Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2997-1 Final 1 1 2024-08-21T15:33:21Z current 2024-08-21T15:33:21Z 2024-08-21T15:33:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: - CVE-2024-38474: Fixed substitution encoding issue in mod_rewrite (bsc#1227278) - CVE-2024-38473: Fixed encoding problem in mod_proxy (bsc#1227276) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP3-SAPCAL-Azure-2024-2997,Image SLES15-SP3-SAPCAL-EC2-HVM-2024-2997,Image SLES15-SP3-SAPCAL-GCE-2024-2997,SUSE-2024-2997,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2997,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-2997,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2997,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-2997,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2997,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-2997,SUSE-Storage-7.1-2024-2997 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242997-1/ Link for SUSE-SU-2024:2997-1 https://lists.suse.com/pipermail/sle-security-updates/2024-August/019299.html E-Mail link for SUSE-SU-2024:2997-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1227276 SUSE Bug 1227276 https://bugzilla.suse.com/1227278 SUSE Bug 1227278 https://www.suse.com/security/cve/CVE-2024-38473/ SUSE CVE CVE-2024-38473 page https://www.suse.com/security/cve/CVE-2024-38474/ SUSE CVE CVE-2024-38474 page Image SLES15-SP3-SAPCAL-Azure Image SLES15-SP3-SAPCAL-EC2-HVM Image SLES15-SP3-SAPCAL-GCE SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-2.4.51-150200.3.73.1 apache2-prefork-2.4.51-150200.3.73.1 apache2-utils-2.4.51-150200.3.73.1 apache2-devel-2.4.51-150200.3.73.1 apache2-doc-2.4.51-150200.3.73.1 apache2-event-2.4.51-150200.3.73.1 apache2-example-pages-2.4.51-150200.3.73.1 apache2-worker-2.4.51-150200.3.73.1 apache2-2.4.51-150200.3.73.1 as a component of Image SLES15-SP3-SAPCAL-Azure apache2-prefork-2.4.51-150200.3.73.1 as a component of Image SLES15-SP3-SAPCAL-Azure apache2-utils-2.4.51-150200.3.73.1 as a component of Image SLES15-SP3-SAPCAL-Azure apache2-2.4.51-150200.3.73.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM apache2-prefork-2.4.51-150200.3.73.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM apache2-utils-2.4.51-150200.3.73.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM apache2-2.4.51-150200.3.73.1 as a component of Image SLES15-SP3-SAPCAL-GCE apache2-prefork-2.4.51-150200.3.73.1 as a component of Image SLES15-SP3-SAPCAL-GCE apache2-utils-2.4.51-150200.3.73.1 as a component of Image SLES15-SP3-SAPCAL-GCE apache2-2.4.51-150200.3.73.1 as a component of SUSE Enterprise Storage 7.1 apache2-devel-2.4.51-150200.3.73.1 as a component of SUSE Enterprise Storage 7.1 apache2-doc-2.4.51-150200.3.73.1 as a component of SUSE Enterprise Storage 7.1 apache2-prefork-2.4.51-150200.3.73.1 as a component of SUSE Enterprise Storage 7.1 apache2-utils-2.4.51-150200.3.73.1 as a component of SUSE Enterprise Storage 7.1 apache2-worker-2.4.51-150200.3.73.1 as a component of SUSE Enterprise Storage 7.1 apache2-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-devel-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-doc-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-prefork-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-utils-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-worker-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-devel-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-doc-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-prefork-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-utils-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-worker-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-devel-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-doc-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-prefork-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-utils-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-worker-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-devel-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-doc-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-prefork-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-utils-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-worker-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-devel-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-doc-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-prefork-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-utils-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-worker-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-devel-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-doc-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-prefork-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-utils-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-worker-2.4.51-150200.3.73.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue. CVE-2024-38473 Image SLES15-SP3-SAPCAL-Azure:apache2-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-Azure:apache2-prefork-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-Azure:apache2-utils-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-prefork-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-utils-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-GCE:apache2-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-GCE:apache2-prefork-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-GCE:apache2-utils-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-devel-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-doc-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-prefork-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-utils-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-worker-2.4.51-150200.3.73.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242997-1/ https://www.suse.com/security/cve/CVE-2024-38473.html CVE-2024-38473 https://bugzilla.suse.com/1227276 SUSE Bug 1227276 Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. CVE-2024-38474 Image SLES15-SP3-SAPCAL-Azure:apache2-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-Azure:apache2-prefork-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-Azure:apache2-utils-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-prefork-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-utils-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-GCE:apache2-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-GCE:apache2-prefork-2.4.51-150200.3.73.1 Image SLES15-SP3-SAPCAL-GCE:apache2-utils-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-devel-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-doc-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-prefork-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-utils-2.4.51-150200.3.73.1 SUSE Enterprise Storage 7.1:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-worker-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-devel-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-doc-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-prefork-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-utils-2.4.51-150200.3.73.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-worker-2.4.51-150200.3.73.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242997-1/ https://www.suse.com/security/cve/CVE-2024-38474.html CVE-2024-38474 https://bugzilla.suse.com/1227278 SUSE Bug 1227278