openSUSE Security Update: update for apache2 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:1044-1 Rating: moderate References: #869105 #869106 #887765 #887767 #887768 #887771 Cross-References: CVE-2013-4352 CVE-2013-6438 CVE-2014-0098 CVE-2014-0117 CVE-2014-0226 CVE-2014-0231 Affected Products: openSUSE 13.1 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This apache2 update fixes the following security issues: - fix for crash in mod_proxy processing specially crafted requests with reverse proxy configurations that results in a crash and a DoS condition for the server. CVE-2014-0117 - new config option CGIDScriptTimeout set to 60s in new file conf.d/cgid-timeout.conf, preventing worker processes hanging forever if a cgi launched from them has stopped reading input from the server (DoS). CVE-2014-0231 - Fix for a NULL pointer dereference in mod_cache that causes a crash in caching forwarding configurations, resulting in a DoS condition. CVE-2013-4352 - fix for crash in parsing cookie content, resulting in a DoS against the server CVE-2014-0098 - fix for mod_status race condition in scoreboard handling and consecutive heap overflow and information disclosure if access to mod_status is granted to a potential attacker. CVE-2014-0226 - fix for improper handling of whitespace characters from CDATA sections to mod_dav, leading to a crash and a DoS condition of the apache server process CVE-2013-6438 Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-503 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): apache2-2.4.6-6.27.1 apache2-debuginfo-2.4.6-6.27.1 apache2-debugsource-2.4.6-6.27.1 apache2-devel-2.4.6-6.27.1 apache2-event-2.4.6-6.27.1 apache2-event-debuginfo-2.4.6-6.27.1 apache2-example-pages-2.4.6-6.27.1 apache2-prefork-2.4.6-6.27.1 apache2-prefork-debuginfo-2.4.6-6.27.1 apache2-utils-2.4.6-6.27.1 apache2-utils-debuginfo-2.4.6-6.27.1 apache2-worker-2.4.6-6.27.1 apache2-worker-debuginfo-2.4.6-6.27.1 - openSUSE 13.1 (noarch): apache2-doc-2.4.6-6.27.1 References: http://support.novell.com/security/cve/CVE-2013-4352.html http://support.novell.com/security/cve/CVE-2013-6438.html http://support.novell.com/security/cve/CVE-2014-0098.html http://support.novell.com/security/cve/CVE-2014-0117.html http://support.novell.com/security/cve/CVE-2014-0226.html http://support.novell.com/security/cve/CVE-2014-0231.html https://bugzilla.novell.com/869105 https://bugzilla.novell.com/869106 https://bugzilla.novell.com/887765 https://bugzilla.novell.com/887767 https://bugzilla.novell.com/887768 https://bugzilla.novell.com/887771