apache2-2.4.49-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10623 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z apache2-2.4.49-1.1 on GA media These are all security issues fixed in the apache2-2.4.49-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10623 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10623 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2005-3352/ SUSE CVE CVE-2005-3352 page https://www.suse.com/security/cve/CVE-2005-3357/ SUSE CVE CVE-2005-3357 page https://www.suse.com/security/cve/CVE-2006-3747/ SUSE CVE CVE-2006-3747 page https://www.suse.com/security/cve/CVE-2006-5752/ SUSE CVE CVE-2006-5752 page https://www.suse.com/security/cve/CVE-2007-1862/ SUSE CVE CVE-2007-1862 page https://www.suse.com/security/cve/CVE-2007-1863/ SUSE CVE CVE-2007-1863 page https://www.suse.com/security/cve/CVE-2007-3304/ SUSE CVE CVE-2007-3304 page https://www.suse.com/security/cve/CVE-2007-3847/ SUSE CVE CVE-2007-3847 page https://www.suse.com/security/cve/CVE-2007-4465/ SUSE CVE CVE-2007-4465 page https://www.suse.com/security/cve/CVE-2007-5000/ SUSE CVE CVE-2007-5000 page https://www.suse.com/security/cve/CVE-2007-6388/ SUSE CVE CVE-2007-6388 page https://www.suse.com/security/cve/CVE-2007-6420/ SUSE CVE CVE-2007-6420 page https://www.suse.com/security/cve/CVE-2007-6421/ SUSE CVE CVE-2007-6421 page https://www.suse.com/security/cve/CVE-2007-6422/ SUSE CVE CVE-2007-6422 page https://www.suse.com/security/cve/CVE-2008-0005/ SUSE CVE CVE-2008-0005 page https://www.suse.com/security/cve/CVE-2008-1678/ SUSE CVE CVE-2008-1678 page https://www.suse.com/security/cve/CVE-2008-2364/ SUSE CVE CVE-2008-2364 page https://www.suse.com/security/cve/CVE-2008-2939/ SUSE CVE CVE-2008-2939 page https://www.suse.com/security/cve/CVE-2016-5387/ SUSE CVE CVE-2016-5387 page https://www.suse.com/security/cve/CVE-2016-8740/ SUSE CVE CVE-2016-8740 page https://www.suse.com/security/cve/CVE-2017-9798/ SUSE CVE CVE-2017-9798 page https://www.suse.com/security/cve/CVE-2019-10081/ SUSE CVE CVE-2019-10081 page https://www.suse.com/security/cve/CVE-2019-10082/ SUSE CVE CVE-2019-10082 page https://www.suse.com/security/cve/CVE-2019-10092/ SUSE CVE CVE-2019-10092 page https://www.suse.com/security/cve/CVE-2019-10097/ SUSE CVE CVE-2019-10097 page https://www.suse.com/security/cve/CVE-2019-10098/ SUSE CVE CVE-2019-10098 page https://www.suse.com/security/cve/CVE-2019-9517/ SUSE CVE CVE-2019-9517 page openSUSE Tumbleweed apache2-2.4.49-1.1 apache2-2.4.49-1.1 as a component of openSUSE Tumbleweed Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps. CVE-2005-3352 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2005-3352.html CVE-2005-3352 https://bugzilla.suse.com/138083 SUSE Bug 138083 https://bugzilla.suse.com/142507 SUSE Bug 142507 mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference. CVE-2005-3357 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2005-3357.html CVE-2005-3357 https://bugzilla.suse.com/138083 SUSE Bug 138083 https://bugzilla.suse.com/142338 SUSE Bug 142338 https://bugzilla.suse.com/186167 SUSE Bug 186167 Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules. CVE-2006-3747 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-3747.html CVE-2006-3747 https://bugzilla.suse.com/194675 SUSE Bug 194675 Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified. CVE-2006-5752 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-5752.html CVE-2006-5752 https://bugzilla.suse.com/289996 SUSE Bug 289996 https://bugzilla.suse.com/308637 SUSE Bug 308637 The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information. CVE-2007-1862 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-1862.html CVE-2007-1862 https://bugzilla.suse.com/280414 SUSE Bug 280414 https://bugzilla.suse.com/308637 SUSE Bug 308637 cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value. CVE-2007-1863 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-1863.html CVE-2007-1863 https://bugzilla.suse.com/289997 SUSE Bug 289997 https://bugzilla.suse.com/308637 SUSE Bug 308637 Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, allows local users to cause a denial of service by modifying the worker_score and process_score arrays to reference an arbitrary process ID, which is sent a SIGUSR1 signal from the master process, aka "SIGUSR1 killer." CVE-2007-3304 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3304.html CVE-2007-3304 https://bugzilla.suse.com/286685 SUSE Bug 286685 https://bugzilla.suse.com/308637 SUSE Bug 308637 https://bugzilla.suse.com/422464 SUSE Bug 422464 The date handling code in modules/proxy/proxy_util.c (mod_proxy) in Apache 2.3.0, when using a threaded MPM, allows remote origin servers to cause a denial of service (caching forward proxy process crash) via crafted date headers that trigger a buffer over-read. CVE-2007-3847 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-3847.html CVE-2007-3847 https://bugzilla.suse.com/308637 SUSE Bug 308637 Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection. CVE-2007-4465 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-4465.html CVE-2007-4465 https://bugzilla.suse.com/308637 SUSE Bug 308637 https://bugzilla.suse.com/310161 SUSE Bug 310161 https://bugzilla.suse.com/325655 SUSE Bug 325655 Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2007-5000 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-5000.html CVE-2007-5000 https://bugzilla.suse.com/353859 SUSE Bug 353859 https://bugzilla.suse.com/355888 SUSE Bug 355888 Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. CVE-2007-6388 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-6388.html CVE-2007-6388 https://bugzilla.suse.com/352235 SUSE Bug 352235 https://bugzilla.suse.com/355888 SUSE Bug 355888 Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors. CVE-2007-6420 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-6420.html CVE-2007-6420 https://bugzilla.suse.com/353261 SUSE Bug 353261 https://bugzilla.suse.com/373903 SUSE Bug 373903 https://bugzilla.suse.com/422464 SUSE Bug 422464 Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL. CVE-2007-6421 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-6421.html CVE-2007-6421 https://bugzilla.suse.com/353261 SUSE Bug 353261 https://bugzilla.suse.com/355888 SUSE Bug 355888 The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable. CVE-2007-6422 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-6422.html CVE-2007-6422 https://bugzilla.suse.com/353261 SUSE Bug 353261 https://bugzilla.suse.com/355888 SUSE Bug 355888 mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding. CVE-2008-0005 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-0005.html CVE-2008-0005 https://bugzilla.suse.com/353262 SUSE Bug 353262 https://bugzilla.suse.com/355888 SUSE Bug 355888 Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm. CVE-2008-1678 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-1678.html CVE-2008-1678 https://bugzilla.suse.com/392096 SUSE Bug 392096 https://bugzilla.suse.com/422464 SUSE Bug 422464 https://bugzilla.suse.com/566238 SUSE Bug 566238 The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. CVE-2008-2364 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-2364.html CVE-2008-2364 https://bugzilla.suse.com/408832 SUSE Bug 408832 https://bugzilla.suse.com/422464 SUSE Bug 422464 https://bugzilla.suse.com/443824 SUSE Bug 443824 Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI. CVE-2008-2939 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-2939.html CVE-2008-2939 https://bugzilla.suse.com/210904 SUSE Bug 210904 https://bugzilla.suse.com/415061 SUSE Bug 415061 https://bugzilla.suse.com/422464 SUSE Bug 422464 The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. CVE-2016-5387 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5387.html CVE-2016-5387 https://bugzilla.suse.com/988484 SUSE Bug 988484 https://bugzilla.suse.com/988486 SUSE Bug 988486 https://bugzilla.suse.com/988487 SUSE Bug 988487 https://bugzilla.suse.com/988488 SUSE Bug 988488 https://bugzilla.suse.com/988489 SUSE Bug 988489 https://bugzilla.suse.com/988491 SUSE Bug 988491 https://bugzilla.suse.com/988492 SUSE Bug 988492 https://bugzilla.suse.com/989125 SUSE Bug 989125 https://bugzilla.suse.com/989174 SUSE Bug 989174 https://bugzilla.suse.com/989684 SUSE Bug 989684 The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request. CVE-2016-8740 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8740.html CVE-2016-8740 https://bugzilla.suse.com/1013648 SUSE Bug 1013648 Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c. CVE-2017-9798 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-9798.html CVE-2017-9798 https://bugzilla.suse.com/1058058 SUSE Bug 1058058 https://bugzilla.suse.com/1060757 SUSE Bug 1060757 https://bugzilla.suse.com/1077582 SUSE Bug 1077582 https://bugzilla.suse.com/1078450 SUSE Bug 1078450 https://bugzilla.suse.com/1089997 SUSE Bug 1089997 HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. CVE-2019-10081 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10081.html CVE-2019-10081 https://bugzilla.suse.com/1145742 SUSE Bug 1145742 In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. CVE-2019-10082 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10082.html CVE-2019-10082 https://bugzilla.suse.com/1145741 SUSE Bug 1145741 In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. CVE-2019-10092 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10092.html CVE-2019-10092 https://bugzilla.suse.com/1145740 SUSE Bug 1145740 https://bugzilla.suse.com/1182703 SUSE Bug 1182703 In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients. CVE-2019-10097 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10097.html CVE-2019-10097 https://bugzilla.suse.com/1145739 SUSE Bug 1145739 In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. CVE-2019-10098 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-10098.html CVE-2019-10098 https://bugzilla.suse.com/1145738 SUSE Bug 1145738 https://bugzilla.suse.com/1168407 SUSE Bug 1168407 Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. CVE-2019-9517 openSUSE Tumbleweed:apache2-2.4.49-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9517.html CVE-2019-9517 https://bugzilla.suse.com/1145575 SUSE Bug 1145575 https://bugzilla.suse.com/1146097 SUSE Bug 1146097