Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0729-1 Final 1 1 2017-03-17T13:58:38Z current 2017-03-17T13:58:38Z 2017-03-17T13:58:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: Security issues fixed: - CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714). - CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-apache2-13032,slessp4-apache2-13032,slestso13-apache2-13032 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170729-1/ Link for SUSE-SU-2017:0729-1 https://lists.suse.com/pipermail/sle-security-updates/2017-March/002710.html E-Mail link for SUSE-SU-2017:0729-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1016714 SUSE Bug 1016714 https://bugzilla.suse.com/1016715 SUSE Bug 1016715 https://www.suse.com/security/cve/CVE-2016-2161/ SUSE CVE CVE-2016-2161 page https://www.suse.com/security/cve/CVE-2016-8743/ SUSE CVE CVE-2016-8743 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Studio Onsite 1.3 apache2-2.2.12-69.1 apache2-devel-2.2.12-69.1 apache2-doc-2.2.12-69.1 apache2-example-pages-2.2.12-69.1 apache2-prefork-2.2.12-69.1 apache2-utils-2.2.12-69.1 apache2-worker-2.2.12-69.1 apache2-2.2.12-69.1 as a component of SUSE Linux Enterprise Server 11 SP4 apache2-doc-2.2.12-69.1 as a component of SUSE Linux Enterprise Server 11 SP4 apache2-example-pages-2.2.12-69.1 as a component of SUSE Linux Enterprise Server 11 SP4 apache2-prefork-2.2.12-69.1 as a component of SUSE Linux Enterprise Server 11 SP4 apache2-utils-2.2.12-69.1 as a component of SUSE Linux Enterprise Server 11 SP4 apache2-worker-2.2.12-69.1 as a component of SUSE Linux Enterprise Server 11 SP4 apache2-2.2.12-69.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 apache2-doc-2.2.12-69.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 apache2-example-pages-2.2.12-69.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 apache2-prefork-2.2.12-69.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 apache2-utils-2.2.12-69.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 apache2-worker-2.2.12-69.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 apache2-2.2.12-69.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 apache2-devel-2.2.12-69.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 apache2-doc-2.2.12-69.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 apache2-example-pages-2.2.12-69.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 apache2-prefork-2.2.12-69.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 apache2-utils-2.2.12-69.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 apache2-worker-2.2.12-69.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 apache2-devel-2.2.12-69.1 as a component of SUSE Studio Onsite 1.3 In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests. CVE-2016-2161 SUSE Linux Enterprise Server 11 SP4:apache2-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-doc-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-example-pages-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-prefork-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-utils-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-worker-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-doc-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-example-pages-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-prefork-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-utils-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-worker-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-devel-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-doc-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-example-pages-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-prefork-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-utils-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-worker-2.2.12-69.1 SUSE Studio Onsite 1.3:apache2-devel-2.2.12-69.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170729-1/ https://www.suse.com/security/cve/CVE-2016-2161.html CVE-2016-2161 https://bugzilla.suse.com/1016714 SUSE Bug 1016714 https://bugzilla.suse.com/1033513 SUSE Bug 1033513 Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. CVE-2016-8743 SUSE Linux Enterprise Server 11 SP4:apache2-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-doc-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-example-pages-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-prefork-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-utils-2.2.12-69.1 SUSE Linux Enterprise Server 11 SP4:apache2-worker-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-doc-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-example-pages-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-prefork-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-utils-2.2.12-69.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:apache2-worker-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-devel-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-doc-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-example-pages-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-prefork-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-utils-2.2.12-69.1 SUSE Linux Enterprise Software Development Kit 11 SP4:apache2-worker-2.2.12-69.1 SUSE Studio Onsite 1.3:apache2-devel-2.2.12-69.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170729-1/ https://www.suse.com/security/cve/CVE-2016-8743.html CVE-2016-8743 https://bugzilla.suse.com/1016715 SUSE Bug 1016715 https://bugzilla.suse.com/1033513 SUSE Bug 1033513 https://bugzilla.suse.com/1086774 SUSE Bug 1086774 https://bugzilla.suse.com/1104826 SUSE Bug 1104826 https://bugzilla.suse.com/930944 SUSE Bug 930944