openSUSE Security Update: Recommended update for apache2
Announcement ID: openSUSE-SU-2018:0291-1
References: #1042037 #1045160 #1048575 #1057406
Cross-References: CVE-2017-7659 CVE-2017-9789
openSUSE Leap 42.3
An update that solves two vulnerabilities and has two fixes
is now available.
This update for apache2 fixes several issues.
These security issues were fixed:
- CVE-2017-9789: When under stress (closing many connections) the HTTP/2
handling code would sometimes access memory after it has been freed,
resulting in potentially erratic behaviour (bsc#1048575).
- CVE-2017-7659: A maliciously constructed HTTP/2 request could cause
mod_http2 to dereference a NULL pointer and crash the server process
These non-security issues were fixed:
- Use the full path to a2enmod and a2dismod in the apache-22-24-upgrade
- Fall back to 'localhost' as hostname in gensslcert (bsc#1057406)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2018-104=1
To bring your system up-to-date, use "zypper patch".
- openSUSE Leap 42.3 (i586 x86_64):
- openSUSE Leap 42.3 (noarch):