Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3962-1 Final 1 1 2024-11-09T16:38:24Z current 2024-11-09T16:38:24Z 2024-11-09T16:38:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: - CVE-2023-45802: HTTP/2 stream memory not reclaimed right away on RST (bsc#1216423). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP3-SAPCAL-Azure-2024-3962,Image SLES15-SP3-SAPCAL-EC2-HVM-2024-3962,Image SLES15-SP3-SAPCAL-GCE-2024-3962,SUSE-2024-3962,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-3962,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-3962,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-3962,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-3962,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-3962,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-3962,SUSE-Storage-7.1-2024-3962 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243962-1/ Link for SUSE-SU-2024:3962-1 https://lists.suse.com/pipermail/sle-security-updates/2024-November/019805.html E-Mail link for SUSE-SU-2024:3962-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216423 SUSE Bug 1216423 https://www.suse.com/security/cve/CVE-2023-45802/ SUSE CVE CVE-2023-45802 page Image SLES15-SP3-SAPCAL-Azure Image SLES15-SP3-SAPCAL-EC2-HVM Image SLES15-SP3-SAPCAL-GCE SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-2.4.51-150200.3.76.1 apache2-prefork-2.4.51-150200.3.76.1 apache2-utils-2.4.51-150200.3.76.1 apache2-devel-2.4.51-150200.3.76.1 apache2-doc-2.4.51-150200.3.76.1 apache2-event-2.4.51-150200.3.76.1 apache2-example-pages-2.4.51-150200.3.76.1 apache2-worker-2.4.51-150200.3.76.1 apache2-2.4.51-150200.3.76.1 as a component of Image SLES15-SP3-SAPCAL-Azure apache2-prefork-2.4.51-150200.3.76.1 as a component of Image SLES15-SP3-SAPCAL-Azure apache2-utils-2.4.51-150200.3.76.1 as a component of Image SLES15-SP3-SAPCAL-Azure apache2-2.4.51-150200.3.76.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM apache2-prefork-2.4.51-150200.3.76.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM apache2-utils-2.4.51-150200.3.76.1 as a component of Image SLES15-SP3-SAPCAL-EC2-HVM apache2-2.4.51-150200.3.76.1 as a component of Image SLES15-SP3-SAPCAL-GCE apache2-prefork-2.4.51-150200.3.76.1 as a component of Image SLES15-SP3-SAPCAL-GCE apache2-utils-2.4.51-150200.3.76.1 as a component of Image SLES15-SP3-SAPCAL-GCE apache2-2.4.51-150200.3.76.1 as a component of SUSE Enterprise Storage 7.1 apache2-devel-2.4.51-150200.3.76.1 as a component of SUSE Enterprise Storage 7.1 apache2-doc-2.4.51-150200.3.76.1 as a component of SUSE Enterprise Storage 7.1 apache2-prefork-2.4.51-150200.3.76.1 as a component of SUSE Enterprise Storage 7.1 apache2-utils-2.4.51-150200.3.76.1 as a component of SUSE Enterprise Storage 7.1 apache2-worker-2.4.51-150200.3.76.1 as a component of SUSE Enterprise Storage 7.1 apache2-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-devel-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-doc-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-prefork-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-utils-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-worker-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS apache2-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-devel-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-doc-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-prefork-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-utils-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-worker-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS apache2-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-devel-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-doc-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-prefork-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-utils-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-worker-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS apache2-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-devel-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-doc-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-prefork-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-utils-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-worker-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS apache2-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-devel-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-doc-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-prefork-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-utils-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-worker-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 apache2-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-devel-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-doc-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-prefork-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-utils-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 apache2-worker-2.4.51-150200.3.76.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. CVE-2023-45802 Image SLES15-SP3-SAPCAL-Azure:apache2-2.4.51-150200.3.76.1 Image SLES15-SP3-SAPCAL-Azure:apache2-prefork-2.4.51-150200.3.76.1 Image SLES15-SP3-SAPCAL-Azure:apache2-utils-2.4.51-150200.3.76.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-2.4.51-150200.3.76.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-prefork-2.4.51-150200.3.76.1 Image SLES15-SP3-SAPCAL-EC2-HVM:apache2-utils-2.4.51-150200.3.76.1 Image SLES15-SP3-SAPCAL-GCE:apache2-2.4.51-150200.3.76.1 Image SLES15-SP3-SAPCAL-GCE:apache2-prefork-2.4.51-150200.3.76.1 Image SLES15-SP3-SAPCAL-GCE:apache2-utils-2.4.51-150200.3.76.1 SUSE Enterprise Storage 7.1:apache2-2.4.51-150200.3.76.1 SUSE Enterprise Storage 7.1:apache2-devel-2.4.51-150200.3.76.1 SUSE Enterprise Storage 7.1:apache2-doc-2.4.51-150200.3.76.1 SUSE Enterprise Storage 7.1:apache2-prefork-2.4.51-150200.3.76.1 SUSE Enterprise Storage 7.1:apache2-utils-2.4.51-150200.3.76.1 SUSE Enterprise Storage 7.1:apache2-worker-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.76.1 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-devel-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-doc-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-prefork-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-utils-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP2-LTSS:apache2-worker-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-devel-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-doc-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-prefork-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-utils-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server 15 SP3-LTSS:apache2-worker-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-devel-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-doc-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-prefork-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-utils-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache2-worker-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-devel-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-doc-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-prefork-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-utils-2.4.51-150200.3.76.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache2-worker-2.4.51-150200.3.76.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243962-1/ https://www.suse.com/security/cve/CVE-2023-45802.html CVE-2023-45802 https://bugzilla.suse.com/1216423 SUSE Bug 1216423