Описание
Security update for apache2
This update for apache2 fixes the following security issue:
- CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058).
Список пакетов
SUSE Linux Enterprise Server 12 SP2
apache2-2.4.23-29.6.1
apache2-doc-2.4.23-29.6.1
apache2-example-pages-2.4.23-29.6.1
apache2-prefork-2.4.23-29.6.1
apache2-utils-2.4.23-29.6.1
apache2-worker-2.4.23-29.6.1
SUSE Linux Enterprise Server 12 SP3
apache2-2.4.23-29.6.1
apache2-doc-2.4.23-29.6.1
apache2-example-pages-2.4.23-29.6.1
apache2-prefork-2.4.23-29.6.1
apache2-utils-2.4.23-29.6.1
apache2-worker-2.4.23-29.6.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
apache2-2.4.23-29.6.1
apache2-doc-2.4.23-29.6.1
apache2-example-pages-2.4.23-29.6.1
apache2-prefork-2.4.23-29.6.1
apache2-utils-2.4.23-29.6.1
apache2-worker-2.4.23-29.6.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
apache2-2.4.23-29.6.1
apache2-doc-2.4.23-29.6.1
apache2-example-pages-2.4.23-29.6.1
apache2-prefork-2.4.23-29.6.1
apache2-utils-2.4.23-29.6.1
apache2-worker-2.4.23-29.6.1
SUSE Linux Enterprise Server for SAP Applications 12 SP3
apache2-2.4.23-29.6.1
apache2-doc-2.4.23-29.6.1
apache2-example-pages-2.4.23-29.6.1
apache2-prefork-2.4.23-29.6.1
apache2-utils-2.4.23-29.6.1
apache2-worker-2.4.23-29.6.1
SUSE Linux Enterprise Software Development Kit 12 SP2
apache2-devel-2.4.23-29.6.1
SUSE Linux Enterprise Software Development Kit 12 SP3
apache2-devel-2.4.23-29.6.1
Ссылки
- Link for SUSE-SU-2017:2542-1
- E-Mail link for SUSE-SU-2017:2542-1
- SUSE Security Ratings
- SUSE Bug 1058058
- SUSE CVE CVE-2017-9798 page
Описание
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP2:apache2-2.4.23-29.6.1
SUSE Linux Enterprise Server 12 SP2:apache2-doc-2.4.23-29.6.1
SUSE Linux Enterprise Server 12 SP2:apache2-example-pages-2.4.23-29.6.1
SUSE Linux Enterprise Server 12 SP2:apache2-prefork-2.4.23-29.6.1
Ссылки
- CVE-2017-9798
- SUSE Bug 1058058
- SUSE Bug 1060757
- SUSE Bug 1077582
- SUSE Bug 1078450
- SUSE Bug 1089997