openSUSE Security Update: update for apache2-mod_security2
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1331-1
Rating:             moderate
References:         #768293 #789393 #813190 #822664
Cross-References:   CVE-2009-5031 CVE-2012-2751 CVE-2012-4528 CVE-2013-1915
                    CVE-2013-2765
Affected Products:
                    openSUSE 12.3
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

- complete overhaul of this package, with update to 2.7.5.
- ruleset update to 2.2.8-0-g0f07cbb.
- new configuration framework private to mod_security2:
  /etc/apache2/conf.d/mod_security2.conf loads
  /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf,
  then /etc/apache2/mod_security2.d/*.conf, as set up based on the advice in
  /etc/apache2/conf.d/mod_security2.conf.
  Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf
- !!! Please note that mod_unique_id is needed for mod_security2 to run!
- modsecurity-apache_2.7.5-build_fix_pcre.diff changes an erroneous linker
  parameter, preventing an rpath in the shared object.
- fixes contained for the following bugs:
  * CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
  * [bnc#768293] multi-part bypass, minor threat
  * CVE-2013-1915 [bnc#813190] XML external entity vulnerability
  * CVE-2012-4528 [bnc#789393] rule bypass
  * CVE-2013-2765 [bnc#822664] null pointer dereference crash
- new from 2.5.9 to 2.7.5, only major changes:
  * GPLv2 replaced by Apache License v2
  * rules are not part of the source tarball any longer, but are maintained
    upstream externally, and included in this package.
  * documentation was externalized to a wiki. Package contains the FAQ and
    the reference manual in html form.
  * renamed the term "Encryption" in directives that actually refer to
    hashes. See the CHANGES file for more details.
  * new directive SecXmlExternalEntity, default off
  * byte conversion issues on s390x when logging fixed.
  * many small issues fixed that were discovered by a Coverity scanner
  * updated reference manual
  * wrong time calculation when logging for some timezones fixed.
  * replaced time-measuring mechanism with finer granularity for measured
    request/answer phases. (Stopwatch remains for compat.)
  * cookie parser memory leak fix
  * parsing of quoted strings in multipart Content-Disposition headers fixed.
  * SDBM deadlock fix
  * @rsub memory leak fix
  * cookie separator code improvements
  * build failure fixes
  * compile time option --enable-htaccess-config (set)

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.3:
  zypper in -t patch openSUSE-2013-641

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.3 (i586 x86_64):
  apache2-mod_security2-2.7.5-2.4.1
  apache2-mod_security2-debuginfo-2.7.5-2.4.1
  apache2-mod_security2-debugsource-2.7.5-2.4.1

References:

http://support.novell.com/security/cve/CVE-2009-5031.html
http://support.novell.com/security/cve/CVE-2012-2751.html
http://support.novell.com/security/cve/CVE-2012-4528.html
http://support.novell.com/security/cve/CVE-2013-1915.html
http://support.novell.com/security/cve/CVE-2013-2765.html
https://bugzilla.novell.com/768293
https://bugzilla.novell.com/789393
https://bugzilla.novell.com/813190
https://bugzilla.novell.com/822664
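Added example, not part of the advisory: a small POSIX shell check for the three things an administrator would verify after applying this update (the installed package is at or above the fixed version from the Package List, mod_unique_id is loaded as the Description requires, and the new SecXmlExternalEntity directive has not been switched on). It runs here against constructed sample input; the rpm query format and the apache2ctl -M output shape it expects on a real host are assumptions.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: post-update checks for
# apache2-mod_security2 on openSUSE 12.3. Sample inputs below are constructed;
# on a real host use `rpm -q --qf '%{VERSION}-%{RELEASE}' apache2-mod_security2`,
# `apache2ctl -M`, and the contents of /etc/apache2/mod_security2.d/*.conf.

FIXED_VERSION="2.7.5-2.4.1"   # from the advisory's Package List

# 0 if the installed VERSION-RELEASE is at or above the fixed one
# (`sort -V` orders RPM-style version strings; GNU coreutils assumed).
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# 0 if `apache2ctl -M`-style output lists mod_unique_id, which the advisory
# says mod_security2 needs in order to run.
has_unique_id() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*unique_id_module'
}

# 0 if any non-comment line turns SecXmlExternalEntity on. The advisory notes
# the new directive defaults to Off; enabling it re-exposes the XML external
# entity processing addressed by CVE-2013-1915.
xxe_enabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -Eiq '^[[:space:]]*SecXmlExternalEntity[[:space:]]+On'
}

# Constructed sample input (not captured from a real host).
SAMPLE_MODULES=' core_module (static)
 unique_id_module (shared)
 security2_module (shared)'
SAMPLE_CONF='# constructed /etc/apache2/mod_security2.d/10-local.conf
SecRuleEngine On
# SecXmlExternalEntity On'

report() {
    is_fixed "$1"      && echo "package $1: fixed"        || echo "package $1: VULNERABLE"
    has_unique_id "$2" && echo "mod_unique_id: loaded"    || echo "mod_unique_id: MISSING"
    xxe_enabled "$3"   && echo "SecXmlExternalEntity: ON" || echo "SecXmlExternalEntity: off"
}
report "2.7.5-2.4.1" "$SAMPLE_MODULES" "$SAMPLE_CONF"
```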