Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2017:0897-1

Опубликовано: 31 мар. 2017
Источник: suse-cvrf

Описание

Security update for apache2

This update for apache2 fixes the following security issues:

Security issues fixed:

  • CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712).
  • CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714).
  • CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715).

Bugfixes:

  • Add missing copy of hcuri and hcexpr from the worker to the health check worker (bsc#1019380).

This update was imported from the SUSE:SLE-12-SP2:Update update project.

Список пакетов

openSUSE Leap 42.2
apache2-2.4.23-8.3.1
apache2-devel-2.4.23-8.3.1
apache2-doc-2.4.23-8.3.1
apache2-event-2.4.23-8.3.1
apache2-example-pages-2.4.23-8.3.1
apache2-prefork-2.4.23-8.3.1
apache2-utils-2.4.23-8.3.1
apache2-worker-2.4.23-8.3.1

Ссылки

Описание

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

Затронутые продукты
openSUSE Leap 42.2:apache2-2.4.23-8.3.1
openSUSE Leap 42.2:apache2-devel-2.4.23-8.3.1
openSUSE Leap 42.2:apache2-doc-2.4.23-8.3.1
openSUSE Leap 42.2:apache2-event-2.4.23-8.3.1
Ссылки

Описание

In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

Затронутые продукты
openSUSE Leap 42.2:apache2-2.4.23-8.3.1
openSUSE Leap 42.2:apache2-devel-2.4.23-8.3.1
openSUSE Leap 42.2:apache2-doc-2.4.23-8.3.1
openSUSE Leap 42.2:apache2-event-2.4.23-8.3.1
Ссылки

Описание

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

Затронутые продукты
openSUSE Leap 42.2:apache2-2.4.23-8.3.1
openSUSE Leap 42.2:apache2-devel-2.4.23-8.3.1
openSUSE Leap 42.2:apache2-doc-2.4.23-8.3.1
openSUSE Leap 42.2:apache2-event-2.4.23-8.3.1
Ссылки
Уязвимость openSUSE-SU-2017:0897-1