Описание
Recommended update for apache2
This update for apache2 provides the following fixes:
Security issues fixed:
- CVE-2017-9788: The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. (bsc#1048576)
- CVE-2017-7679: mod_mime could have read one byte past the end of a buffer when sending a malicious Content-Type response header leading to information leak or crash. (bsc#1045060)
- CVE-2017-3169: mod_ssl may have dereferenced a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port leading to crash. (bsc#1045062)
- CVE-2017-3167: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may have lead to authentication requirements being bypassed. (bsc#1045065)
Non-security issues fixed:
- Re-order cipher suites to keep exclusion list at the end. (bsc#1043484, bsc#1043607)
- Remove /usr/bin/http2 link only during apache2 package uninstall, not upgrade. (bsc#1041830)
- In gensslcert, use hostname when fqdn is too long. (bsc#1035829)
Список пакетов
SUSE Linux Enterprise Server 12 SP1-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE OpenStack Cloud 6
Ссылки
- Link for SUSE-SU-2017:2449-1
- E-Mail link for SUSE-SU-2017:2449-1
- SUSE Security Ratings
- SUSE Bug 1035829
- SUSE Bug 1041830
- SUSE Bug 1043484
- SUSE Bug 1043607
- SUSE Bug 1045060
- SUSE Bug 1045062
- SUSE Bug 1045065
- SUSE Bug 1048576
- SUSE CVE CVE-2017-3167 page
- SUSE CVE CVE-2017-3169 page
- SUSE CVE CVE-2017-7679 page
- SUSE CVE CVE-2017-9788 page
Описание
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
Затронутые продукты
Ссылки
- CVE-2017-3167
- SUSE Bug 1045065
- SUSE Bug 1078450
Описание
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
Затронутые продукты
Ссылки
- CVE-2017-3169
- SUSE Bug 1045062
- SUSE Bug 1078450
Описание
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.
Затронутые продукты
Ссылки
- CVE-2017-7679
- SUSE Bug 1045060
- SUSE Bug 1057861
- SUSE Bug 1078450
Описание
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.
Затронутые продукты
Ссылки
- CVE-2017-9788
- SUSE Bug 1048576