Описание
Security update for apache2
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2018-17189: Fixed a denial of service in mod_http2, via slow and unneeded request bodies (bsc#1122838)
- CVE-2018-17199: Fixed that mod_session_cookie did not respect expiry time (bsc#1122839)
Non-security issue fixed:
- sysconfig.d is not created anymore if it already exists (bsc#1121086)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Список пакетов
openSUSE Leap 42.3
apache2-2.4.23-37.1
apache2-devel-2.4.23-37.1
apache2-doc-2.4.23-37.1
apache2-event-2.4.23-37.1
apache2-example-pages-2.4.23-37.1
apache2-prefork-2.4.23-37.1
apache2-utils-2.4.23-37.1
apache2-worker-2.4.23-37.1
Ссылки
- E-Mail link for openSUSE-SU-2019:0305-1
- SUSE Security Ratings
Описание
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
Затронутые продукты
openSUSE Leap 42.3:apache2-2.4.23-37.1
openSUSE Leap 42.3:apache2-devel-2.4.23-37.1
openSUSE Leap 42.3:apache2-doc-2.4.23-37.1
openSUSE Leap 42.3:apache2-event-2.4.23-37.1
Ссылки
- CVE-2018-17189
- SUSE Bug 1122838
- SUSE Bug 1125965
- SUSE Bug 1126894
Описание
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
Затронутые продукты
openSUSE Leap 42.3:apache2-2.4.23-37.1
openSUSE Leap 42.3:apache2-devel-2.4.23-37.1
openSUSE Leap 42.3:apache2-doc-2.4.23-37.1
openSUSE Leap 42.3:apache2-event-2.4.23-37.1
Ссылки
- CVE-2018-17199
- SUSE Bug 1122838
- SUSE Bug 1122839