Описание
Security update for apache2
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2018-17189: Fixed a denial of service in mod_http2, via slow and unneeded request bodies (bsc#1122838)
- CVE-2018-17199: Fixed that mod_session_cookie did not respect expiry time (bsc#1122839)
Non-security issue fixed:
- sysconfig.d is not created anymore if it already exists (bsc#1121086)
Список пакетов
SUSE Linux Enterprise Server 12 SP3
apache2-2.4.23-29.34.4
apache2-doc-2.4.23-29.34.4
apache2-example-pages-2.4.23-29.34.4
apache2-prefork-2.4.23-29.34.4
apache2-utils-2.4.23-29.34.4
apache2-worker-2.4.23-29.34.4
SUSE Linux Enterprise Server 12 SP4
apache2-2.4.23-29.34.4
apache2-doc-2.4.23-29.34.4
apache2-example-pages-2.4.23-29.34.4
apache2-prefork-2.4.23-29.34.4
apache2-utils-2.4.23-29.34.4
apache2-worker-2.4.23-29.34.4
SUSE Linux Enterprise Server for SAP Applications 12 SP3
apache2-2.4.23-29.34.4
apache2-doc-2.4.23-29.34.4
apache2-example-pages-2.4.23-29.34.4
apache2-prefork-2.4.23-29.34.4
apache2-utils-2.4.23-29.34.4
apache2-worker-2.4.23-29.34.4
SUSE Linux Enterprise Server for SAP Applications 12 SP4
apache2-2.4.23-29.34.4
apache2-doc-2.4.23-29.34.4
apache2-example-pages-2.4.23-29.34.4
apache2-prefork-2.4.23-29.34.4
apache2-utils-2.4.23-29.34.4
apache2-worker-2.4.23-29.34.4
SUSE Linux Enterprise Software Development Kit 12 SP3
apache2-devel-2.4.23-29.34.4
SUSE Linux Enterprise Software Development Kit 12 SP4
apache2-devel-2.4.23-29.34.4
Ссылки
- Link for SUSE-SU-2019:0498-1
- E-Mail link for SUSE-SU-2019:0498-1
- SUSE Security Ratings
- SUSE Bug 1121086
- SUSE Bug 1122838
- SUSE Bug 1122839
- SUSE CVE CVE-2018-17189 page
- SUSE CVE CVE-2018-17199 page
Описание
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP3:apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12 SP3:apache2-doc-2.4.23-29.34.4
SUSE Linux Enterprise Server 12 SP3:apache2-example-pages-2.4.23-29.34.4
SUSE Linux Enterprise Server 12 SP3:apache2-prefork-2.4.23-29.34.4
Ссылки
- CVE-2018-17189
- SUSE Bug 1122838
- SUSE Bug 1125965
- SUSE Bug 1126894
Описание
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP3:apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12 SP3:apache2-doc-2.4.23-29.34.4
SUSE Linux Enterprise Server 12 SP3:apache2-example-pages-2.4.23-29.34.4
SUSE Linux Enterprise Server 12 SP3:apache2-prefork-2.4.23-29.34.4
Ссылки
- CVE-2018-17199
- SUSE Bug 1122838
- SUSE Bug 1122839