Описание
Security update for apache2
This update for apache2 fixes the following issues:
Apache2 was updated to the current stable version 2.4.51 (jsc#SLE-22733 jsc#SLE-22849)
It fixes all CVEs and selected bugs represented by patches found between 2.4.23 and 2.4.51.
See https://downloads.apache.org/httpd/CHANGES_2.4 for a complete change log.
Also fixed:
- CVE-2021-44224: Fixed NULL dereference or SSRF in forward proxy configurations (bsc#1193943)
- CVE-2021-44790: Fixed buffer overflow when parsing multipart content in mod_lua (bsc#1193942)
Список пакетов
SUSE Package Hub 15 SP3
openSUSE Leap 15.3
Ссылки
- E-Mail link for openSUSE-SU-2022:0091-1
- SUSE Security Ratings
- SUSE Bug 1193942
- SUSE Bug 1193943
- SUSE CVE CVE-2021-44224 page
- SUSE CVE CVE-2021-44790 page
Описание
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Затронутые продукты
Ссылки
- CVE-2021-44224
- SUSE Bug 1193943
Описание
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Затронутые продукты
Ссылки
- CVE-2021-44790
- SUSE Bug 1193942
- SUSE Bug 1204730