Mailinglist Archive: opensuse-updates (61 mails)

< Previous Next >
openSUSE-SU-2015:1684-1: moderate: Security update for apache2
openSUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID: openSUSE-SU-2015:1684-1
Rating: moderate
References: #931723 #938723 #938728
Cross-References: CVE-2015-3183 CVE-2015-3185 CVE-2015-4000

Affected Products:
openSUSE 13.2
openSUSE 13.1
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:


Apache2 was updated to fix security issues.

- CVE-2015-3185: The ap_some_auth_required function in server/request.c in
the Apache HTTP Server 2.4.x did not consider that a Require directive
may be associated with an authorization setting rather than an
authentication setting, which allows remote attackers to bypass intended
access restrictions in opportunistic circumstances by leveraging the
presence
of a module that relies on the 2.2 API behavior. [bnc#938723]

- CVE-2015-3183: The chunked transfer coding implementation in the Apache
HTTP Server did not properly parse chunk headers, which allows remote
attackers to conduct HTTP request smuggling attacks via a crafted
request, related to mishandling of large chunk-size values and invalid
chunk-extension characters in modules/http/http_filters.c. [bnc#938728]

On openSUSE 13.1:
- CVE-2015-4000: Fix Logjam vulnerability: change the default
SSLCipherSuite cipherstring to disable export cipher suites and deploy
Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE) ciphers. Adjust
'gensslcert' script to generate a strong and unique Diffie Hellman Group
and append it to the server certificate file [bnc#931723].


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

zypper in -t patch openSUSE-2015-635=1

- openSUSE 13.1:

zypper in -t patch openSUSE-2015-635=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.2 (i586 x86_64):

apache2-2.4.10-28.1
apache2-debuginfo-2.4.10-28.1
apache2-debugsource-2.4.10-28.1
apache2-devel-2.4.10-28.1
apache2-event-2.4.10-28.1
apache2-event-debuginfo-2.4.10-28.1
apache2-example-pages-2.4.10-28.1
apache2-prefork-2.4.10-28.1
apache2-prefork-debuginfo-2.4.10-28.1
apache2-utils-2.4.10-28.1
apache2-utils-debuginfo-2.4.10-28.1
apache2-worker-2.4.10-28.1
apache2-worker-debuginfo-2.4.10-28.1

- openSUSE 13.2 (noarch):

apache2-doc-2.4.10-28.1

- openSUSE 13.1 (i586 x86_64):

apache2-2.4.6-6.50.1
apache2-debuginfo-2.4.6-6.50.1
apache2-debugsource-2.4.6-6.50.1
apache2-devel-2.4.6-6.50.1
apache2-event-2.4.6-6.50.1
apache2-event-debuginfo-2.4.6-6.50.1
apache2-example-pages-2.4.6-6.50.1
apache2-prefork-2.4.6-6.50.1
apache2-prefork-debuginfo-2.4.6-6.50.1
apache2-utils-2.4.6-6.50.1
apache2-utils-debuginfo-2.4.6-6.50.1
apache2-worker-2.4.6-6.50.1
apache2-worker-debuginfo-2.4.6-6.50.1

- openSUSE 13.1 (noarch):

apache2-doc-2.4.6-6.50.1


References:

https://www.suse.com/security/cve/CVE-2015-3183.html
https://www.suse.com/security/cve/CVE-2015-3185.html
https://www.suse.com/security/cve/CVE-2015-4000.html
https://bugzilla.suse.com/931723
https://bugzilla.suse.com/938723
https://bugzilla.suse.com/938728


< Previous Next >
This Thread
  • No further messages