    • SUSE Linux Enterprise Server 11 SP3 for VMware (i586 x86_64):
      • apache2-2.2.12-1.51.52.1
      • apache2-doc-2.2.12-1.51.52.1
      • apache2-example-pages-2.2.12-1.51.52.1
      • apache2-prefork-2.2.12-1.51.52.1
      • apache2-utils-2.2.12-1.51.52.1
      • apache2-worker-2.2.12-1.51.52.1
    • SUSE Linux Enterprise Server 11 SP3 (i586 ia64 ppc64 s390x x86_64):
      • apache2-2.2.12-1.51.52.1
      • apache2-doc-2.2.12-1.51.52.1
      • apache2-example-pages-2.2.12-1.51.52.1
      • apache2-prefork-2.2.12-1.51.52.1
      • apache2-utils-2.2.12-1.51.52.1
      • apache2-worker-2.2.12-1.51.52.1

    References:

    • https://bugzilla.suse.com/713970
    • https://bugzilla.suse.com/871310
    • https://bugzilla.suse.com/899836
    • https://bugzilla.suse.com/904427
    • https://bugzilla.suse.com/907339
    • https://bugzilla.suse.com/907477
    • https://download.suse.com/patch/finder/?keywords=aed66cdca5146f7cf6159ba1f3cd8dba