Mailinglist Archive: opensuse-security-announce (34 mails)

< Previous Next >
[security-announce] openSUSE-SU-2011:1217-1: important: apache2: Fixed several security issues
openSUSE Security Update: apache2: Fixed several security issues
______________________________________________________________________________

Announcement ID: openSUSE-SU-2011:1217-1
Rating: important
References: #713966 #719236 #722545
Cross-References: CVE-2011-3192
Affected Products:
openSUSE 11.4
openSUSE 11.3
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update fixes several security issues in the Apache
webserver.

The patch for the ByteRange remote denial of service attack
(CVE-2011-3192) was refined and the configuration options
used by upstream were added. Introduce new config option:
Allow MaxRanges Number of ranges requested, if exceeded,
the complete content is served. default: 200 0|unlimited:
unlimited none: Range headers are ignored. This option is a
backport from 2.2.21.

Also fixed: CVE-2011-3348: Denial of service in proxy_ajp
when using a undefined method.

CVE-2011-3368: Exposure of internal servers via reverse
proxy methods with mod_proxy enabled and incorrect Rewrite
or Proxy Rules.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 11.4:

zypper in -t patch apache2-5347

- openSUSE 11.3:

zypper in -t patch apache2-5347

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 11.4 (i586 x86_64):

apache2-2.2.17-4.9.1
apache2-devel-2.2.17-4.9.1
apache2-example-certificates-2.2.17-4.9.1
apache2-example-pages-2.2.17-4.9.1
apache2-itk-2.2.17-4.9.1
apache2-prefork-2.2.17-4.9.1
apache2-utils-2.2.17-4.9.1
apache2-worker-2.2.17-4.9.1

- openSUSE 11.4 (noarch):

apache2-doc-2.2.17-4.9.1

- openSUSE 11.3 (i586 x86_64):

apache2-2.2.15-4.7.1
apache2-devel-2.2.15-4.7.1
apache2-example-certificates-2.2.15-4.7.1
apache2-example-pages-2.2.15-4.7.1
apache2-itk-2.2.15-4.7.1
apache2-prefork-2.2.15-4.7.1
apache2-utils-2.2.15-4.7.1
apache2-worker-2.2.15-4.7.1

- openSUSE 11.3 (noarch):

apache2-doc-2.2.15-4.7.1


References:

http://support.novell.com/security/cve/CVE-2011-3192.html
https://bugzilla.novell.com/713966
https://bugzilla.novell.com/719236
https://bugzilla.novell.com/722545

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security-announce+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages