Security update for apache2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:0091-1 Final 1 1 2022-01-17T15:25:36Z current 2022-01-17T15:25:36Z 2022-01-17T15:25:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: Apache2 was updated to the current stable version 2.4.51 (jsc#SLE-22733 jsc#SLE-22849) It fixes all CVEs and selected bugs represented by patches found between 2.4.23 and 2.4.51. See https://downloads.apache.org/httpd/CHANGES_2.4 for a complete change log. Also fixed: - CVE-2021-44224: Fixed NULL dereference or SSRF in forward proxy configurations (bsc#1193943) - CVE-2021-44790: Fixed buffer overflow when parsing multipart content in mod_lua (bsc#1193942) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-91,openSUSE-SLE-15.3-2022-91 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LQX4BVMFKUTV6DOPDTL26H5DQJJFUPXZ/ E-Mail link for openSUSE-SU-2022:0091-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1193942 SUSE Bug 1193942 https://bugzilla.suse.com/1193943 SUSE Bug 1193943 https://www.suse.com/security/cve/CVE-2021-44224/ SUSE CVE CVE-2021-44224 page https://www.suse.com/security/cve/CVE-2021-44790/ SUSE CVE CVE-2021-44790 page SUSE Package Hub 15 SP3 openSUSE Leap 15.3 chromedriver-99.0.4844.84-bp153.2.75.1 chromium-99.0.4844.84-bp153.2.75.1 apache2-2.4.51-3.37.1 apache2-devel-2.4.51-3.37.1 apache2-doc-2.4.51-3.37.1 apache2-event-2.4.51-3.37.1 apache2-example-pages-2.4.51-3.37.1 apache2-prefork-2.4.51-3.37.1 apache2-utils-2.4.51-3.37.1 apache2-worker-2.4.51-3.37.1 chromedriver-99.0.4844.84-bp153.2.75.1 as a component of SUSE Package Hub 15 SP3 chromium-99.0.4844.84-bp153.2.75.1 as a component of SUSE Package Hub 15 SP3 chromedriver-99.0.4844.84-bp153.2.75.1 as a component of openSUSE Leap 15.3 chromium-99.0.4844.84-bp153.2.75.1 as a component of openSUSE Leap 15.3 apache2-2.4.51-3.37.1 as a component of openSUSE Leap 15.3 apache2-devel-2.4.51-3.37.1 as a component of openSUSE Leap 15.3 apache2-doc-2.4.51-3.37.1 as a component of openSUSE Leap 15.3 apache2-event-2.4.51-3.37.1 as a component of openSUSE Leap 15.3 apache2-example-pages-2.4.51-3.37.1 as a component of openSUSE Leap 15.3 apache2-prefork-2.4.51-3.37.1 as a component of openSUSE Leap 15.3 apache2-utils-2.4.51-3.37.1 as a component of openSUSE Leap 15.3 apache2-worker-2.4.51-3.37.1 as a component of openSUSE Leap 15.3 A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). CVE-2021-44224 SUSE Package Hub 15 SP3:chromedriver-99.0.4844.84-bp153.2.75.1 SUSE Package Hub 15 SP3:chromium-99.0.4844.84-bp153.2.75.1 openSUSE Leap 15.3:apache2-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-devel-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-doc-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-event-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-example-pages-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-prefork-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-utils-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-worker-2.4.51-3.37.1 openSUSE Leap 15.3:chromedriver-99.0.4844.84-bp153.2.75.1 openSUSE Leap 15.3:chromium-99.0.4844.84-bp153.2.75.1 important 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LQX4BVMFKUTV6DOPDTL26H5DQJJFUPXZ/ https://www.suse.com/security/cve/CVE-2021-44224.html CVE-2021-44224 https://bugzilla.suse.com/1193943 SUSE Bug 1193943 A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. CVE-2021-44790 SUSE Package Hub 15 SP3:chromedriver-99.0.4844.84-bp153.2.75.1 SUSE Package Hub 15 SP3:chromium-99.0.4844.84-bp153.2.75.1 openSUSE Leap 15.3:apache2-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-devel-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-doc-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-event-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-example-pages-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-prefork-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-utils-2.4.51-3.37.1 openSUSE Leap 15.3:apache2-worker-2.4.51-3.37.1 openSUSE Leap 15.3:chromedriver-99.0.4844.84-bp153.2.75.1 openSUSE Leap 15.3:chromium-99.0.4844.84-bp153.2.75.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LQX4BVMFKUTV6DOPDTL26H5DQJJFUPXZ/ https://www.suse.com/security/cve/CVE-2021-44790.html CVE-2021-44790 https://bugzilla.suse.com/1193942 SUSE Bug 1193942 https://bugzilla.suse.com/1204730 SUSE Bug 1204730