Security update for apache2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1285-1 Final 1 1 2020-08-29T10:24:11Z current 2020-08-29T10:24:11Z 2020-08-29T10:24:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: - CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071). - CVE-2020-11984: Fixed an information disclosure bug in mod_proxy_uwsgi (bsc#1175074). - CVE-2020-11993: When trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection (bsc#1175070). - Solve a crash in mod_proxy_uwsgi for empty values of environment variables. (bsc#1174052) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1285 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DNHWQK37E6OEGDE4U5AXBOE5FAJDEVKS/ E-Mail link for openSUSE-SU-2020:1285-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1174052 SUSE Bug 1174052 https://bugzilla.suse.com/1175070 SUSE Bug 1175070 https://bugzilla.suse.com/1175071 SUSE Bug 1175071 https://bugzilla.suse.com/1175074 SUSE Bug 1175074 https://www.suse.com/security/cve/CVE-2020-11984/ SUSE CVE CVE-2020-11984 page https://www.suse.com/security/cve/CVE-2020-11993/ SUSE CVE CVE-2020-11993 page https://www.suse.com/security/cve/CVE-2020-9490/ SUSE CVE CVE-2020-9490 page openSUSE Leap 15.2 apache2-2.4.43-lp152.2.3.1 apache2-devel-2.4.43-lp152.2.3.1 apache2-doc-2.4.43-lp152.2.3.1 apache2-event-2.4.43-lp152.2.3.1 apache2-example-pages-2.4.43-lp152.2.3.1 apache2-prefork-2.4.43-lp152.2.3.1 apache2-utils-2.4.43-lp152.2.3.1 apache2-worker-2.4.43-lp152.2.3.1 apache2-2.4.43-lp152.2.3.1 as a component of openSUSE Leap 15.2 apache2-devel-2.4.43-lp152.2.3.1 as a component of openSUSE Leap 15.2 apache2-doc-2.4.43-lp152.2.3.1 as a component of openSUSE Leap 15.2 apache2-event-2.4.43-lp152.2.3.1 as a component of openSUSE Leap 15.2 apache2-example-pages-2.4.43-lp152.2.3.1 as a component of openSUSE Leap 15.2 apache2-prefork-2.4.43-lp152.2.3.1 as a component of openSUSE Leap 15.2 apache2-utils-2.4.43-lp152.2.3.1 as a component of openSUSE Leap 15.2 apache2-worker-2.4.43-lp152.2.3.1 as a component of openSUSE Leap 15.2 Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE CVE-2020-11984 openSUSE Leap 15.2:apache2-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-devel-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-doc-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-event-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-example-pages-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-prefork-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-utils-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-worker-2.4.43-lp152.2.3.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DNHWQK37E6OEGDE4U5AXBOE5FAJDEVKS/ https://www.suse.com/security/cve/CVE-2020-11984.html CVE-2020-11984 https://bugzilla.suse.com/1175074 SUSE Bug 1175074 Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. CVE-2020-11993 openSUSE Leap 15.2:apache2-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-devel-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-doc-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-event-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-example-pages-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-prefork-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-utils-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-worker-2.4.43-lp152.2.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DNHWQK37E6OEGDE4U5AXBOE5FAJDEVKS/ https://www.suse.com/security/cve/CVE-2020-11993.html CVE-2020-11993 https://bugzilla.suse.com/1175070 SUSE Bug 1175070 https://bugzilla.suse.com/1178074 SUSE Bug 1178074 https://bugzilla.suse.com/1180830 SUSE Bug 1180830 Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. CVE-2020-9490 openSUSE Leap 15.2:apache2-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-devel-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-doc-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-event-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-example-pages-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-prefork-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-utils-2.4.43-lp152.2.3.1 openSUSE Leap 15.2:apache2-worker-2.4.43-lp152.2.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DNHWQK37E6OEGDE4U5AXBOE5FAJDEVKS/ https://www.suse.com/security/cve/CVE-2020-9490.html CVE-2020-9490 https://bugzilla.suse.com/1175071 SUSE Bug 1175071 https://bugzilla.suse.com/1178074 SUSE Bug 1178074