Mailinglist Archive: opensuse-updates (58 mails)

openSUSE-SU-2013:1336-1: moderate: update for apache2-mod_security2
openSUSE Security Update: update for apache2-mod_security2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2013:1336-1
Rating: moderate
References: #768293 #789393 #813190 #822664
Cross-References: CVE-2009-5031 CVE-2012-2751 CVE-2012-4528
CVE-2013-1915 CVE-2013-2765
Affected Products:
openSUSE 12.2
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

- complete overhaul of this package, with update to 2.7.5.
- ruleset update to 2.2.8-0-g0f07cbb.
- new configuration framework private to mod_security2:
/etc/apache2/conf.d/mod_security2.conf loads
/usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
then /etc/apache2/mod_security2.d/*.conf, following the
advice given in /etc/apache2/conf.d/mod_security2.conf. Your
configuration starting point is
/etc/apache2/conf.d/mod_security2.conf.
- !!! Please note that mod_unique_id is needed for
mod_security2 to run!
- modsecurity-apache_2.7.5-build_fix_pcre.diff corrects an
erroneous linker parameter, so that no rpath is embedded in
the shared object.
- fixes contained for the following bugs:
* CVE-2009-5031, CVE-2012-2751 [bnc#768293] request
parameter handling
* [bnc#768293] multipart bypass, minor threat
* CVE-2013-1915 [bnc#813190] XML external entity
vulnerability
* CVE-2012-4528 [bnc#789393] rule bypass
* CVE-2013-2765 [bnc#822664] null pointer dereference
crash
- changes from 2.5.9 to 2.7.5, major ones only:
* GPLv2 replaced by Apache License v2
* rules are not part of the source tarball any longer,
but are maintained upstream externally, and are included in
this package.
* documentation was externalized to a wiki. Package
contains the FAQ and the reference manual in html form.
* renamed the term "Encryption" in directives that
actually refer to hashes. See CHANGES file for more
details.
* new directive SecXmlExternalEntity, default off
* byte conversion issues on s390x when logging fixed.
* many small issues fixed that were discovered by the
Coverity scanner
* updated reference manual
* wrong time calculation when logging for some timezones
fixed.
* replaced time-measuring mechanism with finer
granularity for measured request/answer phases.
(Stopwatch remains for compat.)
* cookie parser memory leak fix
* parsing of quoted strings in multipart
Content-Disposition headers fixed.
* SDBM deadlock fix
* @rsub memory leak fix
* cookie separator code improvements
* build failure fixes
* compile time option --enable-htaccess-config (set)
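
The two operational points above, that mod_unique_id must be loaded for mod_security2 to run and that SecXmlExternalEntity is Off by default in 2.7.5, can be checked after the update. The script below is an added example, not code from the openSUSE package or from the ModSecurity project. It assumes the module listing is the output of "apache2ctl -M" (module names unique_id_module and security2_module), and the sample files written by make_sample are constructed for this example rather than taken from a real host.

```shell
#!/bin/sh
# Added example (not part of the openSUSE advisory or the package):
# post-update sanity check for mod_security2 2.7.5 on openSUSE.
#   1. mod_unique_id must be loaded, or mod_security2 will not run.
#   2. SecXmlExternalEntity defaults to Off; an explicit "On" re-opens
#      XML external entity expansion (the CVE-2013-1915 issue class).
# Assumption: MODULE_LIST is saved output of "apache2ctl -M".

# check_modsec_config MODULE_LIST CONF
#   MODULE_LIST: saved output of "apache2ctl -M"
#   CONF:        e.g. /etc/apache2/conf.d/mod_security2.conf
# Prints one FAIL line per problem; returns 0 if clean, 1 otherwise.
check_modsec_config() {
    modlist="$1"
    conf="$2"
    rc=0

    # Advisory requirement: mod_unique_id must be loaded.
    if ! grep -Eq '^[[:space:]]*unique_id_module[[:space:]]' "$modlist"; then
        echo "FAIL: unique_id_module not loaded (mod_security2 needs mod_unique_id)"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*security2_module[[:space:]]' "$modlist"; then
        echo "FAIL: security2_module not loaded"
        rc=1
    fi

    # Apache directive names and On/Off values are case-insensitive,
    # hence grep -i. Only an explicit "On" is flagged: an absent
    # directive means the 2.7.5 default, Off.
    if grep -Eiq '^[[:space:]]*SecXmlExternalEntity[[:space:]]+On' "$conf"; then
        echo "FAIL: SecXmlExternalEntity On re-enables XML external entity expansion"
        rc=1
    fi
    return $rc
}

# make_sample MODULE_LIST CONF good|bad
# Writes constructed sample files (not captured from a real host) so the
# check can be exercised offline. The "bad" variant lacks mod_unique_id
# and turns SecXmlExternalEntity on.
make_sample() {
    modlist="$1"
    conf="$2"
    if [ "$3" = good ]; then
        printf 'Loaded Modules:\n core_module (static)\n unique_id_module (shared)\n security2_module (shared)\n' > "$modlist"
        printf 'SecRuleEngine On\nSecXmlExternalEntity Off\nInclude /etc/apache2/mod_security2.d/*.conf\n' > "$conf"
    else
        printf 'Loaded Modules:\n core_module (static)\n security2_module (shared)\n' > "$modlist"
        printf 'SecRuleEngine On\nSecXmlExternalEntity On\n' > "$conf"
    fi
}

# Stand-alone demo on the constructed samples. On a real host run:
#   apache2ctl -M > /tmp/modules.txt
#   check_modsec_config /tmp/modules.txt /etc/apache2/conf.d/mod_security2.conf
tmpdir=$(mktemp -d)
make_sample "$tmpdir/mods" "$tmpdir/conf" good
check_modsec_config "$tmpdir/mods" "$tmpdir/conf" && echo "good sample: OK"
make_sample "$tmpdir/mods" "$tmpdir/conf" bad
check_modsec_config "$tmpdir/mods" "$tmpdir/conf" || echo "bad sample: rejected as expected"
rm -rf "$tmpdir"
```

The check only inspects the file it is given; if SecXmlExternalEntity is set in one of the included /etc/apache2/mod_security2.d/*.conf files, pass that file as the second argument (or concatenate the included files first).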


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.2:

zypper in -t patch openSUSE-2013-640

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 12.2 (i586 x86_64):

apache2-mod_security2-2.7.5-14.4.1
apache2-mod_security2-debuginfo-2.7.5-14.4.1
apache2-mod_security2-debugsource-2.7.5-14.4.1


References:

http://support.novell.com/security/cve/CVE-2009-5031.html
http://support.novell.com/security/cve/CVE-2012-2751.html
http://support.novell.com/security/cve/CVE-2012-4528.html
http://support.novell.com/security/cve/CVE-2013-1915.html
http://support.novell.com/security/cve/CVE-2013-2765.html
https://bugzilla.novell.com/768293
https://bugzilla.novell.com/789393
https://bugzilla.novell.com/813190
https://bugzilla.novell.com/822664

