Security update for apache2
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2017:2756-1
Final
1
1
2017-10-18T11:46:36Z
current
2017-10-18T11:46:36Z
2017-10-18T11:46:36Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for apache2
This update for apache2 fixes several issues.
These security issues were fixed:
- CVE-2017-9798: Prevent use-after-free use of memory that allowed for an
information leak via OPTIONS (bsc#1058058)
- CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest could have
lead to leakage of potentially confidential information, and a segfault in
other cases resulting in DoS (bsc#1048576).
- CVE-2017-7679: mod_mime could have read one byte past the end of a buffer
when sending a malicious Content-Type response header (bsc#1045060).
- CVE-2017-3169: mod_ssl may dereferenced a NULL pointer when third-party
modules call ap_hook_process_connection() during an HTTP request to an HTTPS
port allowing for DoS (bsc#1045062).
- CVE-2017-3167: Use of the ap_get_basic_auth_pw() by third-party modules
outside of the authentication phase may have lead to authentication
requirements being bypassed (bsc#1045065).
These non-security issues were fixed:
- remove /usr/bin/http2 symlink only during apache2 package
uninstall, not upgrade (bsc#1041830)
- gensslcert: use hostname when fqdn is too long (bsc#1035829)
- add NotifyAccess=all to service file (bsc#980663)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-SLE-SERVER-12-2017-1709
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2017/suse-su-20172756-1/
Link for SUSE-SU-2017:2756-1
https://lists.suse.com/pipermail/sle-security-updates/2017-October/003305.html
E-Mail link for SUSE-SU-2017:2756-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1035829
SUSE Bug 1035829
https://bugzilla.suse.com/1041830
SUSE Bug 1041830
https://bugzilla.suse.com/1045060
SUSE Bug 1045060
https://bugzilla.suse.com/1045062
SUSE Bug 1045062
https://bugzilla.suse.com/1045065
SUSE Bug 1045065
https://bugzilla.suse.com/1048576
SUSE Bug 1048576
https://bugzilla.suse.com/1058058
SUSE Bug 1058058
https://bugzilla.suse.com/980663
SUSE Bug 980663
https://www.suse.com/security/cve/CVE-2017-3167/
SUSE CVE CVE-2017-3167 page
https://www.suse.com/security/cve/CVE-2017-3169/
SUSE CVE CVE-2017-3169 page
https://www.suse.com/security/cve/CVE-2017-7679/
SUSE CVE CVE-2017-7679 page
https://www.suse.com/security/cve/CVE-2017-9788/
SUSE CVE CVE-2017-9788 page
https://www.suse.com/security/cve/CVE-2017-9798/
SUSE CVE CVE-2017-9798 page
SUSE Linux Enterprise Server 12-LTSS
apache2-2.4.10-14.28.1
apache2-doc-2.4.10-14.28.1
apache2-example-pages-2.4.10-14.28.1
apache2-prefork-2.4.10-14.28.1
apache2-utils-2.4.10-14.28.1
apache2-worker-2.4.10-14.28.1
apache2-2.4.10-14.28.1 as a component of SUSE Linux Enterprise Server 12-LTSS
apache2-doc-2.4.10-14.28.1 as a component of SUSE Linux Enterprise Server 12-LTSS
apache2-example-pages-2.4.10-14.28.1 as a component of SUSE Linux Enterprise Server 12-LTSS
apache2-prefork-2.4.10-14.28.1 as a component of SUSE Linux Enterprise Server 12-LTSS
apache2-utils-2.4.10-14.28.1 as a component of SUSE Linux Enterprise Server 12-LTSS
apache2-worker-2.4.10-14.28.1 as a component of SUSE Linux Enterprise Server 12-LTSS
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
CVE-2017-3167
SUSE Linux Enterprise Server 12-LTSS:apache2-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-doc-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-example-pages-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-prefork-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-utils-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-worker-2.4.10-14.28.1
important
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20172756-1/
https://www.suse.com/security/cve/CVE-2017-3167.html
CVE-2017-3167
https://bugzilla.suse.com/1045065
SUSE Bug 1045065
https://bugzilla.suse.com/1078450
SUSE Bug 1078450
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
CVE-2017-3169
SUSE Linux Enterprise Server 12-LTSS:apache2-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-doc-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-example-pages-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-prefork-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-utils-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-worker-2.4.10-14.28.1
moderate
4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20172756-1/
https://www.suse.com/security/cve/CVE-2017-3169.html
CVE-2017-3169
https://bugzilla.suse.com/1045062
SUSE Bug 1045062
https://bugzilla.suse.com/1078450
SUSE Bug 1078450
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.
CVE-2017-7679
SUSE Linux Enterprise Server 12-LTSS:apache2-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-doc-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-example-pages-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-prefork-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-utils-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-worker-2.4.10-14.28.1
moderate
4
AV:N/AC:H/Au:N/C:P/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20172756-1/
https://www.suse.com/security/cve/CVE-2017-7679.html
CVE-2017-7679
https://bugzilla.suse.com/1045060
SUSE Bug 1045060
https://bugzilla.suse.com/1057861
SUSE Bug 1057861
https://bugzilla.suse.com/1078450
SUSE Bug 1078450
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.
CVE-2017-9788
SUSE Linux Enterprise Server 12-LTSS:apache2-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-doc-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-example-pages-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-prefork-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-utils-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-worker-2.4.10-14.28.1
moderate
4
AV:N/AC:H/Au:N/C:P/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20172756-1/
https://www.suse.com/security/cve/CVE-2017-9788.html
CVE-2017-9788
https://bugzilla.suse.com/1048576
SUSE Bug 1048576
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
CVE-2017-9798
SUSE Linux Enterprise Server 12-LTSS:apache2-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-doc-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-example-pages-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-prefork-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-utils-2.4.10-14.28.1
SUSE Linux Enterprise Server 12-LTSS:apache2-worker-2.4.10-14.28.1
moderate
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2017/suse-su-20172756-1/
https://www.suse.com/security/cve/CVE-2017-9798.html
CVE-2017-9798
https://bugzilla.suse.com/1058058
SUSE Bug 1058058
https://bugzilla.suse.com/1060757
SUSE Bug 1060757
https://bugzilla.suse.com/1077582
SUSE Bug 1077582
https://bugzilla.suse.com/1078450
SUSE Bug 1078450
https://bugzilla.suse.com/1089997
SUSE Bug 1089997