Описание
Security update for apache2
This update for apache2 fixes the following issues:
- CVE-2021-44224: Fixed NULL dereference or SSRF in forward proxy configurations (bsc#1193943)
- CVE-2021-44790: Fixed a buffer overflow when parsing multipart content in mod_lua (bsc#1193942)
This update also enables TLS 1.3 support, by building against openssl 1.1 [jsc#SLE-18664]
Список пакетов
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE Linux Enterprise Software Development Kit 12 SP5
Ссылки
- Link for SUSE-SU-2022:0440-1
- E-Mail link for SUSE-SU-2022:0440-1
- SUSE Security Ratings
- SUSE Bug 1193942
- SUSE Bug 1193943
- SUSE CVE CVE-2021-44224 page
- SUSE CVE CVE-2021-44790 page
Описание
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Затронутые продукты
Ссылки
- CVE-2021-44224
- SUSE Bug 1193943
Описание
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Затронутые продукты
Ссылки
- CVE-2021-44790
- SUSE Bug 1193942
- SUSE Bug 1204730