Mailinglist Archive: opensuse-updates (48 mails)

< Previous Next >
openSUSE-SU-2014:1044-1: moderate: update for apache2
openSUSE Security Update: update for apache2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:1044-1
Rating: moderate
References: #869105 #869106 #887765 #887767 #887768 #887771

Cross-References: CVE-2013-4352 CVE-2013-6438 CVE-2014-0098
CVE-2014-0117 CVE-2014-0226 CVE-2014-0231

Affected Products:
openSUSE 13.1
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This apache2 update fixes the following security issues:

- fix for crash in mod_proxy processing specially crafted requests with
reverse proxy configurations that results in a crash and a DoS condition
for the server. CVE-2014-0117
- new config option CGIDScriptTimeout set to 60s in new file
conf.d/cgid-timeout.conf, preventing worker processes hanging forever if
a cgi launched from them has stopped reading input from the server
(DoS). CVE-2014-0231
- Fix for a NULL pointer dereference in mod_cache that causes a crash in
caching forwarding configurations, resulting in a DoS condition.
CVE-2013-4352
- fix for crash in parsing cookie content, resulting in a DoS against the
server CVE-2014-0098
- fix for mod_status race condition in scoreboard handling and consecutive
heap overflow and information disclosure if access to mod_status is
granted to a potential attacker. CVE-2014-0226
- fix for improper handling of whitespace characters from CDATA sections
to mod_dav, leading to a crash and a DoS condition of the apache server
process CVE-2013-6438


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-503

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.1 (i586 x86_64):

apache2-2.4.6-6.27.1
apache2-debuginfo-2.4.6-6.27.1
apache2-debugsource-2.4.6-6.27.1
apache2-devel-2.4.6-6.27.1
apache2-event-2.4.6-6.27.1
apache2-event-debuginfo-2.4.6-6.27.1
apache2-example-pages-2.4.6-6.27.1
apache2-prefork-2.4.6-6.27.1
apache2-prefork-debuginfo-2.4.6-6.27.1
apache2-utils-2.4.6-6.27.1
apache2-utils-debuginfo-2.4.6-6.27.1
apache2-worker-2.4.6-6.27.1
apache2-worker-debuginfo-2.4.6-6.27.1

- openSUSE 13.1 (noarch):

apache2-doc-2.4.6-6.27.1


References:

http://support.novell.com/security/cve/CVE-2013-4352.html
http://support.novell.com/security/cve/CVE-2013-6438.html
http://support.novell.com/security/cve/CVE-2014-0098.html
http://support.novell.com/security/cve/CVE-2014-0117.html
http://support.novell.com/security/cve/CVE-2014-0226.html
http://support.novell.com/security/cve/CVE-2014-0231.html
https://bugzilla.novell.com/869105
https://bugzilla.novell.com/869106
https://bugzilla.novell.com/887765
https://bugzilla.novell.com/887767
https://bugzilla.novell.com/887768
https://bugzilla.novell.com/887771


< Previous Next >
This Thread
  • No further messages