apache2-mod_security2-2.9.0-5.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10034-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z apache2-mod_security2-2.9.0-5.6 on GA media These are all security issues fixed in the apache2-mod_security2-2.9.0-5.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10034 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-5031/ SUSE CVE CVE-2009-5031 page https://www.suse.com/security/cve/CVE-2012-2751/ SUSE CVE CVE-2012-2751 page https://www.suse.com/security/cve/CVE-2012-4528/ SUSE CVE CVE-2012-4528 page https://www.suse.com/security/cve/CVE-2013-1915/ SUSE CVE CVE-2013-1915 page https://www.suse.com/security/cve/CVE-2013-2765/ SUSE CVE CVE-2013-2765 page openSUSE Tumbleweed apache2-mod_security2-2.9.0-5.6 apache2-mod_security2-2.9.0-5.6 as a component of openSUSE Tumbleweed ModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header. CVE-2009-5031 openSUSE Tumbleweed:apache2-mod_security2-2.9.0-5.6 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-5031.html CVE-2009-5031 https://bugzilla.suse.com/768293 SUSE Bug 768293 ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031. CVE-2012-2751 openSUSE Tumbleweed:apache2-mod_security2-2.9.0-5.6 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-2751.html CVE-2012-2751 https://bugzilla.suse.com/768293 SUSE Bug 768293 The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data. CVE-2012-4528 openSUSE Tumbleweed:apache2-mod_security2-2.9.0-5.6 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-4528.html CVE-2012-4528 https://bugzilla.suse.com/789393 SUSE Bug 789393 https://bugzilla.suse.com/813190 SUSE Bug 813190 ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability. CVE-2013-1915 openSUSE Tumbleweed:apache2-mod_security2-2.9.0-5.6 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1915.html CVE-2013-1915 https://bugzilla.suse.com/813190 SUSE Bug 813190 The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header. CVE-2013-2765 openSUSE Tumbleweed:apache2-mod_security2-2.9.0-5.6 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-2765.html CVE-2013-2765 https://bugzilla.suse.com/822664 SUSE Bug 822664