Описание
Security update for apache2
This update for apache2 fixes the following issues:
-
CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
-
CVE-2020-11984: Fixed an information disclosure bug in mod_proxy_uwsgi (bsc#1175074).
-
CVE-2020-11993: When trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection (bsc#1175070).
-
Solve a crash in mod_proxy_uwsgi for empty values of environment variables. (bsc#1174052)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Список пакетов
openSUSE Leap 15.2
Ссылки
- E-Mail link for openSUSE-SU-2020:1285-1
- SUSE Security Ratings
- SUSE Bug 1174052
- SUSE Bug 1175070
- SUSE Bug 1175071
- SUSE Bug 1175074
- SUSE CVE CVE-2020-11984 page
- SUSE CVE CVE-2020-11993 page
- SUSE CVE CVE-2020-9490 page
Описание
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
Затронутые продукты
Ссылки
- CVE-2020-11984
- SUSE Bug 1175074
Описание
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
Затронутые продукты
Ссылки
- CVE-2020-11993
- SUSE Bug 1175070
- SUSE Bug 1178074
- SUSE Bug 1180830
Описание
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Затронутые продукты
Ссылки
- CVE-2020-9490
- SUSE Bug 1175071
- SUSE Bug 1178074