Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2591-1 Final 1 1 2024-07-22T12:41:41Z current 2024-07-22T12:41:41Z 2024-07-22T12:41:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: - CVE-2024-38475: Fixed improper escaping of output in mod_rewrite (bsc#1227268) - CVE-2024-38476: Fixed server may use exploitable/malicious backend application output to run local handlers via internal redirect (bsc#1227269) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP3-SAPCAL-Azure-2024-2591,Image SLES15-SP3-SAPCAL-EC2-HVM-2024-2591,Image SLES15-SP3-SAPCAL-GCE-2024-2591,SUSE-2024-2591,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2591,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-2591,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2591,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-2591,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2591,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-2591,SUSE-Storage-7.1-2024-2591 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242591-1/ Link for SUSE-SU-2024:2591-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/019006.html E-Mail link for SUSE-SU-2024:2591-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227268 SUSE Bug 1227268 https://bugzilla.suse.com/1227269 SUSE Bug 1227269 https://www.suse.com/security/cve/CVE-2024-38475/ SUSE CVE CVE-2024-38475 page https://www.suse.com/security/cve/CVE-2024-38476/ SUSE CVE CVE-2024-38476 page Image SLES15-SP3-SAPCAL-Azure Image SLES15-SP3-SAPCAL-EC2-HVM Image SLES15-SP3-SAPCAL-GCE SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-2.4.51-150200.3.70.1 apache2-prefork-2.4.51-150200.3.70.1 apache2-utils-2.4.51-150200.3.70.1 apache2-devel-2.4.51-150200.3.70.1 apache2-doc-2.4.51-150200.3.70.1 apache2-event-2.4.51-150200.3.70.1 apache2-example-pages-2.4.51-150200.3.70.1 apache2-worker-2.4.51-150200.3.70.1 apache2-2.4.51-150200.3.70.1 as a component of Image SLES15-SP3-SAPCAL-Azure apache2-prefork-2.4.51-150200.3.70.1 as a component of Image SLES15-SP3-SAPCAL-Azure apache2-utils-2.4.51-150200.3.70.1 as a component of Image SLES15-SP3-SAPCAL-Azure apache2-2.4.51-150200.3.70.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM apache2-prefork-2.4.51-150200.3.70.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM apache2-utils-2.4.51-150200.3.70.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM apache2-2.4.51-150200.3.70.1 as a component of Image SLES15-SP3-SAPCAL-GCE apache2-prefork-2.4.51-150200.3.70.1 as a component of Image SLES15-SP3-SAPCAL-GCE apache2-utils-2.4.51-150200.3.70.1 as a component of Image SLES15-SP3-SAPCAL-GCE apache2-2.4.51-150200.3.70.1 as a component of SUSE Enterprise Storage 7.1 apache2-devel-2.4.51-150200.3.70.1 as a component of SUSE Enterprise Storage 7.1 apache2-doc-2.4.51-150200.3.70.1 as a component of SUSE Enterprise Storage 7.1 apache2-prefork-2.4.51-150200.3.70.1 as a component of SUSE Enterprise Storage 7.1 apache2-utils-2.4.51-150200.3.70.1 as a component of SUSE Enterprise Storage 7.1 apache2-worker-2.4.51-150200.3.70.1 as a component of SUSE Enterprise Storage 7.1 apache2-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-devel-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-doc-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-prefork-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-utils-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-worker-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-devel-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-doc-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-prefork-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-utils-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-worker-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-devel-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-doc-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-prefork-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-utils-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-worker-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-devel-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-doc-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-prefork-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-utils-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-worker-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-devel-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-doc-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-prefork-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-utils-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-worker-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-devel-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-doc-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-prefork-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-utils-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-worker-2.4.51-150200.3.70.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. CVE-2024-38475 Image SLES15-SP3-SAPCAL-Azure:apache2-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-Azure:apache2-prefork-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-Azure:apache2-utils-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-prefork-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-utils-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-GCE:apache2-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-GCE:apache2-prefork-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-GCE:apache2-utils-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-devel-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-doc-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-prefork-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-utils-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-worker-2.4.51-150200.3.70.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242591-1/ https://www.suse.com/security/cve/CVE-2024-38475.html CVE-2024-38475 https://bugzilla.suse.com/1227268 SUSE Bug 1227268 Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue. CVE-2024-38476 Image SLES15-SP3-SAPCAL-Azure:apache2-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-Azure:apache2-prefork-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-Azure:apache2-utils-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-prefork-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-utils-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-GCE:apache2-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-GCE:apache2-prefork-2.4.51-150200.3.70.1 Image SLES15-SP3-SAPCAL-GCE:apache2-utils-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-devel-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-doc-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-prefork-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-utils-2.4.51-150200.3.70.1 SUSE Enterprise Storage 7.1:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-worker-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-devel-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-doc-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-prefork-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-utils-2.4.51-150200.3.70.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-worker-2.4.51-150200.3.70.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242591-1/ https://www.suse.com/security/cve/CVE-2024-38476.html CVE-2024-38476 https://bugzilla.suse.com/1227269 SUSE Bug 1227269