Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:1851-1 Final 1 1 2015-10-22T09:19:23Z current 2015-10-22T09:19:23Z 2015-10-22T09:19:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 The Apache2 webserver was updated to fix several issues: Security issues fixed: - The chunked transfer coding implementation in the Apache HTTP Server did not properly parse chunk headers, which allowed remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c. [bsc#938728, CVE-2015-3183] - The LOGJAM security issue was addressed by: [bnc#931723 CVE-2015-4000] * changing the SSLCipherSuite cipherstring to disable export cipher suites and deploy Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE) ciphers. * Adjust 'gensslcert' script to generate a strong and unique Diffie Hellman Group and append it to the server certificate file. - The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x did not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allowed remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. [bnc#938723 bnc#939516 CVE-2015-3185] - Tomcat mod_jk information leak due to incorrect JkMount/JkUnmount directives processing [bnc#927845 CVE-2014-8111] Other bugs fixed: - Now provides a suse_maintenance_mmn_# [bnc#915666]. - Hardcoded modules in the %files [bnc#444878]. - Fixed the IfModule directive around SSLSessionCache [bnc#911159]. - allow only TCP ports in Yast2 firewall files [bnc#931002] - fixed a regression when some LDAP searches or comparisons might be done with the wrong credentials when a backend connection is reused [bnc#930228] - Fixed split-logfile2 script [bnc#869790] - remove the changed MODULE_MAGIC_NUMBER_MINOR from which confuses modules the way that they expect functionality that our apache does not provide [bnc#915666] - gensslcert: CN now defaults to `hostname -f` [bnc#949766], fix help [bnc#949771] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SDK-12-2015-772,SUSE-SLE-SERVER-12-2015-772,SUSE-Storage-1.0-2015-772 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20151851-1/ Link for SUSE-SU-2015:1851-1 https://lists.suse.com/pipermail/sle-security-updates/2015-October/001653.html E-Mail link for SUSE-SU-2015:1851-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/444878 SUSE Bug 444878 https://bugzilla.suse.com/869790 SUSE Bug 869790 https://bugzilla.suse.com/911159 SUSE Bug 911159 https://bugzilla.suse.com/915666 SUSE Bug 915666 https://bugzilla.suse.com/927845 SUSE Bug 927845 https://bugzilla.suse.com/930228 SUSE Bug 930228 https://bugzilla.suse.com/931002 SUSE Bug 931002 https://bugzilla.suse.com/931723 SUSE Bug 931723 https://bugzilla.suse.com/938723 SUSE Bug 938723 https://bugzilla.suse.com/938728 SUSE Bug 938728 https://bugzilla.suse.com/939516 SUSE Bug 939516 https://bugzilla.suse.com/949766 SUSE Bug 949766 https://bugzilla.suse.com/949771 SUSE Bug 949771 https://www.suse.com/security/cve/CVE-2014-8111/ SUSE CVE CVE-2014-8111 page https://www.suse.com/security/cve/CVE-2015-3183/ SUSE CVE CVE-2015-3183 page https://www.suse.com/security/cve/CVE-2015-3185/ SUSE CVE CVE-2015-3185 page https://www.suse.com/security/cve/CVE-2015-4000/ SUSE CVE CVE-2015-4000 page SUSE Enterprise Storage 1.0 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Development Kit 12 apache2-devel-2.4.10-14.10.1 apache2-2.4.10-14.10.1 apache2-doc-2.4.10-14.10.1 apache2-example-pages-2.4.10-14.10.1 apache2-mod_auth_kerb-5.4-2.4.1 apache2-mod_jk-1.2.40-2.6.1 apache2-mod_security2-2.8.0-3.4.1 apache2-prefork-2.4.10-14.10.1 apache2-utils-2.4.10-14.10.1 apache2-worker-2.4.10-14.10.1 apache2-mod_fastcgi-2.4.7-3.4.1 apache2-mod_fastcgi-2.4.7-3.4.1 as a component of SUSE Enterprise Storage 1.0 apache2-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server 12 apache2-doc-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server 12 apache2-example-pages-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server 12 apache2-mod_auth_kerb-5.4-2.4.1 as a component of SUSE Linux Enterprise Server 12 apache2-mod_jk-1.2.40-2.6.1 as a component of SUSE Linux Enterprise Server 12 apache2-mod_security2-2.8.0-3.4.1 as a component of SUSE Linux Enterprise Server 12 apache2-prefork-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server 12 apache2-utils-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server 12 apache2-worker-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server 12 apache2-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-doc-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-example-pages-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-mod_auth_kerb-5.4-2.4.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-mod_jk-1.2.40-2.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-mod_security2-2.8.0-3.4.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-prefork-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-utils-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-worker-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 apache2-devel-2.4.10-14.10.1 as a component of SUSE Linux Enterprise Software Development Kit 12 Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors. CVE-2014-8111 SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1 SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1 SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1 SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1 SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1 SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151851-1/ https://www.suse.com/security/cve/CVE-2014-8111.html CVE-2014-8111 https://bugzilla.suse.com/927845 SUSE Bug 927845 The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c. CVE-2015-3183 SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1 SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1 SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1 SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1 SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1 SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151851-1/ https://www.suse.com/security/cve/CVE-2015-3183.html CVE-2015-3183 https://bugzilla.suse.com/938728 SUSE Bug 938728 https://bugzilla.suse.com/948325 SUSE Bug 948325 https://bugzilla.suse.com/949218 SUSE Bug 949218 The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. CVE-2015-3185 SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1 SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1 SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1 SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1 SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1 SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151851-1/ https://www.suse.com/security/cve/CVE-2015-3185.html CVE-2015-3185 https://bugzilla.suse.com/938723 SUSE Bug 938723 https://bugzilla.suse.com/939514 SUSE Bug 939514 https://bugzilla.suse.com/939516 SUSE Bug 939516 The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. CVE-2015-4000 SUSE Enterprise Storage 1.0:apache2-mod_fastcgi-2.4.7-3.4.1 SUSE Linux Enterprise Server 12:apache2-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-doc-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-example-pages-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-mod_auth_kerb-5.4-2.4.1 SUSE Linux Enterprise Server 12:apache2-mod_jk-1.2.40-2.6.1 SUSE Linux Enterprise Server 12:apache2-mod_security2-2.8.0-3.4.1 SUSE Linux Enterprise Server 12:apache2-prefork-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-utils-2.4.10-14.10.1 SUSE Linux Enterprise Server 12:apache2-worker-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-doc-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-example-pages-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_auth_kerb-5.4-2.4.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_jk-1.2.40-2.6.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-mod_security2-2.8.0-3.4.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-prefork-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-utils-2.4.10-14.10.1 SUSE Linux Enterprise Server for SAP Applications 12:apache2-worker-2.4.10-14.10.1 SUSE Linux Enterprise Software Development Kit 12:apache2-devel-2.4.10-14.10.1 important 7.3 AV:N/AC:H/Au:N/C:C/I:C/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151851-1/ https://www.suse.com/security/cve/CVE-2015-4000.html CVE-2015-4000 https://bugzilla.suse.com/1074631 SUSE Bug 1074631 https://bugzilla.suse.com/1211968 SUSE Bug 1211968 https://bugzilla.suse.com/931600 SUSE Bug 931600 https://bugzilla.suse.com/931698 SUSE Bug 931698 https://bugzilla.suse.com/931723 SUSE Bug 931723 https://bugzilla.suse.com/931845 SUSE Bug 931845 https://bugzilla.suse.com/932026 SUSE Bug 932026 https://bugzilla.suse.com/932483 SUSE Bug 932483 https://bugzilla.suse.com/934789 SUSE Bug 934789 https://bugzilla.suse.com/935033 SUSE Bug 935033 https://bugzilla.suse.com/935540 SUSE Bug 935540 https://bugzilla.suse.com/935979 SUSE Bug 935979 https://bugzilla.suse.com/937202 SUSE Bug 937202 https://bugzilla.suse.com/937766 SUSE Bug 937766 https://bugzilla.suse.com/938248 SUSE Bug 938248 https://bugzilla.suse.com/938432 SUSE Bug 938432 https://bugzilla.suse.com/938895 SUSE Bug 938895 https://bugzilla.suse.com/938905 SUSE Bug 938905 https://bugzilla.suse.com/938906 SUSE Bug 938906 https://bugzilla.suse.com/938913 SUSE Bug 938913 https://bugzilla.suse.com/938945 SUSE Bug 938945 https://bugzilla.suse.com/943664 SUSE Bug 943664 https://bugzilla.suse.com/944729 SUSE Bug 944729 https://bugzilla.suse.com/945582 SUSE Bug 945582 https://bugzilla.suse.com/955589 SUSE Bug 955589 https://bugzilla.suse.com/980406 SUSE Bug 980406 https://bugzilla.suse.com/990592 SUSE Bug 990592 https://bugzilla.suse.com/994144 SUSE Bug 994144