openSUSE Security Update: update for apache2 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0248-1 Rating: moderate References: Affected Products: openSUSE 11.4 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: - ignore case when checking against SNI server names. [bnc#798733] httpd-2.2.x-bnc798733-SNI_ignorecase.diff - better cleanup of busy count after recovering from failure [bnc#789828] httpd-2.2.x-bnc789828-mod_balancer.diff - httpd-2.2.x-bnc788121-CVE-2012-4557-mod_proxy_ajp_timeout.di ff: backend timeouts should not affect the entire worker. [bnc#788121] - httpd-2.2.x-envvars.diff obsoletes httpd-2.0.54-envvars.dif: Fix for low profile bug CVE-2012-0883 about improper LD_LIBRARY_PATH handling. [bnc#757710] - httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename _xss.diff Escape filename for the case that uploads are allowed with untrusted user's control over filenames and mod_negotiation enabled on the same directory. CVE-2012-2687 [bnc#777260] - httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to reflect the upstream changes. This will prevent the "Invalid URI in request OPTIONS *" messages in the error log. [bnc#722545] - /etc/init.d/apache2: new argument "check-reload". Exits 1 if httpd2 runs on deleted binaries such as after package update, else 0. This is used by equally modified /etc/logrotate.d/apache2, which uses "/etc/init.d/apache2 check-reload" in its prerotate script. These changes prevent httpd2 from being (gracefully) reloaded by logrotate, executed by cron, if new binaries have been installed. Instead, a warning is printed on stdout and is being logged to the syslogs. If this happens, apache's logs are NOT rotated, and the running processes are left untouched. This limits the maximum damage of log rotation to unrotated logs. "/etc/init.d/apache2 restart" (or "rcapache2 restart") must be executed manually in such a case. [bnc#728876] Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.4: zypper in -t patch 2013-17 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.4 (i586 x86_64): apache2-2.2.17-4.64.1 apache2-debuginfo-2.2.17-4.64.1 apache2-debugsource-2.2.17-4.64.1 apache2-devel-2.2.17-4.64.1 apache2-event-2.2.17-4.64.1 apache2-event-debuginfo-2.2.17-4.64.1 apache2-example-certificates-2.2.17-4.64.1 apache2-example-pages-2.2.17-4.64.1 apache2-itk-2.2.17-4.64.1 apache2-itk-debuginfo-2.2.17-4.64.1 apache2-prefork-2.2.17-4.64.1 apache2-prefork-debuginfo-2.2.17-4.64.1 apache2-utils-2.2.17-4.64.1 apache2-utils-debuginfo-2.2.17-4.64.1 apache2-worker-2.2.17-4.64.1 apache2-worker-debuginfo-2.2.17-4.64.1 - openSUSE 11.4 (noarch): apache2-doc-2.2.17-4.64.1 References: