Recommended update for apache2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0291-1 Final 1 1 2018-01-30T09:14:55Z current 2018-01-30T09:14:55Z 2018-01-30T09:14:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for apache2 This update for apache2 fixes several issues. These security issues were fixed: - CVE-2017-9789: When under stress (closing many connections) the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour (bsc#1048575). - CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process (bsc#1045160). These non-security issues were fixed: - Use the full path to a2enmod and a2dismod in the apache-22-24-upgrade script (bsc#1042037) - Fall back to 'localhost' as hostname in gensslcert (bsc#1057406) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-01/msg00108.html E-Mail link for openSUSE-SU-2018:0291-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 apache2-2.4.23-19.1 apache2-devel-2.4.23-19.1 apache2-doc-2.4.23-19.1 apache2-event-2.4.23-19.1 apache2-example-pages-2.4.23-19.1 apache2-prefork-2.4.23-19.1 apache2-utils-2.4.23-19.1 apache2-worker-2.4.23-19.1 apache2-2.4.23-19.1 as a component of openSUSE Leap 42.3 apache2-devel-2.4.23-19.1 as a component of openSUSE Leap 42.3 apache2-doc-2.4.23-19.1 as a component of openSUSE Leap 42.3 apache2-event-2.4.23-19.1 as a component of openSUSE Leap 42.3 apache2-example-pages-2.4.23-19.1 as a component of openSUSE Leap 42.3 apache2-prefork-2.4.23-19.1 as a component of openSUSE Leap 42.3 apache2-utils-2.4.23-19.1 as a component of openSUSE Leap 42.3 apache2-worker-2.4.23-19.1 as a component of openSUSE Leap 42.3 A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process. CVE-2017-7659 openSUSE Leap 42.3:apache2-2.4.23-19.1 openSUSE Leap 42.3:apache2-devel-2.4.23-19.1 openSUSE Leap 42.3:apache2-doc-2.4.23-19.1 openSUSE Leap 42.3:apache2-event-2.4.23-19.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-19.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-19.1 openSUSE Leap 42.3:apache2-utils-2.4.23-19.1 openSUSE Leap 42.3:apache2-worker-2.4.23-19.1 low 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00108.html https://www.suse.com/security/cve/CVE-2017-7659.html CVE-2017-7659 https://bugzilla.suse.com/1045160 SUSE Bug 1045160 When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour. CVE-2017-9789 openSUSE Leap 42.3:apache2-2.4.23-19.1 openSUSE Leap 42.3:apache2-devel-2.4.23-19.1 openSUSE Leap 42.3:apache2-doc-2.4.23-19.1 openSUSE Leap 42.3:apache2-event-2.4.23-19.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-19.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-19.1 openSUSE Leap 42.3:apache2-utils-2.4.23-19.1 openSUSE Leap 42.3:apache2-worker-2.4.23-19.1 moderate 4 AV:N/AC:H/Au:N/C:P/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-01/msg00108.html https://www.suse.com/security/cve/CVE-2017-9789.html CVE-2017-9789 https://bugzilla.suse.com/1048575 SUSE Bug 1048575