Описание
Security update for apache2
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2018-17189: Fixed a denial of service in mod_http2, via slow and unneeded request bodies (bsc#1122838)
- CVE-2018-17199: Fixed that mod_session_cookie did not respect expiry time (bsc#1122839)
Non-security issue fixed:
- sysconfig.d is not created anymore if it already exists (bsc#1121086)
Список пакетов
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Proxy
apache2-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server
apache2-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Proxy
apache2-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-EC2-HVM-BYOS-Server
apache2-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-GCE-BYOS-Proxy
apache2-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server
apache2-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-SAPCAL-Azure
apache2-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-SAPCAL-EC2-HVM
apache2-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-SAPCAL-GCE
apache2-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
SUSE Linux Enterprise Module for Server Applications 15
apache2-2.4.33-3.9.7
apache2-devel-2.4.33-3.9.7
apache2-doc-2.4.33-3.9.7
apache2-prefork-2.4.33-3.9.7
apache2-utils-2.4.33-3.9.7
apache2-worker-2.4.33-3.9.7
Ссылки
- Link for SUSE-SU-2019:0504-1
- E-Mail link for SUSE-SU-2019:0504-1
- SUSE Security Ratings
- SUSE Bug 1121086
- SUSE Bug 1122838
- SUSE Bug 1122839
- SUSE CVE CVE-2018-17189 page
- SUSE CVE CVE-2018-17199 page
Описание
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
Затронутые продукты
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Proxy:apache2-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Proxy:apache2-prefork-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Proxy:apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:apache2-2.4.33-3.9.7
Ссылки
- CVE-2018-17189
- SUSE Bug 1122838
- SUSE Bug 1125965
- SUSE Bug 1126894
Описание
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
Затронутые продукты
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Proxy:apache2-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Proxy:apache2-prefork-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Proxy:apache2-utils-2.4.33-3.9.7
Image SLES15-SP1-Manager-4-0-Azure-BYOS-Server:apache2-2.4.33-3.9.7
Ссылки
- CVE-2018-17199
- SUSE Bug 1122838
- SUSE Bug 1122839