Security update for libmicrohttpd
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2017:1576-1
Final
1
1
2017-06-16T06:46:51Z
current
2017-06-16T06:46:51Z
2017-06-16T06:46:51Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for libmicrohttpd
This update for libmicrohttpd fixes the following issues:
- CVE-2013-7038: The MHD_http_unescape function in libmicrohttpd might
have allowed remote attackers to obtain sensitive information or cause
a denial of service (crash) via unspecified vectors that trigger an
out-of-bounds read. (bsc#854443)
- CVE-2013-7039: Stack-based buffer overflow in the MHD_digest_auth_check
function in libmicrohttpd, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is
set to a large value, allowed remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via a long URI in an
authentication header. (bsc#854443)
- Fixed various bugs found during a 2017 audit; these are hardening
measures rather than security issues. (bsc#1041216)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-SLE-RPI-12-SP2-2017-966,SUSE-SLE-SDK-12-SP2-2017-966,SUSE-SLE-SERVER-12-SP2-2017-966
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2017/suse-su-20171576-1/
Link for SUSE-SU-2017:1576-1
https://lists.suse.com/pipermail/sle-security-updates/2017-June/002945.html
E-Mail link for SUSE-SU-2017:1576-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1041216
SUSE Bug 1041216
https://bugzilla.suse.com/854443
SUSE Bug 854443
https://www.suse.com/security/cve/CVE-2013-7038/
SUSE CVE CVE-2013-7038 page
https://www.suse.com/security/cve/CVE-2013-7039/
SUSE CVE CVE-2013-7039 page
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Software Development Kit 12 SP2
libmicrohttpd10-0.9.30-5.1
libmicrohttpd-devel-0.9.30-5.1
libmicrohttpd10-0.9.30-5.1 as a component of SUSE Linux Enterprise Server 12 SP2
libmicrohttpd10-0.9.30-5.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
libmicrohttpd10-0.9.30-5.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2
libmicrohttpd-devel-0.9.30-5.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2
The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read.
CVE-2013-7038
SUSE Linux Enterprise Server 12 SP2:libmicrohttpd10-0.9.30-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libmicrohttpd10-0.9.30-5.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libmicrohttpd10-0.9.30-5.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libmicrohttpd-devel-0.9.30-5.1
moderate
5.8
AV:N/AC:M/Au:N/C:P/I:N/A:P
To install this SUSE Security Update, use the SUSE-recommended installation methods, such as YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171576-1/
https://www.suse.com/security/cve/CVE-2013-7038.html
CVE-2013-7038
https://bugzilla.suse.com/854443
SUSE Bug 854443
Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header.
CVE-2013-7039
SUSE Linux Enterprise Server 12 SP2:libmicrohttpd10-0.9.30-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libmicrohttpd10-0.9.30-5.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libmicrohttpd10-0.9.30-5.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libmicrohttpd-devel-0.9.30-5.1
moderate
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
To install this SUSE Security Update, use the SUSE-recommended installation methods, such as YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20171576-1/
https://www.suse.com/security/cve/CVE-2013-7039.html
CVE-2013-7039
https://bugzilla.suse.com/854443
SUSE Bug 854443