Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2019:0888-1

Опубликовано: 05 апр. 2019
Источник: suse-cvrf

Описание

Security update for apache2

This update for apache2 fixes the following issues:

  • CVE-2018-17199: A bug in Apache's 'mod_session_cookie' lead to an issue where the module did not respect a cookie's expiry time. [bsc#1122839]

  • CVE-2019-0220: The Apache HTTP server did not use a consistent strategy for URL normalization throughout all of its components. In particular, consecutive slashes were not always collapsed. Attackers could potentially abuse these inconsistencies to by-pass access control mechanisms and thus gain unauthorized access to protected parts of the service. [bsc#1131241]

  • CVE-2019-0217: A race condition in Apache's 'mod_auth_digest' when running in a threaded server could have allowed users with valid credentials to authenticate using another username, bypassing configured access control restrictions. [bsc#1131239]

Список пакетов

SUSE Linux Enterprise Server 12 SP1-LTSS
apache2-2.4.16-20.24.1
apache2-doc-2.4.16-20.24.1
apache2-example-pages-2.4.16-20.24.1
apache2-prefork-2.4.16-20.24.1
apache2-utils-2.4.16-20.24.1
apache2-worker-2.4.16-20.24.1

Ссылки

Описание

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-2.4.16-20.24.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-doc-2.4.16-20.24.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-example-pages-2.4.16-20.24.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-prefork-2.4.16-20.24.1
Ссылки

Описание

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-2.4.16-20.24.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-doc-2.4.16-20.24.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-example-pages-2.4.16-20.24.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-prefork-2.4.16-20.24.1
Ссылки

Описание

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-2.4.16-20.24.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-doc-2.4.16-20.24.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-example-pages-2.4.16-20.24.1
SUSE Linux Enterprise Server 12 SP1-LTSS:apache2-prefork-2.4.16-20.24.1
Ссылки