Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:0974-1 Final 1 1 2015-04-10T12:24:10Z current 2015-04-10T12:24:10Z 2015-04-10T12:24:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 Apache2 updated to fix four security issues and one non-security bug. The following vulnerabilities have been fixed: - mod_headers rules could be bypassed via chunked requests. Adds 'MergeTrailers' directive to restore legacy behavior. (bsc#871310, CVE-2013-5704) - An empty value in Content-Type could lead to a crash through a null pointer dereference and a denial of service. (bsc#899836, CVE-2014-3581) - Remote attackers could bypass intended access restrictions in mod_lua LuaAuthzProvider when multiple Require directives with different arguments are used. (bsc#909715, CVE-2014-8109) - Remote attackers could cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function. (bsc#918352, CVE-2015-0228) The following non-security issues have been fixed: - The Apache2 systemd service file was changed to fix situation where apache wouldn't start at boot when using an encrypted certificate because the user wasn't prompted for password during boot. (bsc#792309) Additionally, mod_imagemap is now included by default in the package. (bsc#923090) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SDK-12-2015-226,SUSE-SLE-SERVER-12-2015-226 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20150974-1/ Link for SUSE-SU-2015:0974-1 https://lists.suse.com/pipermail/sle-security-updates/2015-June/001415.html E-Mail link for SUSE-SU-2015:0974-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/792309 SUSE Bug 792309 https://bugzilla.suse.com/871310 SUSE Bug 871310 https://bugzilla.suse.com/899836 SUSE Bug 899836 https://bugzilla.suse.com/909715 SUSE Bug 909715 https://bugzilla.suse.com/918352 SUSE Bug 918352 https://bugzilla.suse.com/923090 SUSE Bug 923090 https://www.suse.com/security/cve/CVE-2013-5704/ SUSE CVE CVE-2013-5704 page https://www.suse.com/security/cve/CVE-2014-3581/ SUSE CVE CVE-2014-3581 page https://www.suse.com/security/cve/CVE-2014-8109/ SUSE CVE CVE-2014-8109 page https://www.suse.com/security/cve/CVE-2015-0228/ SUSE CVE CVE-2015-0228 page SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Development Kit 12 apache2-devel-2.4.10-12.1 apache2-2.4.10-12.1 apache2-doc-2.4.10-12.1 apache2-example-pages-2.4.10-12.1 apache2-prefork-2.4.10-12.1 apache2-utils-2.4.10-12.1 apache2-worker-2.4.10-12.1 apache2-2.4.10-12.1 as a component of SUSE Linux Enterprise Server 12 apache2-doc-2.4.10-12.1 as a component of SUSE Linux Enterprise Server 12 apache2-example-pages-2.4.10-12.1 as a component of SUSE Linux Enterprise Server 12 apache2-prefork-2.4.10-12.1 as a component of SUSE Linux Enterprise Server 12 apache2-utils-2.4.10-12.1 as a component of SUSE Linux Enterprise Server 12 apache2-worker-2.4.10-12.1 as a component of SUSE Linux Enterprise Server 12 apache2-2.4.10-12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-doc-2.4.10-12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-example-pages-2.4.10-12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-prefork-2.4.10-12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-utils-2.4.10-12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-worker-2.4.10-12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-devel-2.4.10-12.1 as a component of SUSE Linux Enterprise Software Development Kit 12 The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such." CVE-2013-5704 SUSE Linux Enterprise Server 12:apache2-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-12.1 SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-12.1 low 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150974-1/ https://www.suse.com/security/cve/CVE-2013-5704.html CVE-2013-5704 https://bugzilla.suse.com/871310 SUSE Bug 871310 https://bugzilla.suse.com/914535 SUSE Bug 914535 https://bugzilla.suse.com/930944 SUSE Bug 930944 https://bugzilla.suse.com/938728 SUSE Bug 938728 The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header. CVE-2014-3581 SUSE Linux Enterprise Server 12:apache2-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-12.1 SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150974-1/ https://www.suse.com/security/cve/CVE-2014-3581.html CVE-2014-3581 https://bugzilla.suse.com/899836 SUSE Bug 899836 mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory. CVE-2014-8109 SUSE Linux Enterprise Server 12:apache2-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-12.1 SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-12.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150974-1/ https://www.suse.com/security/cve/CVE-2014-8109.html CVE-2014-8109 https://bugzilla.suse.com/909715 SUSE Bug 909715 The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function. CVE-2015-0228 SUSE Linux Enterprise Server 12:apache2-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-12.1 SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-12.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-12.1 SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150974-1/ https://www.suse.com/security/cve/CVE-2015-0228.html CVE-2015-0228 https://bugzilla.suse.com/918352 SUSE Bug 918352