Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2017:0797-1

Опубликовано: 22 мар. 2017
Источник: suse-cvrf

Описание

Security update for apache2

This update for apache2 fixes the following security issues:

Security issues fixed:

  • CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712).
  • CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714).
  • CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715).

Bugfixes:

  • Add missing copy of hcuri and hcexpr from the worker to the health check worker (bsc#1019380).

Список пакетов

SUSE Linux Enterprise Server 12 SP2
apache2-2.4.23-21.1
apache2-doc-2.4.23-21.1
apache2-example-pages-2.4.23-21.1
apache2-prefork-2.4.23-21.1
apache2-utils-2.4.23-21.1
apache2-worker-2.4.23-21.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
apache2-2.4.23-21.1
apache2-doc-2.4.23-21.1
apache2-example-pages-2.4.23-21.1
apache2-prefork-2.4.23-21.1
apache2-utils-2.4.23-21.1
apache2-worker-2.4.23-21.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
apache2-2.4.23-21.1
apache2-doc-2.4.23-21.1
apache2-example-pages-2.4.23-21.1
apache2-prefork-2.4.23-21.1
apache2-utils-2.4.23-21.1
apache2-worker-2.4.23-21.1
SUSE Linux Enterprise Software Development Kit 12 SP2
apache2-devel-2.4.23-21.1

Ссылки

Описание

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP2:apache2-2.4.23-21.1
SUSE Linux Enterprise Server 12 SP2:apache2-doc-2.4.23-21.1
SUSE Linux Enterprise Server 12 SP2:apache2-example-pages-2.4.23-21.1
SUSE Linux Enterprise Server 12 SP2:apache2-prefork-2.4.23-21.1
Ссылки

Описание

In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP2:apache2-2.4.23-21.1
SUSE Linux Enterprise Server 12 SP2:apache2-doc-2.4.23-21.1
SUSE Linux Enterprise Server 12 SP2:apache2-example-pages-2.4.23-21.1
SUSE Linux Enterprise Server 12 SP2:apache2-prefork-2.4.23-21.1
Ссылки

Описание

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP2:apache2-2.4.23-21.1
SUSE Linux Enterprise Server 12 SP2:apache2-doc-2.4.23-21.1
SUSE Linux Enterprise Server 12 SP2:apache2-example-pages-2.4.23-21.1
SUSE Linux Enterprise Server 12 SP2:apache2-prefork-2.4.23-21.1
Ссылки