Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3949-1 Final 1 1 2024-11-08T07:57:11Z current 2024-11-08T07:57:11Z 2024-11-08T07:57:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST (bsc#1216423). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3949,SUSE-SLE-SERVER-12-SP5-LTSS-2024-3949,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2024-3949 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243949-1/ Link for SUSE-SU-2024:3949-1 https://lists.suse.com/pipermail/sle-security-updates/2024-November/019796.html E-Mail link for SUSE-SU-2024:3949-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216423 SUSE Bug 1216423 https://www.suse.com/security/cve/CVE-2023-45802/ SUSE CVE CVE-2023-45802 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-2.4.51-35.66.1 apache2-devel-2.4.51-35.66.1 apache2-doc-2.4.51-35.66.1 apache2-event-2.4.51-35.66.1 apache2-example-pages-2.4.51-35.66.1 apache2-prefork-2.4.51-35.66.1 apache2-tls13-2.4.51-35.66.1 apache2-tls13-devel-2.4.51-35.66.1 apache2-tls13-doc-2.4.51-35.66.1 apache2-tls13-event-2.4.51-35.66.1 apache2-tls13-example-pages-2.4.51-35.66.1 apache2-tls13-prefork-2.4.51-35.66.1 apache2-tls13-utils-2.4.51-35.66.1 apache2-tls13-worker-2.4.51-35.66.1 apache2-utils-2.4.51-35.66.1 apache2-worker-2.4.51-35.66.1 apache2-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-doc-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-example-pages-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-prefork-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-tls13-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-tls13-doc-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-tls13-example-pages-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-tls13-prefork-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-tls13-utils-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-tls13-worker-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-utils-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-worker-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS apache2-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-doc-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-example-pages-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-prefork-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-tls13-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-tls13-doc-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-tls13-example-pages-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-tls13-prefork-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-tls13-utils-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-tls13-worker-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-utils-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-worker-2.4.51-35.66.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. CVE-2023-45802 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-doc-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-example-pages-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-prefork-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-tls13-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-tls13-doc-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-tls13-example-pages-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-tls13-prefork-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-tls13-utils-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-tls13-worker-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-utils-2.4.51-35.66.1 SUSE Linux Enterprise Server 12 SP5-LTSS:apache2-worker-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-doc-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-example-pages-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-prefork-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-tls13-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-tls13-doc-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-tls13-example-pages-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-tls13-prefork-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-tls13-utils-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-tls13-worker-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-utils-2.4.51-35.66.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-worker-2.4.51-35.66.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243949-1/ https://www.suse.com/security/cve/CVE-2023-45802.html CVE-2023-45802 https://bugzilla.suse.com/1216423 SUSE Bug 1216423